Mar 5

Commercial Spyware Vendors Overpower Nation-States in Global Zero-Day Arms Race

A new report from the Google Threat Intelligence Group (GTIG) reveals a significant shift in the global cyber threat landscape, as commercial surveillance vendors (CSVs) have officially surpassed state-sponsored espionage groups in the exploitation of zero-day vulnerabilities.

In its 2025 annual review, Google tracked 90 zero-day vulnerabilities exploited in the wild—defined as flaws used by attackers before a public patch is available. This figure represents a sharp increase from the 78 recorded in 2024, signaling a persistent upward trend in the complexity and volume of high-stakes digital attacks. Of the 90 vulnerabilities identified last year, GTIG successfully attributed 42 to specific threat actors. The findings underscore a professionalization of the exploit market: 18 zero-days were definitively or likely linked to commercial surveillance firms, while 15 were attributed to state-sponsored groups operating out of China, Russia, and the UAE.

These two categories of attackers are increasingly specializing in their targets. While government-backed hackers focused heavily on "edge" infrastructure—such as routers and firewalls—to gain persistent access to entire organizational networks, commercial vendors shifted their focus toward personal technology. These firms are increasingly engineering tools that bypass the security of mobile devices and browsers, which they then sell to clients globally.

The report also highlights the volatility of mobile security, noting that zero-day exploits targeting mobile platforms have fluctuated significantly, dropping to just nine in 2024 before rebounding to 15 in 2025. Despite rigorous security investments by major tech firms, Microsoft remained the most targeted vendor for zero-day exploits, followed closely by Google and Apple. GTIG warns that as commercial vendors continue to refine their operational security and develop sophisticated exploit chains, the line between private-sector tools and state-level cyber warfare continues to blur, placing a greater burden on software developers to patch flaws faster than they can be sold on the open market.