Full Report
Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities actively exploited throughout 2025, almost half of them in enterprise software and appliances. [...]
Analysis Summary
This summary is based on the Google Threat Intelligence Group (GTIG) 2025 Year in Review report. Note that the source article provides a high-level aggregate analysis of a 90-vulnerability dataset rather than a deep dive into a single specific CVE.
# Vulnerability: 2025 Zero-Day Exploitation Trends (Aggregate)
## CVE Details
- **CVE ID:** Diverse (90 unique identifiers tracked in 2025)
- **CVSS Score:** Generally 7.0 - 10.0 (**High to Critical**)
- **CWE:** Primarily CWE-416 (Use-after-free), CWE-20 (Improper Input Validation), CWE-502 (Deserialization of Untrusted Data), and CWE-287 (Improper Authentication).
## Affected Systems
- **Products:**
  - **Operating Systems:** Windows, macOS, Android, iOS (39 combined).
  - **Enterprise/Infrastructure:** VPNs, Security Appliances, Networking Gear, Virtualization Platforms.
  - **Browsers:** Chrome, Safari, Firefox (8 total).
- **Versions:** Various (Focus on latest stable releases at time of exploitation).
- **Configurations:** Edge-facing devices and enterprise appliances with high privileges and limited EDR (Endpoint Detection and Response) visibility.
## Vulnerability Description
GTIG observed a shift toward **Enterprise and Edge infrastructure** vulnerability research. 35% of the 90 exploited zero-days were attributed to **memory safety issues** (e.g., memory corruption and use-after-free). The remainder consisted of logic-based flaws, including authorization bypasses and injection vulnerabilities. Attackers are increasingly targeting "blind spots"—systems that do not support traditional security agents—to maintain persistence.
## Exploitation
- **Status:** Exploited in the wild (Confirmed for all 90 cases).
- **Complexity:** Medium to High (custom exploit chains are typically required).
- **Attack Vector:** Primarily **Network** (for edge/enterprise devices) and **Local** (for OS privilege escalation).
## Impact
- **Confidentiality:** **High** (Targeted data theft and espionage).
- **Integrity:** **High** (Full system takeover and malware deployment).
- **Availability:** **Medium to High** (Varies; focus is usually on persistence rather than disruption).
## Remediation
### Patches
- Users must ensure they are on the latest versions provided by the following top-targeted vendors:
  - **Microsoft** (25 zero-days)
  - **Google** (11 zero-days)
  - **Apple** (8 zero-days)
  - **Cisco/Fortinet** (4 each)
  - **Ivanti/VMware** (3 each)
### Workarounds
- **Attack Surface Reduction:** Disable unnecessary services and internet-facing management ports.
- **Micro-segmentation:** Isolate edge appliances (VPNs, firewalls) from the core internal network.
- **Zero Trust:** Implement strict identity verification to mitigate the impact of authorization bypasses.
## Detection
- **Indicators of Compromise:** Unusual outbound traffic from security appliances; unauthorized account creation; unexpected system reboots.
- **Detection Methods:**
  - Log Analysis: Monitor for anomalous API calls or "living off the land" (LotL) commands.
  - Behavior Monitoring: Use network traffic analysis (NTA) to detect lateral movement from unmanaged devices.
## References
- **Google Cloud Blog:** hxxps[://]cloud[.]google[.]com/blog/topics/threat-intelligence/2025-zero-day-review
- **BleepingComputer:** hxxps[://]www[.]bleepingcomputer[.]com/news/security/google-says-90-zero-days-were-exploited-in-attacks-last-year/
- **GTIG Brickstorm Research:** hxxps[://]www[.]bleepingcomputer[.]com/news/security/google-brickstorm-malware-used-to-steal-us-orgs-data-for-over-a-year/