Zero-Day Exploitation Acceleration

The year 2025 set a fifteen-year record for confirmed zero-day exploits: 90 vulnerabilities were actively weaponized before patches were available, a 15% increase over the prior year. CrowdStrike researchers documented a 42% increase in exploits deployed before public disclosure compared to the previous reporting period—meaning attackers are finding and weaponizing vulnerabilities through their own research at an accelerating rate, independent of public CVE announcements. The most alarming operational finding: 29% of exploited vulnerabilities were weaponized on or before the day the CVE was publicly published, collapsing the patch window from weeks to effectively zero. The target profile has shifted significantly toward enterprise technology. Forty-eight percent of all zero-day exploits in 2025 targeted enterprise products rather than consumer software—a deliberate strategic choice by adversaries seeking maximum organizational impact. Microsoft led vendor exposure with 25 zero-day vulnerabilities, followed by Google with 11 and Apple with 8. This concentration in platform-dominant vendors means that a single unpatched system in an otherwise hardened environment represents a potential full-organization compromise. Attribution data reveals a structural shift in who is producing zero-days. Commercial surveillance vendors—companies that develop exploitation capabilities for sale to government customers—now account for more zero-day production than nation-state groups acting independently. China-linked threat groups were attributed to 10 of 16 confirmed state-sponsored zero-days in 2025, demonstrating the strategic importance Beijing places on pre-positioning access in critical systems. AI is accelerating exploit development timelines on both sides: defenders are using large language models to find vulnerabilities proactively, while attackers are using the same tools to generate proof-of-concept exploit code hours after CVE publication.