Increase in Zero-Day Exploits in 2025
Summary
Google Threat Intelligence Group (GTIG) reported tracking 90 zero-day vulnerabilities exploited in 2025, a 15% increase from 2024. Nearly half targeted enterprise software and appliances, with 43 (48%) zero-days identified, up from 36 (46%) in 2024. Memory safety issues accounted for 35% of these exploits. Commercial spyware vendors were the largest users of zero-days, surpassing state-sponsored groups. China-linked espionage groups remained the most active among state actors, while financially motivated actors also increased their use of zero-days. The most targeted enterprise systems included security appliances, networking infrastructure, VPNs, and virtualization platforms. Google recommends reducing attack surfaces, continuous monitoring, and rapid patching to mitigate risks.
Timeline
- 05.03.2026 17:03 · 2 articles
  GTIG Reports 90 Zero-Day Exploits in 2025
  Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in 2025, a 15% increase from 2024. Nearly half targeted enterprise software and appliances. Memory safety issues accounted for 35% of these exploits. Commercial spyware vendors were the largest users of zero-days, surpassing state-sponsored groups. China-linked espionage groups remained the most active among state actors, while financially motivated actors also increased their use of zero-days. The number of zero-days targeting enterprise software and appliances rose to 43 (48%) in 2025, up from 36 (46%) in 2024. Security and networking solutions were prominent targets, with 21 zero-days identified. Browser-based zero-days reached a historic low of 8 (9%), while mobile operating systems saw a notable increase in targeting, with 15 zero-days in 2025 compared to 9 in 2024. Nine zero-days were linked to financially motivated threat groups, nearly double the five in 2024.
  Sources:
  - Google says 90 zero-days were exploited in attacks last year — www.bleepingcomputer.com — 05.03.2026 17:03
  - Zero‑Day Attacks on Enterprise Software Reach Record High, Google Warns — www.infosecurity-magazine.com — 06.03.2026 14:29
Information Snippets
- GTIG tracked 90 zero-day vulnerabilities exploited in 2025, a 15% increase from 2024.
  First reported: 05.03.2026 17:03 (2 sources, 2 articles)
  - Google says 90 zero-days were exploited in attacks last year — www.bleepingcomputer.com — 05.03.2026 17:03
  - Zero‑Day Attacks on Enterprise Software Reach Record High, Google Warns — www.infosecurity-magazine.com — 06.03.2026 14:29
- 47 zero-days targeted end-user platforms, while 43 targeted enterprise products.
  First reported: 05.03.2026 17:03 (2 sources, 2 articles)
  - Google says 90 zero-days were exploited in attacks last year — www.bleepingcomputer.com — 05.03.2026 17:03
  - Zero‑Day Attacks on Enterprise Software Reach Record High, Google Warns — www.infosecurity-magazine.com — 06.03.2026 14:29
- Memory safety issues accounted for 35% of all exploited zero-day vulnerabilities in 2025.
  First reported: 05.03.2026 17:03 (1 source, 1 article)
  - Google says 90 zero-days were exploited in attacks last year — www.bleepingcomputer.com — 05.03.2026 17:03
- Commercial spyware vendors were the largest users of zero-days, surpassing state-sponsored espionage groups.
  First reported: 05.03.2026 17:03 (1 source, 1 article)
  - Google says 90 zero-days were exploited in attacks last year — www.bleepingcomputer.com — 05.03.2026 17:03
- China-linked espionage groups exploited 10 zero-days in 2025, targeting edge devices, security appliances, and networking equipment.
  First reported: 05.03.2026 17:03 (2 sources, 2 articles)
  - Google says 90 zero-days were exploited in attacks last year — www.bleepingcomputer.com — 05.03.2026 17:03
  - Zero‑Day Attacks on Enterprise Software Reach Record High, Google Warns — www.infosecurity-magazine.com — 06.03.2026 14:29
- Financially motivated actors accounted for nine zero-day exploits in 2025.
  First reported: 05.03.2026 17:03 (2 sources, 2 articles)
  - Google says 90 zero-days were exploited in attacks last year — www.bleepingcomputer.com — 05.03.2026 17:03
  - Zero‑Day Attacks on Enterprise Software Reach Record High, Google Warns — www.infosecurity-magazine.com — 06.03.2026 14:29
- Google recommends reducing attack surfaces, continuous monitoring, and rapid patching to mitigate zero-day risks.
