
Preface
In 2025, zero-day vulnerabilities emerged as one of the most decisive factors shaping the global cyber-threat landscape. Attackers increasingly shifted from noisy, opportunistic exploits to precision-driven zero-day abuse, targeting high-value platforms such as browsers, operating systems, virtualization layers, and enterprise edge devices. The speed at which vulnerabilities moved from discovery to weaponization compressed dramatically—often measured in days or even hours—leaving defenders in a constant reactive posture.
What distinguished 2025 was not just the volume of zero-days, but their strategic use. Threat actors chained multiple zero-days together to bypass modern security controls, combining browser exploits with sandbox escapes, privilege escalation flaws, and lateral movement techniques. Widely deployed technologies—Chrome, Windows kernel components, Android frameworks, VPNs, firewalls, and hypervisors—became prime targets, amplifying impact across enterprises and critical infrastructure.
Defensive maturity improved, but attacker innovation outpaced patch cycles. Security vendors and national CERTs increasingly confirmed “exploitation in the wild” at disclosure time, underscoring that zero-days were no longer rare or exceptional—they became an expected attack primitive. In 2025, zero-days were not merely vulnerabilities; they were operational tools, shaping campaigns, enabling ransomware, espionage, and initial access at scale, and redefining how cyber risk manifested across the digital ecosystem.
Notes on Zero-Day Classification
- A true zero-day is exploited before the official patch release or before the code is publicly fixed. Many of the entries listed in this report were confirmed exploited before patching, or had active attacks observed.
- Some CVEs are included because they had proof-of-concept exploits or were widely considered “zero-day in practical exploit timelines” during 2025.
Key Analyst Observations
- Microsoft + Google = ~47% of all zero-days
- Reflects attack ROI, not weak engineering.
- Browser & OS layers dominate
- Initial access + privilege escalation remains the preferred kill chain.
- Security & networking appliances continue to be high-impact, low-volume targets.
- Apple zero-days skew toward high-end targeted attacks, not mass exploitation.
- Supply-chain style zero-days (React) highlight the risk of trusted frameworks.
| Vendor | Approx. % of Total Zero-Day Exploits | Comments / Notes | Source |
|---|---|---|---|
| Microsoft | ~30% | Largest share of zero-day exploitation evidence in 2025, largely in Windows and server products. | infosecurity-magazine.com |
| Google | ~11% | Includes Chrome and Android (Framework/OS) zero-days exploited in the wild. | infosecurity-magazine.com |
| Apple | ~8% | iOS/macOS/WebKit zero-days actively exploited. | infosecurity-magazine.com |
| Ivanti | ~6% | Security-appliance related zero-days reported. | infosecurity-magazine.com |
| Qualcomm | ~5% | Chipset/Android-related exploitable flaws. | infosecurity-magazine.com |
| VMware | ~5% | Hypervisor/virtualization product zero-days. | infosecurity-magazine.com |
| Cisco | Variable but notable | Enterprise networking zero-days (e.g., AsyncOS). Exploit evidence and KEV entries show multiple Cisco vulnerabilities exploited. | TechRadar |
| Fortinet | Moderate | Multiple exploited vulnerabilities seen in FortiOS/FortiWeb. | IT Pro |
| WatchGuard | Moderate | Firebox OS zero-day exploited. | TechRadar |
| Oracle / Third-Party Apps | Lower but impactful | E-Business Suite exploited in major breach. | TechRadar |
| WinRAR / Other Tools | Smaller | Standalone app zero-days like WinRAR CVE-2025-8088. | Windows Central |
Major Zero-Day Vulnerabilities in 2025
Microsoft – Servers and Endpoints
- CVE-2025-30397 – Windows scripting engine RCE (actively exploited)
- CVE-2025-32701 – Windows CLFS EoP
- CVE-2025-32706 – Windows CLFS EoP
- CVE-2025-32709 – Windows AFD.sys EoP
- CVE-2025-59230 – Remote Access Connection Manager EoP (actively exploited)
- CVE-2025-24990 – Agere modem driver EoP (exploited)
- CVE-2025-29824 – Windows CLFS EoP (exploit seen)
- CVE-2025-62221 – Windows Cloud Filter Driver EoP (exploited)
Browsers & Client Software
- CVE-2025-2783 – Google Chrome sandbox escape (zero-day exploited before patch)
- Google Chrome zero-days reported in Android/Chrome patch rounds, e.g., CVE-2025-48633 and CVE-2025-48572 (Android/Chromium impacts; actively exploited)
- CVE-2025-4664 – Chrome Skia use-after-free causing memory corruption and potential code execution
- CVE-2025-6554 – Chrome V8 type-confusion vulnerability allowing arbitrary code execution
- CVE-2025-6558 – Chrome ANGLE/GPU memory corruption leading to remote code execution
- CVE-2025-5419 – Chrome V8 out-of-bounds access enabling heap corruption and exploitation
- CVE-2025-10585 – Chrome V8 type-confusion bug actively exploited in the wild
- CVE-2025-13223 – Chrome V8 memory corruption zero-day used in active attacks
- CVE-2025-14174 – Chrome ANGLE out-of-bounds memory access exploited before patch
Mobile / Platform
- CVE-2025-48633 – Android info disclosure zero-day (actively exploited)
- CVE-2025-48572 – Android privilege escalation zero-day (actively exploited)
- CVE-2025-24085 – Apple Core Media Framework EoP exploited early in 2025
Enterprise Software & Services
- CVE-2025-53770 – Microsoft SharePoint RCE (actively exploited)
- CVE-2025-53771 – Microsoft SharePoint authentication bypass (part of ToolShell attacks)
- CVE-2025-10035 – GoAnywhere MFT command injection zero-day (active exploitation)
Network & Security Appliances
- CVE-2025-20393 – Cisco AsyncOS (Secure Email Gateway) critical zero-day exploited in campaigns
- CVE-2025-14733 – WatchGuard Firebox OS RCE exploited in the wild
- CVE-2025-20333 & CVE-2025-20362 – Cisco ASA / FTD zero-days exploited in the wild (remote code execution/unauthorized access)
- CVE-2025-20352 – Cisco IOS / IOS-XE RCE zero-day exploited (reported in threat intel)
Other Reported Zero-Days / Significant Vulnerabilities
Some vulnerabilities were treated as zero-day due to exploitation before patch or active proof-of-concept use:
- CVE-2025-64671 – Microsoft PowerShell/JetBrains remote code execution with PoC exposure
- Other public PoCs surfaced for Microsoft and third-party apps late 2025 (e.g., CVE-2025-54100)
| Vendor | Zero‑Days (2025) | Primary Products Affected | Common Exploitation Pattern |
|---|---|---|---|
| Microsoft | 8 | Windows OS, Kernel, SharePoint, DWM | Mass exploitation, post‑exploitation chains |
| Google | 8 | Chrome, Android, GPU / ANGLE | Drive‑by attacks, sandbox escape |
| Apple | 7 | iOS, macOS, WebKit, ImageIO | Targeted spyware‑grade exploitation |
| Fortinet | 2 | FortiOS, FortiProxy, FortiWeb | Authentication bypass → lateral movement |
| Citrix | 1 | NetScaler ADC / Gateway | Internet‑facing RCE |
| Meta (React) | 1 | React Server Components | Application & supply‑chain exploitation |
| VMware | 1 | VMware Tools / Aria Operations | Local privilege escalation |
| Cisco | 1 | Secure Email Gateway (AsyncOS) | Espionage & persistent access |
| WatchGuard | 1 | Firebox OS | Network appliance RCE |
| Oracle | 1 | Oracle E‑Business Suite | Enterprise breach vector |
| WinRAR | 1 | WinRAR Archive Manager | Phishing‑led malware execution |
| Qualcomm | 1 | Snapdragon / Android chipset | Mobile privilege escalation |
| Total | 34 | — | — |
Note: This list represents publicly disclosed and confirmed zero-day vulnerabilities exploited in 2025, where exploitation occurred before or at the time of patch release. Counts are based on vendor advisories, CISA KEV entries, and threat-intelligence reporting.
Sources & Intelligence Tracking
To track zero-day disclosures and advisories, security teams often consult:
- CISA Known Exploited Vulnerabilities (KEV) Catalog for 0-day exploitation evidence and deadlines.
- Zero Day Initiative (ZDI) advisories for early discovery notifications (not all are exploited in the wild).
- Monthly Patch Tuesday summaries from Microsoft, Google, Apple, etc., which often classify vulnerabilities based on exploit status.
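One way to operationalize the KEV check described above, as an added example that is not part of this report: a Python script that cross-references a CVE watchlist drawn from the lists in this report against a KEV-shaped feed and orders the hits by remediation urgency. The catalog sample is constructed and its dates (and the ExampleCo record) are placeholders; only the field names follow the public KEV JSON schema.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (the real one is at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Dates and the ExampleCo record are placeholders, not actual catalog values.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2025.12.15",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2025-53770", "vendorProject": "Microsoft", "product": "SharePoint",
         "dateAdded": "2025-01-01", "dueDate": "2025-01-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-20333", "vendorProject": "Cisco", "product": "ASA / FTD",
         "dateAdded": "2025-12-01", "dueDate": "2025-12-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-99999", "vendorProject": "ExampleCo", "product": "Widget",
         "dateAdded": "2025-11-29", "dueDate": "2025-12-20", "knownRansomwareCampaignUse": "Known"},
    ],
})

def load_kev(raw_json: str) -> dict:
    """Index a KEV feed by CVE ID for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}

def triage(watchlist, kev_index, today: str):
    """Split a CVE watchlist into KEV hits (ordered by urgency) and misses.

    A hit carries the KEV remediation due date, whether it has passed as of
    `today` (ISO date string), and whether CISA ties the CVE to ransomware use.
    """
    now = date.fromisoformat(today)
    hits, misses = [], []
    for cve in watchlist:
        entry = kev_index.get(cve)
        if entry is None:
            misses.append(cve)  # absent from KEV, which does not mean unexploited
            continue
        due = date.fromisoformat(entry["dueDate"])
        hits.append({"cve": cve, "vendor": entry["vendorProject"], "product": entry["product"],
                     "due": due.isoformat(), "overdue": now > due,
                     "ransomware": entry.get("knownRansomwareCampaignUse") == "Known"})
    # Overdue first, then ransomware-linked, then soonest due date.
    hits.sort(key=lambda h: (not h["overdue"], not h["ransomware"], h["due"]))
    return hits, misses

if __name__ == "__main__":
    idx = load_kev(SAMPLE_KEV_JSON)
    found, missing = triage(["CVE-2025-20333", "CVE-2025-53770", "CVE-2025-10035", "CVE-2025-99999"], idx, "2025-12-15")
    for h in found:
        print(h)
    print("not in sample KEV:", missing)
```

Swap SAMPLE_KEV_JSON for the downloaded feed and the watchlist for your asset inventory's CVEs to get a daily prioritized patch queue.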
Closing Notes
The zero-day surge of 2025 marked a clear inflection point in modern cyber warfare. What were once exceptional, high-value exploits became repeatable, operational assets used across ransomware, espionage, and supply-chain attacks. The year demonstrated that patching alone is no longer sufficient; exploitation frequently occurred before defenders even became aware a flaw existed.
As organizations move forward, resilience must take precedence over reaction. Behavioral detection, attack-surface reduction, privilege minimization, and rapid containment are now as critical as vulnerability management. Zero-days will continue to prevail—not because defenders are unaware, but because adversaries have mastered speed, chaining, and scale. The lesson from 2025 is unmistakable: assume breach, expect zero-days, and design security strategies that withstand exploitation rather than merely chase it.