Google Report: Enterprise Tech Hit by Record 48% of Zero-Day Exploits in 2025
Google’s GTIG report tracks 90 zero-days exploited in 2025, revealing a strategic pivot toward enterprise infrastructure. Chinese APT activity has doubled as A…

The Google Threat Intelligence Group (GTIG) released its annual census in March 2026, documenting 90 zero-day vulnerabilities exploited in 2025—an increase from the 78 recorded in 2024. However, the total volume is less significant than the shifting distribution of these attacks. Browser exploits have plummeted to less than 10% of observed activity, while operating systems (OS) accounted for 39 flaws and enterprise technologies reached a record 43, representing 48% of the total. GTIG identifies a clear strategic driver: “As vendor mitigations evolve and increasingly prevent more simplistic exploitation, threat actors have been forced to expand or adjust their techniques.” This has triggered an irreversible shift in the battlefield: away from browsers, where defenders and vendors have successfully hardened the environment, and toward operating systems and edge appliances where visibility is limited and patching cycles remain sluggish. The ultimate risk is defensive blindness; where EDR cannot reach, the attacker advances undetected.
For a CISO, this indicates that the primary attack surface is no longer the user clicking a link, but the silent server running on the perimeter. With 48% of zero-days hitting the enterprise stack and OS flaws leading by volume, defensive models built strictly around the endpoint risk looking in the wrong direction.
- The offensive focus is shifting to opaque infrastructure: operating systems and enterprise appliances now attract the majority of zero-day activity.
- Chinese APTs have doubled their activity, leading the charge into these new battlefields supported by a structured, state-backed development ecosystem.
- In 2026, AI is expected to further compress the timeline from disclosure to exploit; comprehensive visibility across OS and appliances is becoming a survival requirement rather than a best practice.
GTIG Analysis: 90 Zero-Days and the Enterprise Record
The GTIG report, published in March 2026, details a significant evolution in threat dynamics. Enterprise technologies absorbed a record 48% of all identified zero-days. Operating systems emerged as the most targeted category, while browser exploits—historically the dominant vector—fell below the 10% threshold. Mobile OS attacks reached 15 documented cases. While the increase from 2024’s 78 zero-days is notable, the strategic signal lies in the concentration of effort.
This focus is intentional. Browsers have benefited from years of hardening and coordinated vendor responses that have successfully narrowed the exploit window. By pivoting to enterprise operating systems and network appliances, attackers are targeting areas where defenders possess less telemetry and agility. The 48% record suggests that attackers are choosing to deploy high-cost vulnerabilities against high-yield targets: the very infrastructure that sustains corporate operations.
43 out of 90 zero-days (48%) targeted enterprise technologies in 2025, a record high identified by the Google Threat Intelligence Group.
Why the Corporate Edge is Now a Primary Target
Firewalls, VPNs, routers, and security appliances remain primary targets due to a critical lack of EDR visibility, according to the GTIG report. These devices often operate as “black boxes” within the network, lacking the detection agents that would otherwise expose an intrusion. Furthermore, they are frequently subject to slower update cycles compared to traditional endpoints.
This represents a profound shift for security leadership. Until recently, the browser was the center of the threat model, characterized by frequent patches, granular visibility, and mature sandboxing. Today, initial compromise often occurs on perimeter appliances where EDR agents do not exist, with operating systems bearing the brunt of subsequent flaws. This absence of telemetry allows advanced actors to maintain persistence, install implants, and move laterally toward critical assets without leaving the digital breadcrumbs a modern endpoint would record.
Exploit chains no longer rely solely on a user’s browser; they originate in unprotected perimeter appliances and propagate through the infrastructure. The concentration of fire on these systems dictates that defenders must extend visibility beyond traditional endpoints, treating every edge appliance as a high-risk primary entry point.
Chinese APT Activity Doubles: UNC3886 and UNC5221 in Focus
Google’s analysis shows a 100% increase in zero-days attributed to Chinese espionage groups, with 10 identified in 2025 compared to 5 in 2024. John Hultquist, the group’s chief analyst, notes: “They have a significant zero-day development ecosystem that includes industry, academia, and government,” highlighting the structured and diversified apparatus driving these offensive operations.
This ecosystem allows Chinese actors to be early adopters of exploits targeting opaque infrastructure. Among the tracked groups, UNC3886 exploited at least one zero-day (the specific CVE identifier is not fully disclosed in the available records). Additionally, UNC5221 has been linked to the malware known as “Brickstorm.” The consulted source materials give only partial operational details for these campaigns.
The trend is undeniable: Chinese groups are concentrating high-impact vulnerabilities against enterprise infrastructure, capitalizing on the same lack of visibility that makes the edge so attractive. Their ability to hit high-value targets with bespoke vulnerabilities reflects the industrial-scale ecosystem described by Hultquist. As this apparatus integrates AI-driven acceleration, defensive reaction times in 2026 are likely to be dangerously compressed.
AI Acceleration: Shrinking the Disclosure-to-Exploit Window
Looking beyond the 2025 data, the GTIG report identifies Artificial Intelligence as the next major catalyst in the attack chain. Casey Charrier, senior vulnerability intelligence analyst at Google, warns: “Vulnerability discovery and weaponization and exploit deployment can all be enhanced with these capabilities, creating potential for exploitation to be faster than ever before.”
For security teams, the acceleration of research, development, and deployment phases drastically reduces the time available for defense. GTIG predicts that by 2026, AI will make the exploit chain significantly faster. When AI simultaneously enhances discovery, weaponization, and deployment, the gap between public disclosure and in-the-wild exploitation could effectively collapse. CISOs must prepare for a future where the margin between a public vulnerability and an internal compromise is unpredictable and near-instantaneous.
Strategic Defensive Priorities
Priority 1 – Immediate Action: EDR-less Visibility on the Edge. Organizations must map all firewalls, VPNs, routers, and security appliances that cannot host EDR agents. It is critical to enable network logs, alternative telemetry, and compensating controls to detect persistence and lateral movement. These devices, flagged by GTIG as primary targets, require dedicated monitoring to replicate endpoint-level visibility.
Priority 2 – OS Hardening Against Emerging Flaws. Patch management procedures for server and workstation operating systems must be accelerated. Reducing the time between a fix release and its application is the primary defense against AI-driven exploit speed. Enterprise OS security must be treated with the same urgency as edge device security.
Priority 3 – Threat Hunting for UNC3886 and UNC5221 Indicators. SOCs should integrate indicators associated with these tracked Chinese groups into their workflows, utilizing threat intelligence feeds to detect patterns related to previously attributed zero-days. The doubling of this activity in 2025 makes proactive monitoring a top priority according to the report.
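As an added illustration of Priority 1 (not code from the GTIG report or from Google), the following Python detector treats an EDR-less edge appliance's own syslog as the compensating telemetry: it parses constructed firewall/VPN log lines and flags the persistence and lateral-movement signals the article says defenders must catch. The log format, IP ranges, maintenance window and event names are all assumptions chosen for the example.

```python
# Added example (not from the GTIG report): compensating telemetry for an
# EDR-less edge appliance, built from the appliance's own syslog (constructed).
import re
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ADMIN_SOURCES = [ip_network("10.10.0.0/24")]  # constructed: approved jump-host subnet
APPLIANCE_IPS = {"192.168.1.1"}               # constructed: the appliance's inside address
CHANGE_WINDOW = range(2, 5)                   # constructed: maintenance window 02:00-04:59 UTC
LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+)(?P<kv>.*)$")

def parse(line):
    # Expected shape: '<ISO timestamp> <host> <EVENT> k=v k=v ...'; None if it does not match.
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(kv.split("=", 1) for kv in rec.pop("kv").split() if "=" in kv)
    return rec

def in_any(ip, networks):
    return any(ip_address(ip) in n for n in networks)

def detect(lines):
    # Returns (rule, detail) alerts; the appliance itself is the sensor here.
    alerts = []
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        ev, hour = r["event"], int(r["ts"][11:13])
        if ev == "ADMIN_LOGIN" and not in_any(r["src"], ADMIN_SOURCES):
            alerts.append(("admin_login_unexpected_source", r["src"]))
        elif ev == "USER_ADD":  # a new local account on an edge device is a persistence signal
            alerts.append(("new_local_account", r["user"]))
        elif ev == "CONFIG_CHANGE" and hour not in CHANGE_WINDOW:
            alerts.append(("change_outside_window", r["user"]))
        elif ev == "CONN_OUT" and r["src"] in APPLIANCE_IPS and in_any(r["dst"], INTERNAL):
            # The perimeter device opening connections inward is the lateral-movement tell.
            alerts.append(("appliance_initiated_internal_conn", f'{r["dst"]}:{r["dport"]}'))
    return alerts

# Constructed sample log lines (illustrative format, not any vendor's).
SAMPLE_LOGS = [
    "2025-06-01T03:12:44Z fw-edge-01 CONFIG_CHANGE user=netops src=10.10.0.5",
    "2025-06-01T14:07:02Z fw-edge-01 ADMIN_LOGIN user=admin src=203.0.113.77",
    "2025-06-01T14:07:30Z fw-edge-01 USER_ADD user=svc_backup src=203.0.113.77",
    "2025-06-01T14:07:45Z fw-edge-01 CONFIG_CHANGE user=svc_backup src=203.0.113.77",
    "2025-06-01T14:08:11Z fw-edge-01 CONN_OUT src=192.168.1.1 dst=10.20.3.15 dport=445",
    "2025-06-01T14:09:00Z fw-edge-01 CONN_OUT src=192.168.1.1 dst=198.51.100.9 dport=443",
]

if __name__ == "__main__":
    print(*detect(SAMPLE_LOGS), sep="\n")
```

The first and last sample lines are deliberate negatives (an in-window change from the jump-host subnet, and the appliance reaching an external host), so the four alerts come only from the admin login, account creation, off-window change and inward connection.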
The GTIG report shifts the defensive center of gravity from the individual endpoint to the broader corporate infrastructure. In 2026, as attackers adopt AI, exploit timelines will compress. For modern organizations, total visibility across edge devices and enterprise operating systems is no longer a best practice—it is a requirement for survival.
For the CISO, the question is no longer whether to invest in infrastructure telemetry, but whether to do so before the disclosure-to-exploit window disappears entirely. In 2026, when AI streamlines every phase of the offensive chain, there will be no room for a delayed response.
Information has been verified against cited sources and is current as of the date of publication.