My coffee wasn’t even cold after writing about the Tycoon 2FA PhaaS takedown and what it means for the state of offensive infrastructure, and then Google’s Threat Intelligence Group drops the 2025 zero-day review and I nearly choked. Ninety. Ninety zero-days exploited in the wild last year. That’s not the number that should make you feel sick, though. The number that should make you feel sick is forty-three — the count of those ninety that hit enterprise technology specifically. That’s 48 percent of all zero-day exploitation last year aimed directly at the gear your organization runs to stay alive: your VPNs, your management platforms, your virtualization stacks, your network edge. An all-time record. Well. Great. How’s that perimeter security posture holding up?
What the GTIG Report Actually Says
Per Google’s Threat Intelligence Group report published March 4–5, 2026, and covered by The Register, Security Affairs, and Cybersecurity Dive, researchers tracked 90 zero-day vulnerabilities exploited in the wild throughout 2025. That’s up from 78 in 2024, and while it’s a touch below the 2023 peak of roughly 100, the trajectory is clear: this number trends up over time, and the character of the exploitation is changing in ways that should make everyone with an enterprise network extremely uncomfortable.
The headline statistic: 43 of those 90 zero-days — 48 percent — targeted enterprise-grade technology. Networking and security devices. VPN appliances. Management platforms. Virtualization infrastructure. Edge devices. Security appliances. The exact things you buy specifically to protect your environment. Cisco, Fortinet, Ivanti, VMware — household names in the enterprise security stack — feature prominently as targets. Not because these companies are uniquely incompetent, but because compromising a VPN concentrator or a network management platform gives you the keys to everything behind it, and because these devices often run without the endpoint detection and response tooling that would catch an intruder quickly.
China-nexus espionage groups remain the most prolific state-sponsored actors, accounting for at least 10 attributed zero-days in 2025. That’s double their 2024 count. Per GTIG’s Chief Analyst John Hultquist, quoted in Cybersecurity Dive: “They have a significant zero-day development ecosystem that includes industry, academia, and government.” One particularly nasty example: UNC3886 — a China-nexus group — exploited an improper isolation flaw in Juniper MX routers tracked as CVE-2025-21590. Routers. The devices that literally carry every packet your organization sends and receives. That’s not targeted espionage. That’s pre-positioning.
But here’s the plot twist that genuinely surprised me: commercial surveillance vendors (CSVs) — the Intellexas and NSO-adjacent outfits of the world — actually surpassed state-sponsored groups as the most active users of zero-day exploits in 2025. For the first time. Out of 42 attributed zero-days, CSVs were behind 15, versus 12 for state-linked groups. These vendors build and sell exploit chains to government clients — and those clients are using them against journalists, lawyers, dissidents, executives, and political opponents. The Cisco SD-WAN mass exploitation landing in the same news cycle as this report is not a coincidence — it’s the pattern made visible.
GTIG also flagged a trend I’ve been watching: AI-assisted vulnerability discovery and exploit development is coming, and it’s coming faster than most organizations are prepared for. In 2026 and beyond, the report warns, AI will be leveraged to speed reconnaissance, discover new vulnerabilities, and develop functional exploits. The window between “vulnerability patched” and “fully weaponized exploit available to any criminal with a Telegram subscription” — already at hours in some cases — gets shorter.
Why It Matters Beyond the Numbers
Let me explain who actually gets hurt when enterprise zero-days get weaponized at this scale, and I don’t mean in the abstract “organizations face risk” framing. Edge device compromises — Cisco, Fortinet, Ivanti — were used by nation-state groups to establish persistent footholds in critical infrastructure. Power grids. Water systems. Healthcare networks. Financial clearing infrastructure. The intrusions aren’t always about stealing data immediately. Sometimes they’re about being there — quietly, invisibly — so that when geopolitical tensions spike, someone can flip a switch.
As I wrote in my piece on why a Cyber 9/11 remains closer than anyone admits, the pre-positioning of nation-state actors in critical infrastructure has been documented for years, and the response from the organizations running that infrastructure has been, charitably, inconsistent. Forty-three enterprise zero-days in a single calendar year is not a blip. It’s a sustained campaign against the nervous system of the global economy.
The AI acceleration angle isn’t theoretical either. The IBM X-Force 2026 Threat Intelligence report I covered earlier this year laid out the same thesis in brutal terms: AI doesn’t change the fundamentals of what attackers want, but it shrinks every timeline — reconnaissance, weaponization, lateral movement, exfiltration. Defenders who are still operating on quarterly patch cycles and annual pen tests are going to get eaten alive.
What Went Wrong — and What’s Still Going Wrong
Enterprise technology gets targeted for a specific structural reason that the vendor community has been slow to confront: these devices often run without the visibility tooling that would catch attackers in the act. Your laptop has an EDR agent. Your server has a SIEM sending logs somewhere. Your Cisco SD-WAN concentrator, your Ivanti gateway, your Fortinet firewall? In a huge percentage of deployments, there’s no EDR on the box — the vendor doesn’t support it, the architecture doesn’t allow it, or nobody thought to instrument it because hey, it’s the firewall, it’s supposed to be the defense, not the attack surface.
Attackers know this. That’s not speculation; it’s documented in the GTIG report. “Edge devices typically lack endpoint detection and response capabilities, making intrusions harder to detect.” So the attackers park themselves on the edge device, establish persistence, and have months — sometimes years, as we’ll see in the Cisco SD-WAN discussion — to operate without anyone noticing. And then when you do notice, you don’t know how far back the compromise goes.
The commercial surveillance vendor angle is a different failure mode but equally structural. CSVs operate in a legal grey area — selling “lawful intercept” capability to government clients who have varying definitions of “lawful” depending on which government they are. The result is that state-of-the-art zero-day exploit chains, developed at enormous cost by sophisticated researchers, end up being used against civil society targets who have no realistic way to defend themselves against nation-state-grade tooling. The GTIG report makes this visible in a way that’s important: this isn’t abstract. CSVs led zero-day exploitation last year. More than China. More than Russia.
The Fixer’s Advice — What You Actually Do About This
Right. Here’s the fix. And I want to be specific, because “prioritize patching” is not advice. Let’s talk about what a real response looks like.
1. Immediately audit your attack surface for GTIG-flagged vendor targets. Cisco, Fortinet, Ivanti, VMware — if you have any of these in your environment (and statistically you have at least two of them), you need an up-to-date inventory of every version running in production, compared against CISA’s Known Exploited Vulnerabilities catalog and the specific CVEs flagged in the GTIG report. This isn’t a suggestion. If 48 percent of enterprise zero-day exploitation hits the exact gear you’re running, you need to know today whether you’re patched, not next quarter.
2. Instrument your edge devices for detection. Yes, many of these devices don’t support EDR agents. That doesn’t mean you can’t instrument them. VPN gateway logs, firewall logs, network flow data, authentication logs — all of these should be flowing into your SIEM in real time, with alerting tuned for anomalous authentication patterns, unexpected outbound connection initiation (edge devices typically receive connections, not initiate them), configuration changes, and unusual management access. If these logs aren’t in your SIEM, you are blind on the exact devices being targeted most heavily.
3. Implement network segmentation assuming breach. Given that edge devices are the primary target and often lack detection capability, your architecture needs to assume that something on the edge is compromised and design accordingly. Zero trust network access (ZTNA) principles mean that even a fully compromised VPN concentrator doesn’t give an attacker unrestricted lateral movement access to your internal network. Micro-segmentation, mandatory authentication for internal east-west traffic, and explicit least-privilege network ACLs are not nice-to-haves. They’re the difference between “we got breached at the edge” and “we got fully owned.”
4. Patch velocity is a competitive advantage now. The GTIG report documents that the window between patch release and active exploitation is measured in days or hours for the highest-severity vulnerabilities. Your patch cycle — whatever it is — needs an emergency lane for critical edge device vulnerabilities. Define it now: when CISA adds something to KEV with a 3-day deadline, how does your organization respond? If the answer is “it goes into the next change management window,” your answer is wrong. Write the exception process. Test it. Make sure someone has authority to break the change freeze window when a CVSS 9.8 on a Fortinet device is being actively exploited.
5. Treat commercial surveillance vendor (CSV) exposure as a threat model item. If your organization employs executives, lawyers, journalists, political figures, or human rights workers — or if you work in an industry that CSVs’ government clients have reason to target — you need to model CSV-grade mobile and browser exploit chains as a realistic threat. My research on the quantum threat to national security covers the broader architecture of state-level offensive capability, and CSV tooling sits squarely in that ecosystem now. For high-risk individuals: hardware security keys for all accounts, regularly wiped mobile devices, and iMessage/WhatsApp replaced with Signal for sensitive communications. Minimal.
6. Start tracking GTIG’s ongoing attribution research. Google publishes this data publicly. UNC3886. UNC5221. Track these groups. Subscribe to GTIG’s threat intelligence feed. When a new China-nexus campaign is documented, check whether the targeted devices are in your environment. This is not exotic threat intelligence work. It’s reading the reports and acting on them, which apparently is revolutionary in some organizations.
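A minimal inventory-versus-KEV check covering items 1 and 4, added here as an illustration rather than code from the GTIG report or CISA. It assumes a constructed inventory, constructed KEV-style entries (placeholder CVE ids), and an `affected_versions` enrichment that the real KEV catalog does not carry (you would source that from the vendor advisory); each match is bucketed into the emergency lane the text describes.

```python
from datetime import date

# Constructed inventory of what is actually running on the edge (field names assumed).
INVENTORY = [
    {"host": "vpn-1",  "vendor": "ExampleVendor", "product": "EdgeGateway",  "version": "7.0.12"},
    {"host": "fw-1",   "vendor": "ExampleVendor", "product": "EdgeGateway",  "version": "7.2.4"},
    {"host": "mgmt-1", "vendor": "OtherVendor",   "product": "MgmtPlatform", "version": "3.1.0"},
]

# Constructed KEV-style entries. cveID / vendorProject / product / dateAdded / dueDate
# mirror CISA's real catalog fields; "affected_versions" is NOT a KEV field, it is an
# assumed enrichment taken from the vendor advisory. CVE ids are placeholders.
KEV = [
    {"cveID": "CVE-0000-00001", "vendorProject": "examplevendor", "product": "edgegateway",
     "dateAdded": "2026-03-02", "dueDate": "2026-03-05", "affected_versions": {"7.0.12", "7.0.13"}},
    {"cveID": "CVE-0000-00002", "vendorProject": "OtherVendor", "product": "MgmtPlatform",
     "dateAdded": "2026-02-10", "dueDate": "2026-03-03", "affected_versions": {"3.1.0"}},
    {"cveID": "CVE-0000-00003", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
     "dateAdded": "2026-01-20", "dueDate": "2026-02-10", "affected_versions": {"6.4.0"}},
]

EMERGENCY_LANE_DAYS = 3  # the "KEV with a 3-day deadline" case from the text


def kev_exposure(inventory, kev, today):
    """Match running versions against KEV entries; return findings, most urgent first."""
    findings = []
    for dev in inventory:
        for e in kev:
            # Vendor/product names are free text in practice, so compare case-insensitively.
            if (dev["vendor"].lower(), dev["product"].lower()) != (
                e["vendorProject"].lower(), e["product"].lower()):
                continue
            if dev["version"] not in e["affected_versions"]:
                continue  # a patched or unaffected build is not a finding
            days_left = (date.fromisoformat(e["dueDate"]) - today).days
            if days_left < 0:
                lane = "OVERDUE"          # past CISA's due date: break the change freeze
            elif days_left <= EMERGENCY_LANE_DAYS:
                lane = "EMERGENCY"        # goes into the emergency lane, not the next window
            else:
                lane = "SCHEDULED"
            findings.append({"host": dev["host"], "cve": e["cveID"],
                             "days_left": days_left, "lane": lane})
    return sorted(findings, key=lambda f: f["days_left"])


if __name__ == "__main__":
    for f in kev_exposure(INVENTORY, KEV, date(2026, 3, 4)):
        print(f"{f['lane']:9} {f['host']:8} {f['cve']} due in {f['days_left']} day(s)")
```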
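The detection logic item 2 asks for, written as an added example over constructed log events (not code from the original post or any vendor): edge devices that initiate outbound connections, management logins from outside the management subnet, repeated failed admin logins, and configuration changes outside policy. Addresses, field names and the change window are assumptions.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample events, normalized the way a SIEM might ingest VPN gateway and
# firewall logs. Field names and addresses are assumptions, not any vendor's schema.
EDGE_DEVICES = {"10.0.0.1", "10.0.0.2"}             # VPN concentrator, firewall
MGMT_SUBNET = ipaddress.ip_network("10.10.0.0/24")  # where admin sessions should originate
OUTBOUND_ALLOWLIST = {"203.0.113.10"}               # e.g. the vendor update server
FAILED_LOGIN_THRESHOLD = 3

SAMPLE_EVENTS = [
    {"ts": "2026-03-05T02:14:00", "type": "flow", "src": "10.0.0.1", "dst": "203.0.113.10"},
    {"ts": "2026-03-05T02:15:10", "type": "flow", "src": "10.0.0.1", "dst": "198.51.100.77"},
    {"ts": "2026-03-05T02:15:12", "type": "mgmt_login", "src": "10.10.0.5", "device": "10.0.0.2", "user": "netops", "ok": True},
    {"ts": "2026-03-05T02:16:00", "type": "mgmt_login", "src": "192.0.2.9", "device": "10.0.0.1", "user": "admin", "ok": False},
    {"ts": "2026-03-05T02:16:05", "type": "mgmt_login", "src": "192.0.2.9", "device": "10.0.0.1", "user": "admin", "ok": False},
    {"ts": "2026-03-05T02:16:10", "type": "mgmt_login", "src": "192.0.2.9", "device": "10.0.0.1", "user": "admin", "ok": False},
    {"ts": "2026-03-05T02:16:30", "type": "mgmt_login", "src": "192.0.2.9", "device": "10.0.0.1", "user": "admin", "ok": True},
    {"ts": "2026-03-05T02:17:00", "type": "config_change", "src": "192.0.2.9", "device": "10.0.0.1", "user": "admin"},
]


def in_change_window(ts):
    """Assumed policy: configuration changes are only expected between 18:00 and 22:00."""
    return 18 <= datetime.fromisoformat(ts).hour < 22


def detect_edge_anomalies(events):
    """Return (rule, event) pairs for behaviour an edge device should not exhibit."""
    alerts, failed = [], Counter()
    for ev in events:
        src = ev["src"]
        if ev["type"] == "flow":
            # Edge devices receive connections; one initiating a session to an
            # unknown destination is the signal the text calls out.
            if src in EDGE_DEVICES and ev["dst"] not in OUTBOUND_ALLOWLIST:
                alerts.append(("edge_initiated_outbound", ev))
        elif ev["type"] == "mgmt_login":
            if not ev["ok"]:
                failed[src] += 1
                if failed[src] == FAILED_LOGIN_THRESHOLD:  # alert once per source
                    alerts.append(("repeated_failed_mgmt_login", ev))
            elif ipaddress.ip_address(src) not in MGMT_SUBNET:
                alerts.append(("mgmt_login_outside_mgmt_subnet", ev))
        elif ev["type"] == "config_change":
            if ipaddress.ip_address(src) not in MGMT_SUBNET or not in_change_window(ev["ts"]):
                alerts.append(("config_change_out_of_policy", ev))
    return alerts
```

In a real deployment the allowlist and management subnet come from your CMDB, and the rules run as streaming correlation in the SIEM rather than over a list.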
The 2025 zero-day review is a gift. Google’s researchers put in the work to document 90 vulnerabilities, attribute 42 of them to specific actors, identify the systemic patterns, and publish the whole thing for free. The least we can do is read it, act on the specific findings, and stop pretending that our perimeter gear is inherently trustworthy because we paid a lot for it.
