The world of cybersecurity in 2025 is facing one of its most challenging times: never before have so many Zero-Day vulnerabilities been exploited in such a short period.
In just the first half of the year, over 23,600 vulnerabilities have been reported—a 16% increase compared to 2024. And what's most concerning isn't just the sheer number, but the speed at which attackers are taking advantage of them.
Highly sophisticated groups—from ransomware operators to state-sponsored teams—are turning unknown flaws into digital weapons.
To give you an idea, nearly 30% of known exploited vulnerabilities (KEV) were attacked within 24 hours of being publicly disclosed. In some cases, certain critical devices didn’t even have a patch available before being compromised.
The way these attacks are evolving is increasingly alarming: they no longer just target the most commonly used browsers but are now also aiming at companies’ critical infrastructure.
At TecnetOne, we want to help you make sense of this landscape. That’s why we’ve prepared this analysis, where we review the most significant Zero-Day vulnerabilities of 2025, explaining how they were exploited, what real impact they had, and—most importantly—what steps you can take to protect your systems and reduce risk.
Zero-Day Vulnerabilities Exploited by Vendor/Platform in 2025
On September 16, 2025, vulnerability CVE-2025-10585 was discovered—a critical flaw in Chrome’s V8 JavaScript and WebAssembly engine. Although Google released a patch in less than 24 hours, this marked the sixth Zero-Day vulnerability in Chrome this year.
Google’s Threat Analysis Group (TAG) confirmed the flaw was being actively exploited, suggesting the involvement of high-level threat actors, possibly nation-state groups.
Vulnerability Type: Type confusion in the V8 engine
Attack Vector: Malicious web pages with crafted JavaScript
Impact: Arbitrary code execution and full browser compromise
Affected Versions: Chrome before 140.0.7339.185/.186
A few months earlier, in July, CVE-2025-6558 surfaced—another critical vulnerability targeting Chrome’s ANGLE GPU engine. It enabled attackers to escape Chrome’s sandbox and access out-of-bounds memory, paving the way for arbitrary code execution at the system level.
Exploitation Method: Malicious HTML pages with crafted graphic calls
Consequence: Sandbox escape, system-level access
Fixed Version: Chrome 138.0.7204.157/.158
In total, Chrome faced multiple Zero-Day attacks in 2025 (CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, CVE-2025-6554, and CVE-2025-6558). This pattern highlights how browsers have become one of cybercriminals’ preferred attack vectors.
On August 26, 2025, Citrix disclosed CVE-2025-7775, a memory overflow vulnerability in NetScaler ADC and NetScaler Gateway. This flaw was exploited as a Zero-Day and received a CVSS score of 9.2, making it one of the most dangerous vulnerabilities of the year.
Impact: Remote Code Execution (RCE) and Denial of Service
Authentication: Not required (unauthenticated exploitation)
Attack Complexity: High, requires advanced techniques
Affected Versions: 13.1, 14.1, 13.1-FIPS, and NDcPP
According to Shadowserver data, over 28,200 instances remained exposed even after the patch was released. In many cases, attackers deployed web shells to maintain persistent access.
Fixed Versions: 14.1-47.48+, 13.1-59.22+, 13.1-FIPS/NDcPP 13.1-37.241+, 12.1-FIPS/NDcPP 12.1-55.330+
This incident underscores that enterprise critical infrastructure continues to be a prime target for advanced threat actors.
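One way to turn the fixed-version list above into a fleet check, as an added example (not Citrix's or Shadowserver's tooling): it parses NetScaler version strings, compares each appliance against the minimum fixed build for its branch, and treats releases with no listed fix as exposed. The FIPS/NDcPP flag is assumed to come from your inventory, since mainline 13.1 and 13.1-FIPS use different build lines.

```python
import re

# Minimum fixed builds for CVE-2025-7775, from the fixed-version list above.
# Key: (release, fips_or_ndcpp) -> fixed build as a comparable tuple.
FIXED_BUILDS = {
    ("14.1", False): (14, 1, 47, 48),
    ("13.1", False): (13, 1, 59, 22),
    ("13.1", True): (13, 1, 37, 241),
    ("12.1", True): (12, 1, 55, 330),
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")

def parse_version(version):
    """Turn a NetScaler version such as '14.1-47.46' into (14, 1, 47, 46)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {version!r}")
    return tuple(int(x) for x in m.groups())

def assess(version, fips_or_ndcpp=False):
    """Classify one appliance as 'patched', 'vulnerable' or 'unsupported'.
    'unsupported' means no fixed build is listed for that release/branch
    (e.g. mainline 12.1), so treat it as exposed until it is upgraded."""
    parsed = parse_version(version)
    fixed = FIXED_BUILDS.get((f"{parsed[0]}.{parsed[1]}", fips_or_ndcpp))
    if fixed is None:
        return "unsupported"
    return "patched" if parsed >= fixed else "vulnerable"

def triage(inventory):
    """(host, version, fips) tuples in; (host, version, verdict) out for
    every host that still needs action, sorted by host name."""
    results = [(host, ver, assess(ver, fips)) for host, ver, fips in inventory]
    return sorted(r for r in results if r[2] != "patched")

if __name__ == "__main__":
    # Constructed sample inventory (not real hosts).
    SAMPLE = [
        ("gw-01", "14.1-47.48", False),
        ("gw-02", "14.1-46.90", False),
        ("adc-fips-01", "13.1-37.235", True),
        ("adc-fips-02", "13.1-37.241", True),
        ("adc-old", "12.1-55.330", False),
    ]
    for host, ver, verdict in triage(SAMPLE):
        print(f"{host:12} {ver:12} {verdict}")
```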
In July 2025, Microsoft issued emergency patches for two chained Zero-Day vulnerabilities affecting on-premises SharePoint servers. The campaign, dubbed ToolShell, highlighted how attackers are refining multi-stage exploit chains.
CVE-2025-53771
Vulnerability Type: Header spoofing
Impact: Enables authentication bypass
CVSS Score: 6.3
CVE-2025-53770
Vulnerability Type: Unsafe deserialization of untrusted data
Impact: Remote code execution
CVSS Score: 9.8
Attackers first exploited CVE-2025-53771 to bypass authentication, then used CVE-2025-53770 to execute malicious code. This combination even allowed them to extract cryptographic keys from the machine, ensuring long-term persistence.
Research by Unit 42 found links to the Storm-2603 group and observed activity starting July 17, 2025. The campaign evolved quickly, shifting from .NET modules to web shell–based payloads.
Not every vulnerability scores the maximum, but CVE-2025-31324 did—earning a perfect 10.0 CVSS rating, signaling critical risk across all metrics.
The flaw, found in SAP NetWeaver Visual Composer, allowed unauthenticated attackers to upload arbitrary files and immediately compromise the entire system.
CVSS Score: 10.0 (Critical)
Affected Component: SAP NetWeaver Visual Composer
Attack Vector: HTTP/HTTPS from the Internet
Authentication: Not required
Exploitation Endpoint: /developmentserver/metadatauploader
This Zero-Day vulnerability was exploited nearly three weeks before public disclosure. Later investigations linked the activity to both APT groups and the Qilin ransomware operation.
In fact, OP Innovate analysis found ties to Cobalt Strike infrastructure, confirming its use in large-scale ransomware campaigns.
Following disclosure, opportunistic attacks leveraged pre-deployed web shells, proving that even after patches are released, Zero-Days remain an ongoing threat.
On May 13, 2025, SAP released Security Note 3604119, which addressed CVE-2025-42999 (CVSS 9.1). This vulnerability was directly tied to the root cause of CVE-2025-31324.
The discovery came from forensic work by Onapsis Research Labs and underscores the complexity of vulnerabilities in enterprise software: often, an initial patch is not enough, and the root issue must be thoroughly resolved.
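Detection logic for the two behaviours described above (unauthenticated writes to /developmentserver/metadatauploader, then calls to a freshly dropped web shell), written as an added example rather than anything from SAP or Onapsis. It runs over constructed combined-format access log lines; the log format, the sample IPs and the .jsp path are assumptions, so adjust LOG_RE to what your proxy or NetWeaver actually emits.

```python
import re

# Combined-log-style access lines. The format is a constructed assumption for
# this example; adapt LOG_RE to whatever your reverse proxy or NetWeaver emits.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
UPLOADER = "/developmentserver/metadatauploader"  # endpoint abused by CVE-2025-31324

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_suspicious(lines):
    """Return (alert, ip, path, status) tuples for two patterns:
    - upload_attempt: a write method against the metadata uploader, which
      unauthenticated Internet clients should never reach;
    - possible_webshell: any later request from the same client for a .jsp,
      the most likely first call to a file it just dropped."""
    alerts, uploaders = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip anything that is not a well-formed access line
        path = rec["path"].split("?", 1)[0].lower()
        if path == UPLOADER and rec["method"] in ("POST", "PUT"):
            uploaders.add(rec["ip"])
            alerts.append(("upload_attempt", rec["ip"], rec["path"], rec["status"]))
        elif rec["ip"] in uploaders and path.endswith(".jsp"):
            alerts.append(("possible_webshell", rec["ip"], rec["path"], rec["status"]))
    return alerts

# Constructed sample log (documentation IPs, invented paths), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Apr/2025:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [24/Apr/2025:10:01:40 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312
203.0.113.7 - - [24/Apr/2025:10:02:05 +0000] "GET /cache/helper.jsp HTTP/1.1" 200 88
198.51.100.4 - - [24/Apr/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 5120
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(*alert)
```

A single alert on the uploader is worth investigating on its own; the second pattern only adds confidence that a file was actually dropped and called.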
In September 2025, Google addressed two actively exploited Zero-Day vulnerabilities in its Android Security Bulletin. Evidence points to spyware campaigns targeting high-value users.
Component: Linux kernel POSIX timers
Vulnerability Type: Race condition
CVSS Score: 7.4
Impact: Local privilege escalation
Affected Versions: Android 10 and above
Component: Android Runtime (ART)
Vulnerability Type: Use-after-free (UAF)
Impact: Chrome sandbox escape and privilege escalation
Final Target: Compromise of the system_server process
Google’s Threat Analysis Group (TAG) confirmed both vulnerabilities were exploited in a limited but highly targeted manner—likely as part of mercenary spyware operations.
In addition to Android-wide flaws, Samsung was affected by CVE-2025-21043—a critical vulnerability in the libimagecodec.quram.so library, developed by Quramsoft.
CVSS Score: 8.8
Type: Out-of-bounds write
Impact: Remote code execution via malicious images
Affected Versions: Android 13, 14, 15, and 16
Reported By: Meta and WhatsApp security teams
This discovery reinforces the idea that the biggest brands in the Android ecosystem are prime targets for attackers looking to develop scalable, reusable exploits.
The Zero-Day vulnerability landscape in 2025 marks a turning point in cybersecurity. Never before have we seen such high-speed exploitation, sophisticated chained attacks, and such a broad range of targets.
From Chrome to SAP enterprise systems, it’s clear that no technology is off-limits when determined attackers are looking for an opening.
Top vendors—Apple, Google, Microsoft, Citrix, and many others—have all suffered Zero-Day attacks this year, confirming that we’re facing systematic, well-coordinated campaigns, not isolated incidents.
This year’s attacks have made several things abundantly clear:
Attackers are moving faster.
Targets are increasingly diverse.
Techniques are more advanced and harder to detect.
To keep up, organizations need:
More sophisticated defense capabilities
Industry collaboration through threat intelligence sharing
A shift toward proactive security architectures designed to withstand even unknown threats
The reality is that no system is 100% impenetrable. This is where incident response comes into play: the ability to react quickly, contain the threat, and minimize the impact can be the difference between a controlled scare and a full-blown business crisis.
At TecnetOne, we help organizations prepare for this scenario with incident response plans, advanced monitoring, and expert cybersecurity support. Our goal is to ensure that—even in the face of a Zero-Day—your organization can recover swiftly and continue operating with confidence.
As we enter the second half of 2025, the message is clear: Zero-Day attacks are no longer a distant possibility—they are a constantly evolving certainty. This demands continuous vigilance, regular updates, and the ongoing strengthening of defenses across all platforms and organizations.