Google’s Threat Intelligence Group (GTIG) released its annual analysis of zero-day exploitation, detailing how 2024 saw attackers increasingly target enterprise software and infrastructure over traditional consumer platforms like browsers and mobile devices.
While the total number of zero-days dropped from 98 in 2023 to 75 in 2024, the data points to a continued evolution in adversary behavior and more sophisticated targeting of enterprise tech stacks.
Enterprise Tool Attacks Hit Record
Enterprise software and networking appliances accounted for 44% of all zero-day vulnerabilities exploited in 2024—a record high. GTIG reported that threat actors gravitated toward products like VPNs, security gateways, and cloud infrastructure tools, recognizing their privileged position in organizational networks and their potential to bypass endpoint detection.
Among the most targeted were products from Ivanti, Palo Alto Networks, and Cisco. Exploits in these systems typically allowed for remote code execution or privilege escalation, often requiring no exploit chain. This shift signals a widening threat surface for enterprise defenders and points to attackers optimizing for high-impact intrusions with minimal exposure.
In a notable twist, security software itself emerged as a frequent target. GTIG observed 20 zero-days exploited in networking and security tools—over 60% of all enterprise-specific zero-days. These tools are highly attractive because they’re deeply embedded in the infrastructure they protect and are often not monitored by traditional endpoint detection and response (EDR) tools.
Vulnerabilities in these products can give attackers immediate high-privilege access, GTIG warned. The report called for EDR vendors to adapt their visibility strategies to account for these increasingly targeted platforms.
End-User Platforms: A Relative Decline
Although end-user technologies still made up the majority of zero-day activity (56%), GTIG saw a significant drop in exploitation for browsers and mobile platforms. Chrome remained the most targeted browser, but attacks fell by nearly a third. Mobile zero-day usage halved from the previous year.
In contrast, Windows exploitation rose again—22 zero-days were tracked in Microsoft’s OS, up from 16 the previous year. With Windows still ubiquitous in enterprise and home environments, threat actors continue to find value in chaining privilege escalation bugs and kernel exploits.
The Players Behind the Exploits
State-sponsored espionage remains the primary driver behind zero-day use, accounting for over 50% of all attributed cases. PRC-affiliated actors exploited five zero-days, primarily in Ivanti appliances, in complex campaigns like one executed by UNC5221.
North Korean groups, meanwhile, tied with China for the first time, also exploiting five zero-days. These campaigns often blended espionage with financially motivated attacks, such as ad fraud and ransomware precursors.
Commercial surveillance vendors (CSVs) like Cellebrite continued to play a major role, especially in physical-access attack chains. Although GTIG noted fewer CSV-attributed zero-days than in 2023, the researchers attributed this decline to improved operational security rather than reduced activity.
Most Attacked Vulnerability Types
Three vulnerability types led the charts in 2024: use-after-free, command injection, and cross-site scripting. Many of these were tied to core enterprise tools, suggesting attackers are deliberately seeking out systemic weaknesses.
Google’s report took CVE-2024-44308 and CVE-2024-44309 as key examples—used together in a WebKit exploit chain to steal authentication cookies from government users visiting compromised websites. In another case, the CIGAR threat group leveraged CVE-2024-49039 in Firefox to escalate privileges from a sandboxed browser process all the way to SYSTEM.
What’s Ahead
GTIG expects enterprise product targeting to grow even further in 2025. The report urges vendors of business infrastructure and security software to invest in secure-by-design principles, embrace zero-trust architectures, and harden remote access pathways.
More broadly, Google says zero-day prevention isn’t just about patching quickly. It involves proactive mitigation strategies, tighter access controls, and architectural decisions that limit blast radius if a vulnerability is exploited.
Attackers are learning what defenders overlook, the report concludes. The industry needs to evolve to defend not just endpoints, but the systems that secure them.
For those keeping score, zero-days may have dropped in volume this year, but they got smarter, stealthier, and a whole lot more dangerous for the enterprise world.
