Zero-Day Gold Rush: Commercial Spyware Vendors Overtake Nation-States in 2025 Cyber Arms Race
A record surge in zero-day exploits reveals a shifting threat landscape, as private surveillance firms outpace state-backed hackers and enterprises bear the brunt.
In a development that’s rattling the cybersecurity world, Google’s Threat Intelligence Group has sounded the alarm: 2025 witnessed a record-breaking 90 zero-day vulnerabilities exploited in the wild, marking a pivotal shift in who’s wielding these digital weapons. For the first time, commercial surveillance vendors - not shadowy state-backed hackers - emerged as the top exploiters, turning the zero-day game into a high-stakes marketplace where any well-funded buyer can play.
Fast Facts
- 90 zero-days exploited in 2025 - a 15% jump from 2024.
- Commercial surveillance vendors now lead in zero-day exploitation, surpassing state actors.
- Almost half of exploited zero-days targeted enterprise software and network appliances.
- Microsoft topped the list of targeted vendors, followed by Google, Apple, and Cisco.
- Mobile device zero-days rebounded, with 15 exploited in 2025.
The New Merchants of Mayhem
For years, state-sponsored groups - especially those linked to China, Russia, and the UAE - dominated the zero-day scene, using these rare and powerful exploits to infiltrate government and corporate networks. But 2025 marked a sea change: private commercial surveillance vendors (CSVs), offering bespoke hacking tools to the highest bidder, now outpace state-backed actors in the zero-day arms race. Google’s investigators attributed at least 18 of last year’s zero-days to these vendors, whose clients are often governments seeking to monitor dissidents, journalists, or rivals.
This commercialization has flooded the threat landscape with sophisticated exploits, some chaining together three or more vulnerabilities to break into mobile devices and browsers. Tools once reserved for elite intelligence services are increasingly available on the open market, eroding the boundaries between espionage, law enforcement, and outright criminality.
Enterprises in the Crosshairs
Nearly half of all exploited zero-days in 2025 targeted enterprise infrastructure - security appliances, edge devices, VPNs, and virtualization platforms. These appliances sit at the network boundary, typically cannot run endpoint detection agents, and log far less than the hosts behind them, so a compromise hands attackers privileged access and a persistent foothold that can go unnoticed for months. The surge in attacks on these "blind spots" prompted urgent directives from U.S. officials, including orders to remove unpatched edge devices from federal networks.
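The directive to pull unpatched edge devices is only actionable if a team can tell which appliances are running known-exploited, unfixed code. The Python script below is an added example, not code from Google's report or from this article: it joins a constructed asset inventory to a constructed catalog of known-exploited bugs and ranks what to touch first. The catalog entries borrow the field names of the CISA KEV JSON feed (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse), but the `fixedVersion` field is an assumption added for the example, since the real feed carries no version data. Every CVE identifier, vendor, product and host name is fictional.

```python
"""Flag edge appliances that are running known-exploited, unpatched code.

Added example, not from the report or the article. Every CVE ID, vendor,
product and host below is constructed for illustration; none describes a
real vulnerability or device.
"""
from dataclasses import dataclass
from datetime import date

# Catalog entries shaped like the CISA KEV JSON feed (cveID, vendorProject,
# product, dueDate, knownRansomwareCampaignUse are real KEV field names).
# "fixedVersion" is an ASSUMPTION added for this example: the real feed does
# not carry version data, so a team would join it in from vendor advisories.
KEV_CATALOG = [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleNet", "product": "EdgeGate VPN",
     "fixedVersion": "9.1.4", "dueDate": "2025-03-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleNet", "product": "EdgeGate VPN",
     "fixedVersion": "9.2.0", "dueDate": "2025-11-15", "knownRansomwareCampaignUse": "Unknown"},
    # No fixed version at all: the product line is end-of-life (constructed).
    {"cveID": "CVE-0000-0003", "vendorProject": "HyperCorp", "product": "VHost Manager",
     "fixedVersion": None, "dueDate": "2025-10-01", "knownRansomwareCampaignUse": "Unknown"},
]

# Constructed asset-inventory export. A None version is the realistic case of
# an appliance nobody has logged into for months: the "blind spot".
INVENTORY = [
    {"host": "vpn-dc1", "vendor": "ExampleNet", "product": "EdgeGate VPN", "version": "9.1.2", "internet_facing": True},
    {"host": "vpn-lab", "vendor": "ExampleNet", "product": "EdgeGate VPN", "version": "9.2.1", "internet_facing": False},
    {"host": "vcenter-1", "vendor": "HyperCorp", "product": "VHost Manager", "version": "7.0.3", "internet_facing": False},
    {"host": "fw-branch7", "vendor": "ExampleNet", "product": "EdgeGate VPN", "version": None, "internet_facing": True},
]

AS_OF = date(2025, 12, 1)  # assessment date used for the overdue check


def parse_version(text: str) -> tuple[int, ...]:
    """'9.1.4' -> (9, 1, 4). Digits are kept from each dotted component and a
    component with no digits counts as 0, so vendor-specific suffixes such as
    '9.1.4-hotfix' never make the comparison raise."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass
class Finding:
    host: str
    cve: str
    action: str          # "patch", "isolate" (no fix exists) or "verify" (version unknown)
    internet_facing: bool
    overdue: bool        # past the catalog's remediation due date
    ransomware: bool     # catalog says the bug is used in ransomware campaigns


def triage(inventory, catalog, today: date = AS_OF) -> list[Finding]:
    """Join inventory to catalog and rank what to touch first.

    Order: internet-facing before internal, overdue before not, ransomware
    use before not. A device already at or above the fixed version produces
    no finding. An unknown version is never assumed safe."""
    findings = []
    for dev in inventory:
        for entry in catalog:
            if (dev["vendor"], dev["product"]) != (entry["vendorProject"], entry["product"]):
                continue
            if dev["version"] is None:
                action = "verify"
            elif entry["fixedVersion"] is None:
                action = "isolate"
            elif parse_version(dev["version"]) < parse_version(entry["fixedVersion"]):
                action = "patch"
            else:
                continue  # patched: nothing to do for this CVE
            findings.append(Finding(
                host=dev["host"], cve=entry["cveID"], action=action,
                internet_facing=dev["internet_facing"],
                overdue=today > date.fromisoformat(entry["dueDate"]),
                ransomware=entry["knownRansomwareCampaignUse"] == "Known",
            ))
    findings.sort(key=lambda f: (not f.internet_facing, not f.overdue, not f.ransomware, f.host, f.cve))
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY, KEV_CATALOG):
        flags = " ".join(n for n, on in (("exposed", f.internet_facing), ("overdue", f.overdue), ("ransomware", f.ransomware)) if on)
        print(f"{f.action:8} {f.host:12} {f.cve}  {flags}")
```

Two design points matter here. First, the script refuses to treat an unknown firmware version as compliant; it emits a "verify" finding instead, because the appliance nobody can account for is exactly the device the report is describing. Second, a catalog entry with no fixed version produces an "isolate" action rather than a "patch" action, which is the case the federal directives address: the only remediation for an end-of-life edge device is to take it off the network.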
China-linked groups remain the most prolific state actors, focusing on edge devices not only to steal operational data but to exfiltrate source code and other intellectual property that can seed future zero-day research. The Brickstorm campaign highlighted this trend: attackers pulled source code and proprietary documents from victims, material that can be mined for new vulnerabilities downstream.
Criminals and the Future of Zero-Days
Financially motivated hackers aren’t sitting out this gold rush: nine zero-days were exploited by ransomware and extortion gangs, some of whom overlap with state-backed operations. The line between espionage and profit-driven cybercrime is blurring, as groups like Evil Corp and RomCom leverage the same vulnerabilities for both malware distribution and intelligence gathering.
With artificial intelligence poised to accelerate vulnerability discovery in 2026, the arms race shows no sign of slowing. Google’s analysts warn that expanded access to zero-day capabilities - and the diversification of both attackers and targets - means defenders must adapt quickly, prioritizing rapid patching and comprehensive monitoring to stay ahead.
Conclusion
The zero-day market is no longer the exclusive domain of superpowers. As the tools of digital espionage go commercial, every enterprise - and every individual - sits closer to the blast radius. In 2025, the cyber arms race became a marketplace, and the cost of entry is dropping. The question for 2026: can defenders keep pace as the gold rush continues?
WIKICROOK
- Zero-Day: A zero-day vulnerability is a security flaw unknown to the software maker, with no fix available, which makes it highly valuable to attackers and dangerous to everyone running the affected software.
- Commercial Surveillance Vendor (CSV): A commercial surveillance vendor (CSV) develops and sells spyware and hacking tools, mainly to governments, enabling covert digital surveillance and device access.
- Edge Device: An edge device is hardware such as a router, firewall, or VPN gateway that sits at the boundary between a private network and the internet; it is both a key security barrier and, because it is reachable from outside, a high-value target.
- Exploit Chain: An exploit chain is a series of linked vulnerabilities that attackers use together to breach a system, bypassing security through multiple steps.
- Privilege Escalation: Privilege escalation occurs when an attacker gains higher-level access, moving from a regular user account to administrator privileges on a system or network.