Look What You Made Us Patch: 2025 Zero-Days in Review

GTIG tracked 90 zero-days exploited in the wild in 2025, with a record 48% targeting enterprise technologies and notable increases in OS and mobile exploitation while browser exploitation declined. The report highlights rising commercial surveillance vendor activity, sustained PRC‑nexus focus on edge/security appliances, high-profile chains such as the SonicWall full-chain and DNG-based Samsung exploits, and warns that AI will accelerate both exploit discovery and exploit development. #BRICKSTORM #SonicWall

Key points

  • GTIG tracked 90 zero-days in 2025, a count within the 60–100 range observed over recent years, indicating stabilization at elevated levels.
  • Enterprise-focused exploitation reached an all-time high: 43 zero-days (48%) targeted enterprise software and edge/security appliances.
  • Operating systems were the most exploited product category (39 zero-days, 44%), and mobile zero-days rebounded to 15 after a dip in 2024.
  • Commercial surveillance vendors (CSVs) were attributed more zero-days than traditional state-sponsored groups for the first time, expanding access to zero-day capabilities.
  • PRC-nexus espionage groups remained prolific users of zero-days, focusing on edge and networking devices to maintain persistent access (e.g., UNC5221, UNC3886).
  • Notable exploit chains included browser sandbox escapes via OS/hardware components, SonicWall SMA full-chain (including an authenticated/unauthenticated RCE and a ctrl-service LPE), and DNG-based Samsung MediaStore exploits enabling broad media access.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Web-facing enterprise appliances were exploited via injection (SQL/command) to achieve initial access (‘SQL and command injection vulnerabilities were common in web-facing enterprise appliances, providing rudimentary avenues for initial access.’)
  • [T1059] Command and Scripting Interpreter – Exploits executed arbitrary shell commands on compromised appliances using tooling like ysoserial (‘run arbitrary shell commands using a payload generated by ysoserial’)
  • [T1203] Exploitation for Client Execution – Browser, mobile, and driver vulnerabilities (UAF, OOB writes) were exploited to achieve code execution and sandbox escapes (‘an attacker could relay these special handles back to a renderer process… leading to code injection within more privileged processes and ultimately to a sandbox escape.’)
  • [T1068] Exploitation for Privilege Escalation – Local privilege escalation was used to escalate from mgmt-server (Java) to root on SonicWall appliances via a zero-day in ctrl-service (‘the exploit used a zero-day in ctrl-service… to escalate to root privileges.’)
  • [T1204] User Execution – DNG image exploitation required user interaction in many cases and was characterized as a ‘1-click’ vector (‘This classifies as a “1-click” exploit.’)
  • [T1574] Hijack Execution Flow – Memory corruption primitives (use-after-free, out-of-bounds write) were leveraged to hijack control flow and achieve code execution (‘memory safety issues (particularly use-after-free [UAF] and out-of-bounds write) accounting for roughly 35% of the vulnerabilities.’)
  • [T1486] Data Encrypted for Impact (Ransomware) – Zero-days were used in operations that led to ransomware deployment by financially motivated actors (‘including the reported exploitation of two zero-days in operations that led to ransomware deployment.’)
  • [T1105] Ingress Tool Transfer – Exploit artifacts and samples were observed being uploaded/shared (e.g., VirusTotal uploads of suspicious DNG images and RARs), enabling analysis and distribution (‘several suspicious image files were uploaded to VirusTotal.’)

Indicators of Compromise

  • [CVE Identifiers] Vulnerability identifiers referenced in tracked zero-days – CVE-2025-61882, CVE-2025-8088, and 17 more CVEs (e.g., CVE-2025-21590, CVE-2025-21042, CVE-2025-23006).
  • [Threat Actors / Malware] Named actors and tooling observed or attributed in exploits – BRICKSTORM, UNC5221, and 8 more (e.g., UNC3886, FIN11, UNC2165, CL0P, Intellexa, UNC4895).
  • [Affected Vendors / Products] Targeted vendors and products used as exploitation surfaces – SonicWall SMA 1000 series, Oracle E-Business Suite (EBS), and other vendors such as Cisco, Fortinet, Samsung, and Google Chrome.
  • [File Samples / Artifacts] Malware and exploit sample types uploaded or observed – DNG image exploit samples (uploaded to VirusTotal), RAR archive submissions containing payloads, and other sample artifacts.
  • [Processes / Libraries] Targeted process/library names and components exploited – the com.samsung.ipservice process and the Quram image-parsing library, and other components such as Android ART and the Qualcomm Adreno and Mali GPU user-land libraries.

Read more: https://cloud.google.com/blog/topics/threat-intelligence/2025-zero-day-review/