Enterprise Software Under Fire: Zero-Day Exploits Rise 15%, New Threat Report Warns

Overview

A report released on March 5, 2026 by the Google Threat Intelligence Group (GTIG) provides insight into how zero-day vulnerabilities were exploited during 2025. The findings suggest a noticeable shift in attacker behavior. Instead of focusing mostly on consumer software, threat actors are increasingly targeting enterprise technologies and corporate infrastructure. These systems often provide broader access to networks, making them highly valuable targets for attackers.


Key Statistics from the Report

According to the report, 90 zero-day vulnerabilities were exploited in real-world attacks in 2025. This is slightly lower than the 98 cases reported in 2024, but the pattern of exploitation has changed.

One of the most important observations is the 15 percent increase in attacks targeting enterprise software. This indicates that attackers are prioritizing corporate environments and large-scale systems rather than focusing only on individual user devices. Enterprise platforms often support thousands of users and critical operations, which makes them more attractive from an attacker’s perspective.


Shift Toward Enterprise Infrastructure

The report highlights that attackers are increasingly focusing on systems that sit at the edge of corporate networks. These include technologies such as firewalls, VPN gateways, and remote access services that connect internal networks to the internet.

If attackers successfully exploit a vulnerability in one of these systems, they may gain an entry point into the organization’s network. From there, they can attempt to move laterally, escalate privileges, and access sensitive systems or data. Because these edge devices are exposed to the internet and sometimes lack deep monitoring, they have become one of the most common initial attack points.


Most Common Vulnerability Categories

GTIG found that several types of vulnerabilities appeared frequently in the zero-day exploits observed during 2025.

Memory corruption vulnerabilities remained the most common category. These flaws allow attackers to manipulate system memory in ways that can lead to remote code execution. Examples include buffer overflows and use-after-free bugs, which are often found in complex software environments.

Another common category involved privilege escalation vulnerabilities, which enable attackers to gain higher levels of access once they are already inside a system. This can allow them to move from a limited user account to full administrative control.

The report also noted cases of authentication bypass vulnerabilities, especially in enterprise security appliances. These flaws allow attackers to bypass login mechanisms entirely and access systems without valid credentials.


Role of State-Sponsored Actors

A significant portion of the zero-day exploitation activity observed in the report is linked to state-sponsored threat groups. These actors typically conduct cyber operations for strategic purposes, including intelligence gathering and surveillance.

Such groups often target government networks, defense organizations, technology companies, and critical infrastructure. Their operations are usually designed for long-term access rather than immediate disruption or financial gain.


Exploit Acquisition and Ecosystem

The report also describes the broader ecosystem around zero-day vulnerabilities. Discovering these flaws requires advanced research and specialized expertise, which makes them highly valuable.

Zero-day exploits can originate from several sources, including internal research teams, independent security researchers, or specialized exploit vendors. In some cases, exploit capabilities are traded through private markets or underground communities, which can make them accessible to cybercriminal groups as well.


Attack Lifecycle for Zero-Day Exploitation

GTIG outlines a typical sequence of events that attackers follow when using a zero-day vulnerability.

The process usually begins with discovering or acquiring the vulnerability. Once the flaw is identified, attackers develop an exploit that allows them to take advantage of the weakness.

After the exploit is ready, attackers attempt to compromise an internet-facing system. If successful, they often work to establish persistence within the network, escalate their privileges, and move laterally to other systems. Eventually, this can lead to data theft, surveillance, or long-term network access.


Defensive Measures Recommended

The report emphasizes that organizations should prioritize security for internet-facing infrastructure. Applying patches quickly is one of the most effective ways to reduce the risk of exploitation.

Organizations are also encouraged to strengthen monitoring capabilities so they can detect unusual authentication activity or suspicious administrative behavior. Continuous vulnerability scanning and proactive threat detection can help identify weaknesses before attackers exploit them.
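One way to apply this monitoring recommendation to the authentication bypass category described earlier, as an added example that is not from the GTIG report or the original article: flag administrative actions on an edge appliance that arrive on a session with no live successful login. The key=value log format, the field names and the sample lines are constructed assumptions, not any vendor's real format.

```python
import re

# Constructed sample log lines in a hypothetical key=value appliance format.
SAMPLE_LOG = """\
2026-03-05T10:00:01Z src=198.51.100.7 session=a1 event=login_failure user=admin
2026-03-05T10:00:09Z src=198.51.100.7 session=a1 event=login_success user=admin
2026-03-05T10:01:30Z src=198.51.100.7 session=a1 event=admin_action detail=export_config
2026-03-05T10:05:00Z src=198.51.100.7 session=a1 event=logout user=admin
2026-03-05T10:07:12Z src=203.0.113.50 session=zz event=admin_action detail=create_user
2026-03-05T10:09:44Z src=198.51.100.7 session=a1 event=admin_action detail=change_policy
this line is truncated garbage
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Return a dict of fields plus 'ts', or None for lines that do not parse."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD.findall(rest))
    if not ts or "session" not in fields or "event" not in fields:
        return None
    fields["ts"] = ts
    return fields

def unauthenticated_admin_actions(lines):
    """Flag admin actions on sessions with no live successful login."""
    authenticated = set()  # session ids with a login_success and no logout since
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the scan
        sid, event = rec["session"], rec["event"]
        if event == "login_success":
            authenticated.add(sid)
        elif event == "logout":
            authenticated.discard(sid)
        elif event == "admin_action" and sid not in authenticated:
            findings.append((rec["ts"], rec.get("src", "?"), sid, rec.get("detail", "?")))
    return findings

if __name__ == "__main__":
    for finding in unauthenticated_admin_actions(SAMPLE_LOG.splitlines()):
        print("ALERT admin action without authenticated session:", finding)
```

The scan assumes events arrive in time order; on a real appliance the session identifier and event names would have to be mapped from that product's own log schema.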

Another key recommendation is improving network segmentation, which helps limit how far attackers can move within a network after an initial compromise.


Strategic Implications

The findings suggest that cyber threats are evolving toward more strategic and high-impact targets. By exploiting vulnerabilities in enterprise infrastructure, attackers can gain access to large networks and critical systems with a single successful exploit.

As businesses continue to adopt cloud services, remote access technologies, and complex digital environments, the attack surface available to threat actors continues to grow. The report indicates that enterprise-focused zero-day attacks will likely remain an important challenge for cybersecurity teams in the coming years.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.