Seventy-five zero-day vulnerabilities were actively exploited in 2024 — down from 98 in 2023, but still higher than the 63 reported in 2022. These vulnerabilities were split between consumer-facing platforms like browsers and mobile devices, and enterprise-level technologies such as security software and networking appliances.
This was one of the findings of Google Threat Intelligence Group’s (GTIG’s) annual report on zero-day vulnerabilities exploited in the wild. It revealed an interesting shift in attacker priorities despite a drop in total cases.
“While individual year counts have fluctuated, the average trendline indicates that the rate of zero-day exploitation continues to grow at a slow but steady pace,” the report said.
More Focus on Enterprise Tech
One of the most marked shifts was the increased targeting of enterprise technologies. In 2024, 44% of all zero-days exploited (33 out of 75) were aimed at enterprise products — up from 37% the previous year. More than 60% of these were vulnerabilities in security and networking software and applications from leading vendors.
The report explained that these types of products are valuable to malicious actors because gaining control over them can offer wide-reaching access across an organization’s network.
Drop in Browser and Mobile Attacks
Attacks targeting browsers fell by roughly a third, while mobile zero-days were cut in half compared to 2023. Despite the decline, Google Chrome remained the most commonly targeted browser.
Most complex exploit chains, which string together multiple zero-days, were used against mobile devices. When it came to Android, attacks often relied on vulnerabilities in third-party software components.
“Vendor investments in exploit mitigations are having a clear impact on where threat actors are able to find success. We are seeing notable decreases in zero-day exploitation of some historically popular targets such as browsers and mobile operating systems,” the report said.
Meanwhile, desktop operating systems saw an uptick in exploitation. GTIG recorded 22 zero-days targeting these systems in 2024, with Microsoft Windows making up the lion’s share.
A Focus on Security and Networking Products
The report also noted that zero-day vulnerabilities in security software and appliances were a high-value target in 2024. GTIG identified 20 security and networking vulnerabilities, which made up more than 60% of all zero-day exploitation of enterprise technologies.
Exploitation of these products, compared to end-user technologies, can more effectively and efficiently lead to extensive system and network compromises, and we anticipate adversaries will continue to increase their focus on these technologies.
Who’s Behind the Attacks?
Actors conducting cyber espionage are still the main culprits behind attributed zero-day exploitation. “Between government-backed groups and customers of commercial surveillance vendors (CSVs), actors conducting cyber espionage operations accounted for over 50% of the vulnerabilities we could attribute in 2024,” the researchers said.
“People’s Republic of China (PRC)-backed groups exploited five zero-days, and customers of CSVs exploited eight, continuing their collective leading role in zero-day exploitation. For the first year ever, we also attributed the exploitation of the same volume of 2024 zero-days (five) to North Korean actors mixing espionage and financially motivated operations as we did to PRC-backed groups.”
When it came to the types of flaws that were exploited, the three most common were use-after-free errors, command injection, and cross-site scripting (XSS). Command and code injection bugs were especially prevalent in attacks on enterprise networking and security tools.
Designed for a Reactive Approach
Evan Dornbush, CEO of Desired Effect and a former NSA cybersecurity expert, says that, to some degree, we have to assume that these numbers are conservative, given how many successful attacks go unreported.
“That said, zero-day attacks are indicative of how the cyber tools and practices available to defenders are inherently designed for a reactive approach to executing a security strategy. The lack of interoperability or a single pane of glass, the need to process massive amounts of data,
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


