Google reported that nearly half of the zero-day vulnerabilities it tracked in the past year were exploited in enterprise technologies, highlighting the increasing focus on corporate infrastructure by attackers seeking access to sensitive organizational data.
According to Google’s annual security report, 48% of tracked zero-day vulnerabilities targeted technologies used by corporations and large organizations.
The finding represents the highest proportion of enterprise-targeted zero-days recorded in Google’s tracking efforts to date. Zero-day vulnerabilities are software flaws that are unknown to the vendor at the time attackers exploit them, meaning defensive patches or mitigations may not yet exist when attacks begin.
Google’s researchers noted that roughly half of the enterprise-focused zero-days affected devices specifically designed to defend corporate networks. These include firewalls, secure networking appliances, and infrastructure systems that are typically deployed as the first line of defense against intrusions.
Security and networking products from major vendors were among the technologies most frequently targeted. Devices and platforms from Cisco, Fortinet, Ivanti, and VMware appeared prominently in the report.
Google said hackers had exploited products from all four vendors on customer networks during the year. Each of the companies acknowledged that attackers had targeted their systems in recent months.
These products often sit at critical junctions within corporate infrastructure. Firewalls, secure gateways, and remote access platforms are typically positioned between internal enterprise networks and the public internet, making them high-value targets for attackers seeking entry points.
Among the commonly exploited weaknesses identified in the report were input validation flaws and incomplete authorization mechanisms. These software defects can allow attackers to send malicious inputs or bypass authentication checks, enabling unauthorized access to systems.
Although these categories of vulnerabilities are widely understood within software security research, they remain common sources of exploitation. In many cases, remediation requires vendors to release security patches and customers to apply updates across their infrastructure.
Enterprise Infrastructure as a Primary Target
The report indicates that many attacks focused on technologies that manage secure remote connectivity and internal network segmentation. Virtual private network platforms and virtualization software appeared among the exploited technologies.
Platforms such as VMware virtualization environments and VPN services allow companies to manage remote workforces and distributed infrastructure. Because they often control authentication and network access, successful exploitation can provide attackers with broad visibility into corporate systems.
Once attackers gain entry through these systems, they may move laterally within the environment to access internal databases, corporate communications platforms, or sensitive operational systems.
Google’s report also described how attackers exploited enterprise applications used by large organizations. One example cited involved the Clop extortion gang targeting customers of Oracle E-Business Suite.
The campaign allowed attackers to extract large quantities of human resources data from multiple organizations. According to the report, the stolen information included details related to employees and corporate executives.
Organizations affected by the activity included Harvard University, the American Airlines subsidiary Envoy, and The Washington Post.
Enterprise resource planning systems such as Oracle E-Business Suite often contain payroll information, personnel records, and operational data. These systems are therefore attractive targets for attackers seeking financially valuable information.
Consumer Software and Surveillance Activity
While enterprise infrastructure accounted for a large portion of zero-day exploitation, the remaining vulnerabilities identified by Google were found in consumer and end-user software.
According to the report, 52% of zero-day vulnerabilities affected consumer products. These included operating systems and applications developed by companies such as Microsoft, Google, and Apple.
Operating systems represented the largest category of consumer software vulnerabilities. Mobile devices also experienced a higher number of zero-day discoveries compared with previous years.
Mobile platforms are often targeted because they store large amounts of personal data and provide access to messaging services, authentication systems, and cloud accounts. Successful exploitation can therefore provide attackers with extensive insight into user communications and digital identities.
Google’s researchers also observed a change in the types of organizations responsible for some zero-day discoveries. According to the report, the company attributed more zero-day vulnerabilities to surveillance vendors than to traditional government-backed espionage groups.
Surveillance vendors typically develop spyware and exploit technologies designed to infiltrate mobile devices and other computing platforms. These tools are frequently sold to government agencies seeking investigative or intelligence capabilities.
The report stated that this pattern reflects “a slow but sure movement in the landscape” regarding how governments acquire access to hacking tools.
Security researchers and software vendors regularly analyze zero-day vulnerabilities to improve defensive technologies and patch vulnerable systems. Industry reports such as Google’s annual study provide insight into how attackers discover and exploit previously unknown software flaws.
Additional technical information about zero-day vulnerabilities and defensive guidance is available from the Cybersecurity and Infrastructure Security Agency’s zero-day vulnerability guidance, which outlines how organizations can reduce risk through monitoring, patching, and secure software practices.
