NextFin News - The global cybersecurity landscape reached a critical inflection point in 2025 as commercial surveillance vendors (CSVs) officially surpassed traditional state-sponsored espionage groups in the exploitation of zero-day vulnerabilities. According to the annual review released today by the Google Threat Intelligence Group, 90 zero-day vulnerabilities were disclosed and exploited last year, a steady climb from 78 in 2024. More strikingly, enterprise technologies—the backbone of corporate and government infrastructure—accounted for 48% of these attacks, the highest share ever recorded by the search giant.
The rise of the "exploit-as-a-service" economy has fundamentally altered the risk profile for the private sector. For the first time since Google began tracking these metrics, private-sector firms selling high-end spyware to government clients were responsible for more attributed zero-day exploitations than the intelligence agencies of major nation-states. This shift suggests that the barrier to entry for sophisticated cyber operations has collapsed; any regime with a sufficient budget can now purchase capabilities that were once the exclusive domain of a handful of global superpowers. While traditional state actors like those linked to the People’s Republic of China remain the most prolific individual users of zero-days, the collective volume of the commercial market now dictates the pace of the threat environment.
Enterprise infrastructure has become the primary theater of war because it offers what researchers call "privileged access." Unlike consumer devices, which are often patched automatically, the networking gear, security appliances, and edge devices that sit at the perimeter of corporate networks are notoriously difficult to monitor. Google identified 43 zero-days targeting enterprise software in 2025, with nearly half of those affecting security and networking products like routers and switches. These devices often lack the endpoint detection and response (EDR) tools that protect laptops and servers, creating a "blind spot" that allows attackers to maintain persistence within a network for months before being detected.
The financial sector and large-scale enterprises are facing a pincer movement from both state-backed spies and financially motivated extortionists. The report highlighted a significant campaign involving the Oracle E-Business Suite, linked to threat actors associated with the CL0P extortion brand. In this instance, exploitation began as early as August 2025, weeks before a patch was available, following suspicious activity that dated back to July. This overlap between high-end zero-day usage and traditional cybercrime underscores a growing sophistication among ransomware groups, who are increasingly willing to invest in expensive, unpatched flaws to secure multi-million-dollar payouts.
A more ominous trend identified in the review is the shift toward "upstream" compromise. The BRICKSTORM malware campaign in 2025 demonstrated how attackers are now targeting the source code and proprietary development documents of technology vendors themselves. By stealing the blueprints of software before it is even released, adversaries can identify and develop a pipeline of zero-day vulnerabilities for future use. This creates a cascading risk for downstream customers who rely on the integrity of their software supply chain. U.S. President Trump’s administration has faced increasing pressure to address these supply chain vulnerabilities, particularly as the speed of exploitation continues to accelerate.
The integration of artificial intelligence into the attacker's toolkit is further compressing the window for defense. Data from CrowdStrike indicates that the average "breakout time", the interval between an attacker's initial breach of one host and their first movement to other parts of the network, fell to just 29 minutes in 2025. In the most extreme cases, this happened in under 30 seconds. As AI-driven tools automate the discovery of vulnerabilities and the generation of exploit code, the traditional cycle of "patch and protect" is becoming obsolete. Organizations are now forced to move toward agentic security tools that can identify and neutralize threats in real time, as the human-led response is simply too slow to counter the current velocity of commercialized cyber warfare.
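Breakout time is a metric defenders can measure on their own telemetry rather than only read about in vendor reports. The script below is an added illustration, not code from NextFin, Google or CrowdStrike: it parses a handful of constructed logon records (not real incident data), treats the first logon from an external source as an account's foothold, finds the first onward logon from that foothold host to a different internal host, and reports the elapsed seconds, flagging anything at or under the 29-minute average cited above. The log format, the `ext-` prefix marking external sources, and the host names are all assumptions made for the example.

```python
"""Measure attacker 'breakout time' from constructed logon records.

Added example, not from the original article or any vendor's product.
Breakout time = first foothold on one host -> first logon from that host
to a different internal host, for the same account.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events (not real telemetry), newest last:
# <ISO timestamp> <event kind> <account> <source host> <destination host>
SAMPLE_LOG = """\
2025-03-04T10:00:00Z logon svc-backup ext-203.0.113.7 edge-fw-01
2025-03-04T10:05:12Z logon alice wks-17 wks-17
2025-03-04T10:21:40Z logon svc-backup edge-fw-01 fileserver-02
2025-03-04T10:22:05Z logon svc-backup fileserver-02 dc-01
2025-03-04T11:00:00Z logon bob wks-22 wks-22
"""

# Assumption for the example: 29 minutes, the 2025 average quoted in the article.
BREAKOUT_ALERT_SECONDS = 29 * 60


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    account: str
    src: str
    dst: str


def parse_events(text):
    """Parse whitespace-separated records into Events, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, account, src, dst = line.split()
        # 'Z' suffix is replaced so older Python versions parse the offset too.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, kind, account, src, dst))
    return sorted(events, key=lambda e: e.ts)


def is_external(host):
    # Assumption: hosts prefixed 'ext-' are untrusted/external sources.
    return host.startswith("ext-")


def breakout_times(events):
    """Return {account: (foothold_host, next_host, seconds)}.

    An account's foothold is its first logon arriving from an external
    source; breakout is its first later logon *from* that foothold host
    to a different destination host.
    """
    footholds = {}
    results = {}
    for e in events:
        if e.kind != "logon":
            continue
        if e.account not in footholds:
            if is_external(e.src):
                footholds[e.account] = e
            continue
        fh = footholds[e.account]
        if e.account in results:
            continue
        if e.src == fh.dst and e.dst != fh.dst:
            elapsed = (e.ts - fh.ts).total_seconds()
            results[e.account] = (fh.dst, e.dst, elapsed)
    return results


def flag_fast_breakouts(results, threshold_seconds=BREAKOUT_ALERT_SECONDS):
    """Keep only accounts that broke out at or under the threshold."""
    return {acct: r for acct, r in results.items() if r[2] <= threshold_seconds}


if __name__ == "__main__":
    found = breakout_times(parse_events(SAMPLE_LOG))
    for acct, (foothold, nxt, secs) in flag_fast_breakouts(found).items():
        print(f"ALERT {acct}: {foothold} -> {nxt} after {secs:.0f}s")
```

On the constructed log, `svc-backup` arrives from an external address onto `edge-fw-01` at 10:00:00 and logs on from that appliance to `fileserver-02` at 10:21:40, a breakout of 1300 seconds, which falls under the 29-minute line and is flagged; the ordinary interactive logons by `alice` and `bob` never acquire a foothold and produce nothing. The point of the exercise is the one the article makes about edge devices: the foothold here is a perimeter appliance, and the only evidence of the breakout is the logon it originates, so that telemetry has to reach the detection pipeline for the metric to be measurable at all.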
