

Ethical Hacking News

State-Sponsored Exploitation of Enterprise Tech Zero-Days on the Rise: A New Normal for Cyber Warfare


State-sponsored espionage groups have reached an all-time high in exploiting vulnerabilities in enterprise software and appliances, with China-linked cyber-espionage groups dominating the list of attackers. As organizations continue to rely on cloud computing and SaaS solutions, they must prioritize vigilance against this growing threat.

  • The number of zero-day exploits targeting enterprise tech products reached an all-time high in 2025, with China-linked cyber-espionage groups being the most prolific state-backed users.
  • 43 out of 90 tracked zero-days in 2025 targeted enterprise software and appliances, representing a significant increase from the previous year.
  • Nearly half of these (21) targeted security and networking devices, while edge devices such as routers and switches accounted for a further 14 enterprise tech zero-days.
  • Of the exploitation Google could attribute, traditional state-sponsored espionage groups, led by China-linked actors, accounted for a higher proportion than Commercial Surveillance Vendors (CSVs), the private companies that develop and sell spyware and exploits.
  • The most prolific CSVs were not named by Google due to concerns about sharing specific information that could compromise their methods.
  • Government-linked spies, particularly those linked to China, took the lead in exploiting enterprise-tech zero-days, with PRC-nexus espionage groups responsible for the largest number of attacks.
  • Microsoft saw the most total zero-days exploited last year, highlighting the ever-evolving nature of cyber warfare where nation-state actors adapt their tactics to stay ahead of security measures.



    Google's Threat Intelligence Group has revealed that zero-day exploitation targeting enterprise tech products reached an all-time high last year, with China-linked cyber-espionage groups remaining the most prolific state-backed users. This development marks a significant shift in the tactics, techniques, and procedures (TTPs) employed by nation-state actors, as they increasingly focus on exploiting vulnerabilities in enterprise software and appliances.

    According to Google's GTIG, 43 zero-days in enterprise software and appliances were tracked in 2025, representing 48% of all zero-days exploited in the wild that year. This is a significant increase from the previous year, when 36 such zero-days (46%) were recorded. The total number of zero-day vulnerabilities actively exploited last year was 90, more than the 78 documented in 2024 but still short of the record high of 100 seen in 2023.

    Security and networking devices accounted for nearly half (21) of these enterprise-related zero-days. Edge devices, such as routers, switches, and gateways, were affected by a further 14 enterprise tech zero-days in 2025, but Google noted that this figure likely underrepresents the true scale of activity because detection capabilities on such devices are limited.

    Many of these attacks appear to be espionage-related, with China-linked groups being the biggest offenders. Google's cyber threat intelligence analyst, James Sadowski, stated that "Of the exploitation we were able to attribute, we identified a higher proportion of traditional state-sponsored espionage groups compared to CSVs or cybercrime groups." This is noteworthy because in 2025, for the first time since it started tracking zero-day exploits, Google's threat intel group had attributed more zero-days to Commercial Surveillance Vendors (CSVs) than to traditional government-backed cyber snoops.

    CSVs are private companies that develop and sell spyware and exploits, ostensibly to government agencies and law enforcement for legal intelligence gathering and crime-fighting assistance. However, these entities have been found to be involved in the exploitation of zero-days on devices belonging to journalists, protesters, and political opposition leaders.

    The most prolific CSVs were not named by Google, citing concerns about sharing specific information that could compromise their methods. Nevertheless, it is clear that these vendors are playing a significant role in the escalating threat landscape, particularly when it comes to enterprise tech exploitation.

    In contrast, government-linked spies took the lead in exploiting enterprise-tech zero-days, with PRC-nexus espionage groups responsible for the largest number of attacks. These groups' focus on edge device exploitation and broader security and networking devices has made them a significant concern for organizations that rely on these products.

    The majority of these enterprise-related zero-days were attributed to traditional state-sponsored espionage groups, including those linked to China. The targeting of technology companies in campaigns such as Brickstorm showed how stolen intellectual property (IP), such as product source code, could be used to develop further zero-day exploits.

    Microsoft products saw the most zero-days exploited last year, with Google and Apple rounding out the top three. This trend highlights the ever-evolving nature of cyber warfare, in which nation-state actors continually adapt their tactics to stay ahead of security measures.

    The rise of state-sponsored exploitation of enterprise tech zero-days serves as a stark reminder of the evolving threat landscape in the digital realm. As organizations continue to invest heavily in cloud computing and software-as-a-service (SaaS) solutions, they must also prioritize vigilance against this growing threat.

    In light of these findings, CISOs and security teams must remain vigilant and proactive in monitoring their systems for signs of zero-day exploitation. Implementing robust security protocols, keeping software up to date, and engaging with reputable threat intelligence sources can help organizations stay ahead of the evolving threat landscape.

    As the nature of cyber warfare continues to evolve, one thing is clear: state-sponsored exploitation of enterprise tech zero-days has become a major concern for organizations worldwide. It is imperative that these entities prioritize their cybersecurity posture and remain informed about emerging threats in order to protect themselves against these growing attacks.

    Related Information:
  • https://www.theregister.com/2026/03/05/zero_day_attacks_enterprise_tech_record/
  • https://x.com/TheRegister/status/2029707431257985140
  • https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/
  • https://security.muni.cz/en/articles/hacker-elites-how-the-most-dangerous-apt-groups-operate


    Published: Thu Mar 5 19:19:12 2026 by llama3.2 3B Q4_K_M