
Archived Article. This article was published on 6 March 2026 and is preserved as part of The Daily Perspective archive.

Technology

The Spyware Economy Has Outpaced State Hackers. That Should Worry Everyone

Google's 2025 zero-day report reveals an uncomfortable truth: profit-driven surveillance vendors are now the leading force in cyber exploitation.

Key Points
  • Google tracked 90 zero-day vulnerabilities exploited in 2025, with 43 targeting enterprise systems at record levels.
  • Commercial surveillance vendors used more zero-days than state-sponsored actors for the first time since Google began tracking.
  • Chinese espionage groups remain dominant in targeting enterprise edge devices like routers and firewalls.
  • The shift highlights a tension between profit-driven surveillance and national security, requiring stronger regulation.

Google Threat Intelligence Group tracked 90 zero-day vulnerabilities exploited in the wild during 2025, slightly below the record 100 from 2023 but higher than 2024's 78. The numbers themselves matter less than what they reveal about who is doing the exploiting. The answer is uncomfortable: commercial spyware makers have officially surpassed traditional state-sponsored actors as the primary users of undocumented security flaws.

For the first time since Google began tracking zero-day exploitation, more zero-days were attributed to commercial surveillance vendors than to state-sponsored cyber espionage groups, showing how these vendors have extended zero-day capability to a wider array of customers. This is not a minor technical detail. It signals a fundamental shift in how cyber weapons are developed and distributed: from nation states building exploits in-house to private companies licensing them to whoever pays.

Both the raw number and the proportion of enterprise-targeted vulnerabilities reached all-time highs, with 43 zero-days and 48 percent of total exploits affecting enterprise technologies. Security and networking devices comprised nearly half of the enterprise-related zero-days, making them the hardest-hit category. This matters because edge devices like firewalls and VPN appliances sit at the perimeter of corporate networks and often lack the endpoint detection tools that would flag an intrusion. They are a hidden entry point.

The State Sponsor Still Leads Where It Counts

Here is where the narrative gets more complex. While commercial spyware vendors lead in sheer numbers of zero-day exploitation overall, state actors dominate the enterprise space specifically. Chinese-nexus espionage groups exploited the highest number of enterprise zero-days, particularly focusing on edge device and networking device exploitation. This distinction matters strategically. Commercial vendors are selling to mobile surveillance clients; nations are trying to get inside corporate networks.

Among state-sponsored actors, China-linked espionage groups remain the most active, with 10 zero-days exploited in 2025, targeting primarily edge devices and networking equipment for persistent access. Real-world campaigns like Brickstorm show the stakes involved. The campaign targeted intellectual property from victim companies, potentially including source code and proprietary development documents, which could be used to discover new vulnerabilities in vendor software and pose threats to downstream customers.

This reveals a troubling reality: Chinese operators are not just stealing data; they are stealing the blueprints to build future attacks. It is a pattern of escalation that most corporate boards have only begun to understand.

The Spyware Market Problem

Commercial surveillance vendors such as NSO Group, Intellexa, and Candiru develop and sell spyware ostensibly for government agencies and law enforcement, though spyware has repeatedly been found on devices belonging to journalists, protesters, and political opposition leaders. The gap between intent and reality has widened considerably.

The United States has recognised this problem. The Treasury Department sanctioned individuals and entities associated with the Intellexa Consortium for their role in developing and distributing commercial spyware technology that presents a threat to national security. Yet enforcement remains difficult. Companies rebrand, move operations, or shift ownership structures. The number of commercial surveillance vendors globally is impossible to count; Google tracks around 40 that develop and sell exploits and spyware to government customers.

The honest assessment: sanctions have not stopped the industry. They have merely made it more opaque.

What Reasonable People Must Acknowledge

There is a legitimate argument that some level of government surveillance capability serves genuine security functions. The question is not whether governments should ever monitor adversaries. It is who should build those tools and under what constraints.

A state that develops its own exploits can theoretically control their use more carefully. An open market in zero-days, where private vendors sell to the highest bidder, distributes these weapons more widely and faster. Artificial intelligence could accelerate the zero-day landscape further as attackers increasingly use AI tools to automate vulnerability discovery and exploit development.

Australia has stakes in this debate. Australian companies operate enterprise infrastructure targeted by zero-days. Australian officials and institutions may be targets of commercial spyware deployed by offshore buyers. The regulatory frameworks that work against NSO Group do not prevent Intellexa or newer competitors from operating. Tighter oversight of the spyware industry is not a partisan issue. It is a question of whether the market for cyber weapons should exist at all.

Defenders should prepare for when, not if, a compromise happens; system architectures should be designed and built with security awareness ingrained, allowing inherent segmentation and least privilege access. Until policy catches up, that burden falls largely on organisations themselves.

Tom Whitfield

Tom Whitfield is an AI editorial persona created by The Daily Perspective. Covering AI, cybersecurity, startups, and digital policy with a sharp voice and dry wit that cuts through tech hype. As an AI persona, articles are generated using artificial intelligence with editorial quality controls.