Google’s security team has released its annual report on zero-day vulnerabilities, revealing a subtle yet significant shift in cybercriminal strategies. While smartphones and web browsers remain common targets, attackers are increasingly focusing on enterprise technologies, particularly security and network infrastructure. The analysis provides a nuanced view of who’s exploiting these vulnerabilities, how they’re doing it, and which platforms are being hit the hardest.
Zero-day vulnerabilities—flaws discovered and exploited before a patch is available—have long been a weapon of choice for espionage and cybercrime groups. This year, Google identified 75 such exploits, a slight dip from 98 in 2023, but still above 2022’s 63 and vastly higher than the 31 detected in both 2019 and 2020.
Government-sponsored actors and spyware clients dominate the zero-day threat landscape. Notably, China and North Korea each exploited five zero-day vulnerabilities in 2024, while commercial surveillance clients used eight. These figures signal a growing sophistication and resource allocation toward cyber espionage by nation-states and private surveillance entities.
Interestingly, attacks targeting end-user technologies like browsers and smartphones are becoming less effective. Google notes a decline in successful zero-day exploits against these platforms, with mobile attacks dropping by half and browser-targeted exploits down by a third compared to last year. Chrome remains the most targeted browser due to its widespread use.
Enterprise technology, however, is seeing a surge in attacks. Zero-day exploits targeting enterprise platforms accounted for 44% of the total this year, up from just under 37% in 2023. Security and networking products were particularly hit, comprising 60% of all enterprise-focused attacks.
The reduction in end-user targeting may be partially attributed to better defenses and quicker patching by vendors. But cybercriminals are adapting. Sophisticated spyware attacks now chain multiple vulnerabilities together to bypass mobile device protections.
Google warns that the lines between enterprise and end-user tech are blurring, especially as many consumer technologies are also deployed in corporate environments. As such, securing enterprise tools becomes even more critical.
Despite improved detection and vendor response, the upward trend in exploit sophistication continues. Google’s findings stress the importance of patching quickly, practicing cyber hygiene, and being cautious with unfamiliar files and links. Defensive measures like heuristic analysis in antivirus software also help block novel threats, including zero-days.
What Undercode Says:
Zero-day exploits are not a new phenomenon, but the evolution in their deployment paints a concerning picture for the cybersecurity community. Undercode observes several critical dynamics in Google’s analysis that deserve deeper attention:
- Enterprise Tech Becomes a Primary Battleground: Attackers are moving from individual targets to enterprise systems. This shift is logical: larger attack surfaces, more valuable data, and often slower patch cycles make enterprise tools ideal for zero-day deployment.
- State Actors Continue to Dominate: China and North Korea matching each other in zero-day usage isn’t just a statistic—it’s a signal. The cyber cold war continues to escalate, and this parity suggests increasing capabilities across adversarial nations.
- Spyware is No Longer Niche: The fact that spyware vendors and their clients are behind a significant portion of these attacks suggests a booming commercial market for zero-day exploits. It’s no longer just about governments—private actors with budgets can now access military-grade vulnerabilities.
- Decline in Browser/Mobile Attacks is Misleading: While the stats show a drop, that doesn’t equate to safety. Attackers are choosing more complex, profitable vectors, not abandoning consumer tech altogether. As Google notes, phones and browsers remain attractive due to their ubiquity.
- Enterprise Toolchain Weaknesses Are Mounting: The reliance on networking and security appliances in modern enterprise architecture creates a single point of failure. Attackers know this—and are betting on it.
- Software Vendors Are Finally Stepping Up: The reduced impact of zero-days on end-user tech might be the result of more aggressive bug bounty programs, improved sandboxing, and a stronger culture of rapid patching. This is a welcome trend—but it must be sustained.
- Security by Design is Still Lacking: Enterprise products often sacrifice security for speed or compatibility. Until manufacturers prioritize secure development lifecycle practices, attackers will continue to find zero-day goldmines in corporate infrastructure.
- Detection is Improving, But Slowly: Google’s ability to detect and attribute these attacks shows that the gap between exploit and discovery is narrowing—but it’s still reactive, not proactive.
- Complexity is the New Attack Vector: Exploits now often involve chained vulnerabilities across multiple systems. This adds sophistication to attacks and makes them harder to prevent or even analyze in real time.
- Blurred Lines Between Consumer and Enterprise Risks: The convergence of consumer-grade devices and enterprise usage environments creates a hybrid threat model. BYOD (bring your own device) policies and cloud-first strategies mean one vulnerability can span both personal and professional domains.
- Zero-Days Are Increasingly Sold, Not Just Used: Many of the zero-days used by commercial surveillance actors are likely purchased from brokers. This marketplace creates a dangerous loop in which vulnerabilities stay in circulation longer.
- Heuristic Defense Plays a Bigger Role: Signature-based antivirus is outdated for zero-days. Behavior-based and AI-driven anomaly detection are better suited, but adoption in enterprise environments is still lagging.
- Patch Speed is Still Critical: Even if a zero-day is exploited before discovery, the speed of patch rollout after disclosure is vital. Enterprises need faster patching pipelines and fewer dependencies that delay updates.
- Threat Intelligence Sharing Needs Expansion: One reason threat actors succeed is siloed intelligence. A broader, cross-industry collaboration model is necessary to detect and neutralize threats quickly.
- Cybercrime-Linked Nations Use Plausible Deniability: The intertwining of cybercrime groups with state entities—especially in Russia—suggests a strategy where governments benefit without direct accountability.
- The Surface is Shrinking, but the Depth is Expanding: While the number of exploits fell, the severity and impact potential of each seem to be growing. Attackers are going deeper rather than wider.
- Cloud Services Could Be the Next Hotbed: As enterprises migrate more services to the cloud, expect zero-day attacks to follow. Misconfigured APIs, insecure containers, and overlooked authentication mechanisms are likely future entry points.
- User Vigilance is Still a Frontline Defense: Even against zero-days, awareness and caution—especially with email and downloads—can stop exploitation at the social engineering level.
- Zero-Day Monetization is Evolving: Beyond espionage, attackers now profit through ransomware-as-a-service and extortion campaigns that leverage these exploits with precision targeting.
- Security Should Be Seen as a Business Continuity Measure: Treating cybersecurity as optional or a budget drain is no longer viable. Enterprises must invest in layered defenses, red-teaming, and continuous security assessments.
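Both the report summary above ("heuristic analysis in antivirus software also helps block novel threats, including zero-days") and the "Heuristic Defense Plays a Bigger Role" point rest on one idea: a signature lookup can only recognise a file it has seen before, while a behavioural rule judges what a process does. The script below is an added illustration written for this post, not code from Google's report or from Undercode; the hashes, the process events and the rule names are all constructed, and the three behavioural rules (document application spawning a script host, encoded PowerShell command line, executable running from a user temp directory) are generic detection patterns chosen for the example.

```python
"""Signature lookup versus behaviour-based triage of process-creation events.

Constructed example data: a tiny 'known bad' hash list and three process
events. The final event stands in for a zero-day payload, so no signature
matches it and only the behavioural rules raise an alert.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed signature database (placeholder hashes, not real malware).
KNOWN_BAD_HASHES: Dict[str, str] = {
    "b" * 64: "Trojan.Generic (constructed sample)",
}


@dataclass
class ProcessEvent:
    parent: str   # parent process image name, lower-case
    image: str    # new process image name, lower-case
    path: str     # full path of the new process, lower-case
    sha256: str   # hex digest of the executable
    cmdline: str  # command line as logged


def signature_verdict(ev: ProcessEvent) -> Optional[str]:
    """Classic AV model: alert only if the file hash is already known."""
    return KNOWN_BAD_HASHES.get(ev.sha256)


# Generic behavioural rules; each returns a rule name when it fires.
DOC_APPS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def behaviour_verdicts(ev: ProcessEvent) -> List[str]:
    """Heuristic model: judge the action, not the file's identity."""
    hits: List[str] = []
    # Document readers have no business launching shells or script hosts.
    if ev.parent in DOC_APPS and ev.image in SCRIPT_HOSTS:
        hits.append("document-app-spawned-script-host")
    # Base64-encoded PowerShell commands are rarely used by legitimate admins.
    cmd = ev.cmdline.lower()
    if ev.image == "powershell.exe" and ("-enc " in cmd or "-encodedcommand" in cmd):
        hits.append("encoded-powershell")
    # Executables dropped into a user temp directory warrant a second look.
    if "\\appdata\\local\\temp\\" in ev.path:
        hits.append("executable-in-user-temp")
    return hits


def triage(events: List[ProcessEvent]) -> List[Dict[str, object]]:
    """Run both models over every event and report what each would catch."""
    report = []
    for ev in events:
        report.append({
            "image": ev.image,
            "signature": signature_verdict(ev),
            "behaviour": behaviour_verdicts(ev),
        })
    return report


# Constructed events: benign, known malware, and an unknown (zero-day-like) chain.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "notepad.exe",
                 "c:\\windows\\system32\\notepad.exe", "a" * 64,
                 "notepad.exe notes.txt"),
    ProcessEvent("explorer.exe", "updater.exe",
                 "c:\\users\\alice\\appdata\\local\\temp\\updater.exe", "b" * 64,
                 "updater.exe /silent"),
    ProcessEvent("winword.exe", "powershell.exe",
                 "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
                 "c" * 64, "powershell.exe -w hidden -enc QQBCAEMA"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

Running it shows the gap the post describes: the signature model flags only the second event (its hash is in the list), while the third event, whose hash nobody has seen, is caught twice over by behaviour alone. In a real EDR pipeline these rules would be one layer among many and tuned against the environment's own baseline to keep false positives manageable.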
Fact Checker Results:
- Confirmed: The total number of zero-days tracked by Google in 2024 is 75, down from 98 in 2023.
- Verified: Mobile zero-day attacks dropped by 50%, while browser-based attacks declined by 33%.
- Verified: Chinese and North Korean threat actors each exploited five zero-day vulnerabilities.
Prediction:
Given the current trajectory, 2025 will likely see zero-day attackers pivot even more aggressively toward cloud-native enterprise platforms and third-party software integrations. The use of AI-assisted vulnerability discovery by both attackers and defenders will create an escalating arms race. Expect a new wave of zero-days targeting supply chains, authentication layers, and cross-tenant cloud isolation failures. Additionally, nation-state actors will likely increase covert usage of zero-days in election interference campaigns and geopolitical espionage, especially with upcoming global elections.
References:
Reported By: www.malwarebytes.com