Google reports drop in zero-day exploits in 2024

What happened 

Google’s Threat Intelligence Group (GTIG) reported a total of 75 zero-day vulnerabilities exploited during 2024. While this figure marks a decline from 98 in 2023, it's still a notable increase from 63 in 2022. The report, shared with The Hacker News, highlights a strategic shift in targeting, with enterprise products now bearing the brunt of zero-day attacks.

Of these vulnerabilities, 44% were aimed at enterprise systems, and 20 zero-days were found in security and network appliances—a category increasingly attractive to threat actors due to their elevated privileges and central role in managing organizational infrastructure.

 

Going deeper 

While the overall number of zero-day exploits fell, Google’s data paints a complex picture:

  • Enterprise attack surface expands: The number of unique enterprise vendors targeted rose to 18 in 2024, up from 12 in 2021. Microsoft was the most targeted company with 26 zero-day vulnerabilities, followed by Google, Ivanti, and Apple.
  • Security software in the crosshairs: Products from Ivanti, Palo Alto Networks, and Cisco were frequently targeted. GTIG analysts noted these tools often have broad network access, making them high-value entry points.
  • Notably, three Android zero-days stemmed from third-party components, emphasizing the risks in open-source and modular systems.
  • Exploit chains and mobile devices: Though browser and mobile device exploitation dropped significantly—by a third and half, respectively—nearly 90% of zero-day exploit chains still targeted mobile platforms.

Real-world attacks

In November 2024, Google discovered a malicious JavaScript injection on the website of Ukraine’s Diplomatic Academy, which exploited CVE-2024-44308 and chained it with CVE-2024-44309 to steal cookies and gain unauthorized access to Microsoft accounts.

A separate exploit chain involving Firefox and Tor browsers—using CVE-2024-9680 and CVE-2024-49039—enabled attackers to escape the browser sandbox and deploy the RomCom RAT. Google attributed this to RomCom (aka Storm-0978/CIGAR), a threat actor known for both espionage and financial attacks.

 

Evolving trends 

GTIG’s Casey Charrier noted that while exploitation of traditionally popular targets has declined, thanks to better vendor defenses, threat actors are shifting toward enterprise environments where vulnerabilities are harder to monitor across a wider array of vendors.

 

What was said 

GTIG researchers emphasized the growing appeal of enterprise infrastructure to attackers, stating “Security and network tools and devices are designed to connect widespread systems and devices with high permissions required to manage the products and their services, making them highly valuable targets for threat actors seeking efficient access into enterprise networks.”

On the evolving landscape of zero-day exploitation, GTIG Senior Analyst Casey Charrier highlighted a turning point: “Zero-day exploitation continues to grow at a slow but steady pace. However, we've also started seeing vendors' work to mitigate zero-day exploitation start to pay off.”

“For instance, we have observed fewer instances of zero-day exploitation targeting products that have been historically popular, likely due to efforts and resources many large vendors have invested in order to prevent exploitation.”

Charrier warned that the battle is far from over: “We’re seeing zero-day exploitation shift towards the increased targeting of enterprise-focused products, which requires a wider and more diverse set of vendors to increase proactive security measures. The future of zero-day exploitation will ultimately be dictated by vendors' decisions and ability to counter threat actors' objectives and pursuits.”

 

By the numbers 

Here’s a breakdown of the key statistics that highlight where attackers are focusing their efforts—and how those targets have evolved:

  • 75 zero-day vulnerabilities exploited in 2024
    • Decrease from 98 in 2023
    • Increase from 63 in 2022
  • 44% of 2024 zero-days targeted enterprise products
  • 20 zero-days found in security and network appliances
  • 18 unique enterprise vendors were targeted compared to:
    • 12 in 2021
    • 17 in 2022
    • 22 in 2023
  • Most targeted companies:
    • Microsoft: 26
    • Google: 11
    • Ivanti: 7
    • Apple: 5
  • Exploits by platform:
    • Microsoft Windows: 22
    • Chrome: 7
    • Android: 7 (3 in third-party components)
    • Safari: 3
    • iOS: 2
    • Firefox: 1
  • Mobile and browser exploit chains:
    • Browser zero-days decreased by ~33%
    • Mobile zero-days decreased by ~50%
    • ~90% of exploit chains still targeted mobile devices
  • Threat attribution (34 of 75 exploits):
    • State-sponsored espionage: 10
    • China: 5
    • Russia: 1
    • South Korea: 1
    • Commercial surveillance vendors: 8
    • Financially motivated non-state groups: 5
    • North Korean hybrid groups: 5
    • Russian financial/espionage groups: 2

 

Why it matters: A call for broader vendor vigilance

Despite the overall decline in zero-day exploitation, Google emphasized that the threat landscape is evolving rather than shrinking.

“Zero-day exploitation continues to grow at a slow but steady pace,” said Casey Charrier, Senior Analyst at GTIG. “We’ve observed a reduction in attacks on historically popular targets, likely due to significant mitigation efforts by large vendors. However, the focus has shifted to enterprise products, which increases the number of potential weak points.”

With 18 enterprise vendors targeted in 2024—up from 12 in 2021—Google stressed the need for a wider set of companies to step up their defensive efforts.

“The future of zero-day exploitation,” Charrier concluded, “will ultimately be dictated by vendors’ decisions and ability to counter threat actors' evolving objectives.”


FAQs

What is a zero-day vulnerability?

A zero-day vulnerability is a software flaw that is exploited by attackers before the software vendor becomes aware of it and has a chance to issue a patch. These vulnerabilities are especially dangerous because there is no fix available when the attack occurs.

 

Why are zero-days so valuable to attackers?

Zero-days allow attackers to gain unauthorized access, execute malicious code, or exfiltrate data without being detected, making them highly prized by cybercriminals, state-sponsored hackers, and surveillance vendors.

 

How can organizations protect themselves?

  • Stay up-to-date with security patches
  • Use threat intelligence to monitor for emerging threats
  • Segment networks and enforce least-privilege access
  • Invest in advanced detection and response tools