  First reported: 05.03.2026 17:03 (2 sources, 2 articles)
  - Google says 90 zero-days were exploited in attacks last year — www.bleepingcomputer.com — 05.03.2026 17:03
  - Zero‑Day Attacks on Enterprise Software Reach Record High, Google Warns — www.infosecurity-magazine.com — 06.03.2026 14:29
- GTIG tracked 90 zero-day vulnerabilities in 2025, higher than 78 in 2024 but lower than 100 in 2023.
  First reported: 06.03.2026 14:29 (1 source, 1 article)
  - Zero‑Day Attacks on Enterprise Software Reach Record High, Google Warns — www.infosecurity-magazine.com — 06.03.2026 14:29
- 43 (48%) of zero-days targeted enterprise software and appliances in 2025, up from 36 (46%) in 2024.
  First reported: 06.03.2026 14:29 (1 source, 1 article)
  - Zero‑Day Attacks on Enterprise Software Reach Record High, Google Warns — www.infosecurity-magazine.com — 06.03.2026 14:29
- 21 zero-days targeted security and networking solutions, highlighting their value for privilege escalation and broad impact.
  First reported: 06.03.2026 14:29 (1 source, 1 article)
  - Zero‑Day Attacks on Enterprise Software Reach Record High, Google Warns — www.infosecurity-magazine.com — 06.03.2026 14:29
- Operating systems were the most targeted end-user product, with 24 (27%) zero-days, primarily targeting Microsoft Windows.
  First reported: 06.03.2026 14:29 (1 source, 1 article)
  - Zero‑Day Attacks on Enterprise Software Reach Record High, Google Warns — www.infosecurity-magazine.com — 06.03.2026 14:29
- Browser-based zero-days reached a historic low of 8 (9%) in 2025, possibly due to improved operational security by attackers.
  First reported: 06.03.2026 14:29 (1 source, 1 article)
  - Zero‑Day Attacks on Enterprise Software Reach Record High, Google Warns — www.infosecurity-magazine.com — 06.03.2026 14:29
- Mobile operating systems saw a notable increase in targeting, with 15 zero-days in 2025 compared to 9 in 2024.
  First reported: 06.03.2026 14:29 (1 source, 1 article)
  - Zero‑Day Attacks on Enterprise Software Reach Record High, Google Warns — www.infosecurity-magazine.com — 06.03.2026 14:29
- Nine zero-days were linked to financially motivated threat groups in 2025, nearly double the five in 2024.
  First reported: 06.03.2026 14:29 (1 source, 1 article)
  - Zero‑Day Attacks on Enterprise Software Reach Record High, Google Warns — www.infosecurity-magazine.com — 06.03.2026 14:29
Similar Happenings
Increase in Zero-Day and One-Day Exploits in 2025
In 2025, 28.96% of known exploited vulnerabilities (KEVs) were exploited before or on the day of public disclosure, up from 23.6% in 2024. VulnCheck identified 884 new vulnerabilities with evidence of exploitation, a 15% increase from 2024. Network edge devices, content management systems, and open-source software were the most targeted technologies. Time-to-exploitation patterns remained consistent with 2024, with operating systems being the most affected by zero-day and one-day exploits. Ransomware attribution continued to lag behind initial exploitation disclosure.
Critical WSUS RCE Vulnerability Exploited in the Wild
A critical remote code execution (RCE) vulnerability (CVE-2025-59287) in Windows Server Update Service (WSUS) is being actively exploited in the wild. The flaw allows attackers to run malicious code with SYSTEM privileges on Windows servers with the WSUS Server role enabled. Microsoft has released out-of-band patches for all affected Windows Server versions. Cybersecurity firms have observed exploitation attempts and the presence of publicly available proof-of-concept exploit code. The vulnerability is considered potentially wormable between WSUS servers and poses a significant risk to organizations. The flaw concerns a case of deserialization of untrusted data in WSUS. The vulnerability was discovered and reported by security researchers MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange with CODE WHITE GmbH. CISA and NSA, along with international partners, have issued guidance to secure Microsoft Exchange Server instances, including recommendations to restrict administrative access, implement multi-factor authentication, and enforce strict transport security configurations. The agencies advise decommissioning end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365. Sophos reported threat actors exploiting the vulnerability to harvest sensitive data from U.S. organizations across various industries, with at least 50 victims identified. The exploitation activity was first detected on October 24, 2025, a day after Microsoft issued the update. Attackers use Base64-encoded PowerShell commands to exfiltrate data to a webhook[.]site endpoint. Michael Haag of Splunk noted an alternate attack chain involving the Microsoft Management Console binary (mmc.exe) to trigger cmd.exe execution. Recently, threat actors have been exploiting CVE-2025-59287 to distribute ShadowPad malware, a modular backdoor used by Chinese state-sponsored hacking groups. 
