When a security flaw goes unnoticed even by software developers, the risk is no longer a possibility but a real and silent threat. This is how zero-day vulnerabilities work: hidden gaps that attackers can exploit before a patch is available.
According to the Google Threat Intelligence Group (GTIG), 75 such cases were identified in 2024, and more than 50% were related to spyware attacks. Although this figure is lower than the 97 exploits detected in 2023, it still exceeds the 63 recorded in 2022, confirming a worrying upward trend. GTIG analysts explain that these year-on-year fluctuations are normal but reflect steady growth in the use of zero-day exploits by increasingly sophisticated actors.
Among those responsible are groups linked to cyberespionage, including state-backed actors and customers of commercial surveillance companies. In particular, five attacks are attributed to groups associated with China, eight to spyware buyers, and for the first time North Korean operators have been identified using five zero-day vulnerabilities in operations combining espionage with financial motivations.
The rise of zero-day attacks on everyday platforms
Last year, Google's Threat Analysis Group (TAG), together with Mandiant (one of its subsidiaries specializing in cybersecurity), detected 97 zero-day vulnerabilities that were exploited in real-world attacks. That represents more than a 50% increase compared to the 62 reported the previous year. Most worryingly, many of these were related to spyware vendors and their customers.
Although the total number of vulnerabilities varies from year to year, what is clear is that the overall trend is increasing. In 2024, the main targets were the products and platforms we use every day, such as browsers, cell phones and desktop operating systems.
In fact, more than half (56%) of detected zero-day attacks targeted these everyday systems. There was a bit of good news: attacks on browsers dropped from 17 in 2023 to 11 in 2024. Mobile exploits also fell, from 17 to just 9. But it wasn't all improvement.
Google Chrome continued to be the favorite target among browsers, and in the case of desktop operating systems, the situation worsened. Vulnerabilities in Windows rose from 16 to 22 in just one year, and if we look further back, we see a steady growth from the 13 cases recorded in 2022.
As the Google TAG team explained, as long as Windows remains one of the most widely used systems both at home and at work, it will continue to be a tempting target for attackers. That applies not only to flaws that are not yet known (zero-day), but also to those that already have a patch available (n-day) that many users have not yet installed.
Figure: Zero-days exploited in the wild per year (Source: Google)
In 2024, attackers exploited 33 of the 75 zero-day vulnerabilities (about 44%) to attack products that are primarily used in enterprise environments. That's up from the 37% we saw in 2023. Of those 33 attacks, more than 60% focused on security and networking software and devices. Why are they so attractive to attackers? Because if they manage to breach just one of these systems, they can gain access to an entire network without needing to put together complicated and difficult-to-execute exploit chains.
Among the most prominent cases this year, Google TAG analysts found attacks targeting fairly well-known products in the corporate world, such as Ivanti Cloud Services Appliance, Cisco ASA, Palo Alto PAN-OS and Ivanti Connect Secure VPN.
According to Casey Charrier, an analyst with Google's threat intelligence team, zero-day attacks continue to grow slowly, but it's not all bad news. There are also signs that many vendors' efforts to strengthen security are paying off.
For example, fewer attacks were detected in 2024 against products that used to be the usual target in previous years, probably because the companies behind them have invested in strengthening their defenses. However, this has caused attackers to divert their attention to other enterprise products that do not always have the same level of protection.
In short, where zero-day exploits go in the future will depend largely on how technology vendors respond: how much they invest in security, how fast they act, and how well they can anticipate attackers' moves.