Google says half of the zero days it tracked in 2025 targeted buggy enterprise technology

A new report from Google found that about half of the zero-day bugs it tracked last year exploited enterprise devices, marking a new high for hackers who are increasingly finding new ways to target large companies and steal their data.

According to the research and security giant’s annual report, 48% of zero-day zero-day vulnerabilities — software vulnerabilities unknown to their maker at the time of exploitation — are found in technologies used by enterprises and large enterprises. About half of those zero days exploited the same devices designed to protect enterprise networks from digital hackers.

Security and networking hardware, such as firewalls made by Cisco and Fortinet, virtual private networks (VPNs) and virtualization platforms such as Ivanti and VMware, were among the biggest vendors targeted last year, Google said. All four companies said hackers had exploited their products on customers’ networks in recent months.

Google researchers said hackers exploited common flaws, such as input validation and incomplete authorization processes, to penetrate firewall and VPN defenses to gain access to customers’ networks. These categories of errors are usually easier to exploit, but usually require a software update to fix.

The company also pointed to other buggy software that makes up the remaining half of the organization’s zero days. Google noted the Clop extortion ring’s campaign against Oracle E-Business Suite customers, which allowed hackers to walk away with large amounts of HR data from dozens of companies about their employees and executives. The hacks affected Harvard University, American Airlines’ Envoy, the Washington Post, and others.

The remaining 52% of zero-day bugs were found in consumer and end-user products, such as those made by Microsoft, Google and Apple, according to the report. Most zero days in consumer software are found in operating systems, and mobile devices have also seen a greater number of zero days than in previous years.

Google said it also attributed the number of zero days more to surveillance vendors than to traditional government-backed spy groups. Surveillance service vendors are typically spyware makers and exploit developers, who work on behalf of governments to hack into people’s phones. Google said the shift showed “slow but sure movement in the landscape” in how governments seek access to hacking tools.