Attackers used PowerCat, certutil, and curl to obtain a system shell and download ShadowPad. The malware is launched via DLL side-loading and comes with anti-detection and persistence techniques.
73 Zero-day Vulnerabilities Exploited in Pwn2Own Ireland 2025
The Pwn2Own Ireland 2025 hacking competition concluded with security researchers collecting $1,024,750 in cash awards after exploiting 73 zero-day vulnerabilities. The event, held in Cork, Ireland, targeted vulnerabilities in various devices, including smartphones, messaging apps, smart home devices, printers, and more. The Zero Day Initiative (ZDI) operates the event to identify security flaws before threat actors can exploit them. Summoning Team won the competition with 22 Master of Pwn points and $187,500 earned throughout the three-day event. Team ANHTUD secured the second position with $76,750 and 11.5 Master of Pwn points, while Team Synacktiv took third place with $90,000 in prizes and 11 Master of Pwn points. The event featured eight categories, including new attack vectors for mobile devices, and offered a $1 million reward for a zero-click WhatsApp exploit. On the first day, researchers demoed 34 unique zero-days and collected $522,500 in cash awards. Team DDOS chained eight zero-day flaws to hack a QNAP Qhora-322 Ethernet wireless router and gain access to a QNAP TS-453E NAS device, earning $100,000. On the second day, researchers exploited 56 unique zero-day vulnerabilities and collected $792,750 in cash awards. Ken Gannon and Dimitrios Valsamaras hacked the Samsung Galaxy S25, earning $50,000 and 5 Master of Pwn points. On the third day, the Samsung Galaxy S25 was hacked by Interrupt Labs via an improper input validation bug, earning 5 Master of Pwn points and $50,000.
Challenges in Vulnerability Management and the Rise of Network Device Exploits
The vulnerability management market faces significant challenges due to an overwhelming number of vulnerabilities and ineffective strategies. The industry is struggling to adapt to the shift to cloud environments and the increasing exploitation of network edge devices. Between 2023 and 2024, the percentage of edge devices exploited by vulnerabilities surged from 3% to 22%. Organizations are actively patching network device vulnerabilities, but only 54% were fully remediated last year, taking a median of 32 days. Meanwhile, the average time to exploit vulnerabilities has dropped to five days. The industry needs to reshape its approach to address these issues, focusing on integrated risk management solutions and automating network device protection to keep up with the expanding attack surface and increasing risk.
Image I/O Framework Zero-Day Exploited in Targeted Attacks
The zero-day vulnerability CVE-2025-43300 in Apple's Image I/O framework was exploited in targeted attacks against specific individuals. The flaw, an out-of-bounds write issue, was used in combination with a WhatsApp zero-day flaw (CVE-2025-55177) in sophisticated attacks potentially involving nation-state actors or spyware activity. The vulnerability affects multiple iOS, iPadOS, and macOS versions, as well as various iPhone, iPad, and Mac models. Apple has backported fixes for CVE-2025-43300 to older versions, including iOS 16.7.12, iPadOS 16.7.12, iOS 15.8.5, and iPadOS 15.8.5. Users are advised to update promptly to mitigate potential ongoing attacks. The flaw was discovered by Apple security researchers and impacts both older and newer devices. It was addressed with improved bounds checking. This is the seventh zero-day exploited in the wild that Apple has patched since the start of the year. Affected devices include iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPhone 8, iPhone 8 Plus, iPhone X, iPad Air 2, iPad mini (4th generation), iPad 5th generation, iPad Pro 9.7-inch, iPad Pro 12.9-inch 1st generation, iPod touch (7th generation), and Macs running macOS Sequoia, Sonoma, and Ventura. WhatsApp has also addressed a security vulnerability in its messaging apps for Apple iOS and macOS that it said may have been exploited in the wild in conjunction with the Apple flaw in targeted zero-day attacks. The WhatsApp vulnerability, CVE-2025-55177, is an insufficient authorization flaw in linked device synchronization messages. The flaw affects WhatsApp for iOS prior to version 2.25.21.73, WhatsApp Business for iOS version 2.25.21.78, and WhatsApp for Mac version 2.25.21.78.
WhatsApp notified fewer than 200 users that they were targeted in an advanced spyware campaign over the last 90 days.