Zero-Day Attacks Hit Record High as Enterprise Software Becomes Prime Target
Imagine discovering a hidden door into your company’s most secure systems—a door the builders didn’t know existed. That’s the reality of zero-day vulnerabilities, and according to Google’s Threat Intelligence Group, attackers are finding more of these secret entrances than ever before. Their latest analysis reveals a troubling shift in where cybercriminals are focusing their efforts.
The numbers are stark. In 2025, Google tracked 90 zero-day vulnerabilities that were actively exploited before patches were available. That’s up from 78 the previous year. What’s more significant than the total count, however, is where these attacks are landing. Nearly half—48%—targeted enterprise software and appliances directly. The corporate network is no longer just a pathway to individual targets; it’s become the main prize.
Why Attackers Are Targeting Your Company’s Core Infrastructure
Google’s researchers describe this as a “structural change in the threat landscape.” Why the sudden pivot? Enterprise tools offer something attackers crave: leverage. A single vulnerability in a security appliance or network switch can provide privileged access across an entire organization. It’s the digital equivalent of stealing a master key instead of picking individual locks.
Think about what sits at the edge of your network. Routers, firewalls, VPN concentrators—these devices often operate with high-level permissions. They’re also frequently overlooked during routine security checks. Attackers know this. They’ve realized that compromising one edge device can open pathways to sensitive data, financial systems, and intellectual property on a massive scale.
“Attackers are deeply embedding themselves in critical business infrastructure,” the Google report states. This isn’t about stealing a single laptop anymore. It’s about establishing a persistent, privileged position within the very systems that keep a business running.
Security Appliances: The New Front Line
Here’s a sobering statistic: of the zero-days targeting enterprise technology, almost half—21 out of 43—specifically hit security and networking solutions. The very tools designed to protect organizations are becoming primary targets. The irony is painful, but the logic is coldly rational from an attacker’s perspective.
Why target a security appliance? Because success grants extraordinary power. These systems often have permissions to inspect traffic, manage access controls, and communicate with nearly every other device on the network. A compromised firewall doesn’t just fail to protect; it can actively facilitate attacks while remaining invisible to monitoring tools.
This targeting represents a fundamental evolution in cyber strategy. Attackers are bypassing traditional defenses by exploiting the defenders’ own tools. It’s a reminder that no software is inherently trustworthy, and that defense-in-depth must include the security products themselves.
End-User Threats Persist as Browser Attacks Decline
While enterprise targeting grows, individual users haven’t been forgotten. 52% of tracked zero-days in 2025 still targeted end-user platforms, with operating systems—particularly Microsoft Windows—remaining the most frequent victims. Mobile operating systems saw a notable jump, with 15 zero-days compared to nine the previous year.
One surprising bright spot emerged in the data: browser-based zero-days dropped to just eight, what Google calls a “historical low.” This isn’t necessarily because attackers have lost interest. Researchers suggest improved browser security has made exploitation harder, while sophisticated attackers have become better at hiding their tracks, making their activities less visible to researchers.
The gap between enterprise and end-user targeting is narrowing. As corporate infrastructure becomes more valuable to attackers, the traditional distinction between “work” and “personal” targets blurs. Your company’s network is now the battlefield.
Defending Against the Inevitable Attack
Google’s conclusion is blunt: prepare for when you’re targeted, not if. The continuous discovery of zero-days by nation-state groups, cybercriminals, and ransomware operations means every organization is potentially vulnerable. What separates the compromised from the secure isn’t perfect prevention—it’s effective response.
The report emphasizes architectural security. Systems should be designed with “ingrained security awareness,” implementing segmentation and least-privilege access by default. Know what assets you have. Maintain a real-time inventory that’s regularly audited. You can’t protect what you don’t know exists.
Continuous monitoring becomes non-negotiable. Pair anomaly detection in both systems and networks with refined, actionable alerts. The goal isn’t to prevent every attack—that’s increasingly impossible with zero-days—but to detect and respond to threats as they occur. Speed is everything when dealing with vulnerabilities that have no known patch.
Ultimately, the record number of zero-day exploits targeting enterprise software serves as a wake-up call. The attack surface has expanded beyond individual devices to encompass the entire infrastructure that supports modern business. Defense must evolve accordingly, recognizing that the tools we rely on for protection have themselves become targets.