Google’s Threat Intelligence Group (GTIG) reported a total of 75 zero-day vulnerabilities exploited during 2024. While this figure marks a decline from 98 in 2023, it's still a notable increase from 63 in 2022. The report, shared with The Hacker News, highlights a strategic shift in targeting, with enterprise products now bearing the brunt of zero-day attacks.
Of these vulnerabilities, 44% were aimed at enterprise systems, and 20 zero-days were found in security and network appliances—a category increasingly attractive to threat actors due to their elevated privileges and central role in managing organizational infrastructure.
While the overall number of zero-day exploits fell, Google’s data paints a complex picture:
In November 2024, Google discovered malicious JavaScript injected into Ukraine’s Diplomatic Academy website; the script exploited CVE-2024-44308 and chained it with CVE-2024-44309 to steal cookies and gain unauthorized access to Microsoft accounts.
A separate exploit chain involving Firefox and Tor browsers—using CVE-2024-9680 and CVE-2024-49039—enabled attackers to escape the browser sandbox and deploy the RomCom RAT. Google attributed this to RomCom (aka Storm-0978/CIGAR), a threat actor known for both espionage and financial attacks.
GTIG’s Casey Charrier noted that while exploitation of traditionally popular targets has declined, thanks to better vendor defenses, threat actors are shifting toward enterprise environments where vulnerabilities are harder to monitor across a wider array of vendors.
GTIG researchers emphasized the growing appeal of enterprise infrastructure to attackers, stating, “Security and network tools and devices are designed to connect widespread systems and devices with high permissions required to manage the products and their services, making them highly valuable targets for threat actors seeking efficient access into enterprise networks.”
On the evolving landscape of zero-day exploitation, GTIG Senior Analyst Casey Charrier highlighted a turning point: “Zero-day exploitation continues to grow at a slow but steady pace. However, we've also started seeing vendors' work to mitigate zero-day exploitation start to pay off.”
“For instance, we have observed fewer instances of zero-day exploitation targeting products that have been historically popular, likely due to efforts and resources many large vendors have invested in order to prevent exploitation.”
Charrier warned that the battle is far from over: “We’re seeing zero-day exploitation shift towards the increased targeting of enterprise-focused products, which requires a wider and more diverse set of vendors to increase proactive security measures. The future of zero-day exploitation will ultimately be dictated by vendors' decisions and ability to counter threat actors' objectives and pursuits.”
Here’s a breakdown of the key statistics that highlight where attackers are focusing their efforts—and how those targets have evolved:
Despite the overall decline in zero-day exploitation, Google emphasized that the threat landscape is evolving rather than shrinking.
“Zero-day exploitation continues to grow at a slow but steady pace,” said Casey Charrier, Senior Analyst at GTIG. “We’ve observed a reduction in attacks on historically popular targets, likely due to significant mitigation efforts by large vendors. However, the focus has shifted to enterprise products, which increases the number of potential weak points.”
With 18 enterprise vendors targeted in 2024—up from 12 in 2021—Google stressed the need for a wider set of companies to step up their defensive efforts.
“The future of zero-day exploitation,” Charrier concluded, “will ultimately be dictated by vendors’ decisions and ability to counter threat actors' evolving objectives.”
A zero-day vulnerability is a software flaw that is exploited by attackers before the software vendor becomes aware of it and has a chance to issue a patch. These vulnerabilities are especially dangerous because there is no fix available when the attack occurs.
Zero-days allow attackers to gain unauthorized access, execute malicious code, or exfiltrate data without being detected, making them highly prized by cybercriminals, state-sponsored hackers, and surveillance vendors.