Google exposes China-linked spies using 0‑day spyware in massive abuse campaign.
Photo by Nathana Rebouças (unsplash.com/@nathanareboucas) on Unsplash
Google's Threat Intelligence Group counted 90 zero-day vulnerabilities exploited in the wild in 2025. Forty-three of them, 48 per cent, hit enterprise software and appliances, the highest share since GTIG began tracking that category, with China-linked espionage groups the largest attributed state-backed contributor, The Register reports.
Key Facts
- Key company: Google
Google's Threat Intelligence Group (GTIG) logged 90 zero-day vulnerabilities exploited in the wild in 2025. Forty-three of them targeted enterprise software and appliances, a 19 per cent rise over 2024 and 48 per cent of the year's total, according to the firm's report as cited by The Register. That is the highest level of enterprise-focused zero-day abuse since GTIG began tracking the metric, and it continues the shift away from the consumer-grade exploits that dominated earlier years. Security and networking devices were the most frequently compromised category, with 21 of the 43 enterprise zero-days, nearly half. Edge infrastructure such as routers, switches and gateways accounted for 14 of those. GTIG believes that figure under-counts the real scale: such devices usually cannot run endpoint-detection agents, so exploitation on them is less likely to be noticed and reported.
Espionage remains the dominant motive behind the enterprise-focused campaigns, and China-linked actors account for the majority of the zero-days attributed to traditional state espionage groups. Of the 42 zero-days GTIG could tie to a specific type of threat actor, 12 were linked to traditional state-sponsored espionage groups, and seven of those 12 were traced to Chinese entities. A further three exploits were attributed to "likely" government spies, also tied to China, according to analyst James Sadowski. The report reinforces the view that nation-state actors use zero-days to get into large organisations and harvest strategic intelligence.
For the first time since GTIG began tracking the metric, commercial surveillance vendors (CSVs) outnumbered traditional government-backed groups in zero-days exploited. Fifteen zero-days were linked directly to CSVs such as NSO Group, Intellexa and Candiru, and three more were classified as "likely CSVs", according to GTIG data. CSVs develop and sell spyware and exploit chains to law-enforcement and intelligence agencies, but their tools are routinely turned against journalists, activists and political opponents. Google security engineer Clement Lecigne declined to name the most prolific CSVs of 2025, citing operational constraints, but confirmed that a "variety of these vendors" continued to weaponise zero-day flaws.
Financially motivated cyber-criminals accounted for nine of the 2025 zero-days, and a single incident involved a hybrid actor combining espionage and criminal motives. The remaining 30 zero-days could not be attributed with confidence, a reminder of how hard it is to tie an exploit to its user once exploit code changes hands through brokers and resellers. GTIG's findings suggest that, despite heightened scrutiny of the spyware market and recent high-profile prosecutions, such as the seven-year sentence handed to a former L3Harris executive for selling exploits to Russia, the commercial surveillance industry remains robust and continues to feed the broader zero-day ecosystem.
The surge in enterprise-targeted zero-days has drawn warnings from intelligence alliances. The Five Eyes partners have specifically urged organisations to patch Cisco's SD-WAN stack, citing a newly disclosed vulnerability that could allow full system takeover if left unaddressed. Google's report underscores the need for rapid patching, above all on edge devices: they form the network perimeter itself, yet typically sit outside endpoint-detection coverage, so exploitation there is harder to spot and the window between disclosure and patching matters more. With zero-day abuse at record levels, the convergence of state-backed espionage, commercial spyware vendors and opportunistic criminals widens the attack surface and will push vendors and defenders alike to speed up disclosure and remediation.
This article was created using AI technology and reviewed by the SectorHQ editorial team for accuracy and quality.