2025 was a breakout year for zero-day exploits


Zero-day exploits were once niche threats reserved for high-stakes espionage. However, that idea no longer holds true, and attackers are now increasingly able to weaponize them with relative ease to break into corporate networks.

While the total volume of attacks has seen an unprecedented increase, the speed of these attacks is the defining metric. The 2025 H1 Threat Review report from ForeScout Vedere Labs states that zero-day exploits increased 46% in the first half of 2025 alone.

Security teams once measured the gap between a vulnerability’s disclosure and its weaponization in days. Today, that window has collapsed to mere hours.


But the numbers tell only part of the story. Experts we spoke to argue that this spike is not a temporary anomaly, but the predictable result of a fundamental shift in the economics, technology, and execution of modern cyberattacks.

A perfect storm

Morey Haber, Chief Security Advisor at BeyondTrust, explains that "the surge in zero-day exploits in 2025 reflects a perfect storm of an evolving threat landscape, hostile opportunities, and the technological shift to AI and dependencies on the supply chain."


According to Haber, software complexity continues to grow faster than secure-by-design engineering practices, creating flaws that are difficult to detect during development and nearly impossible to validate through traditional testing.

At the same time, the commercial market for zero-days has exploded. Vulnerabilities that enable privilege escalation, identity compromise, or authentication bypass are now in high demand from both criminal syndicates and nation-state buyers, who seek to gain leverage across cloud services and operational technology.

“Nation-state buyers now compete directly with criminal syndicates for vulnerabilities that offer leverage across cloud services, identity platforms, and operational technology,” Haber explains.


AI has accelerated every aspect of this trend. Haber notes that automated fuzzing, exploit identification, and proof-of-concept exploit generation have shortened the discovery window and made high-value flaws easier to weaponize. He adds that vulnerabilities that once required expertise can now be discovered and refined by non-experts.

“The overall outcome is the measurable increase in zero-day frequency and the way they are identified and implemented. Typically, maliciously,” he said.

Meanwhile, the attack surface is also expanding relentlessly. Ilia Dafchev, Senior Security Researcher at Acronis TRU, identifies "the growing software footprint [with] more devices, more edge/IoT gear, more legacy systems, which expands the attack surface correspondingly" as a key factor responsible for the surge in zero-day exploits.

According to Dafchev, attackers have expanded their scope beyond browsers and desktops to non-traditional devices, such as IP cameras and OT equipment.

“These devices are especially attractive because they can function as stealthy footholds enabling lateral movement across networks; a pattern increasingly observed in ransomware and targeted attacks,” he said.

Dafchev also points out that “long-standing flaws in widely used components (file-systems, drivers, network stacks) continue to be discovered, meaning legacy code remains a rich hunting ground for zero-day finders.”

He also notes that “geopolitical tensions likely amplify demand for zero-days, since state-sponsored actors and espionage-motivated groups have strong incentives to find and stockpile novel vulnerabilities.”

Industrialized exploitation

Zero-days have not only become more common, but they’re being used differently as well.


According to Haber, attackers have shifted away from targeted attacks toward what he describes as industrialized exploitation.

“In 2025, adversaries increasingly chain zero days with supply chain attacks, identity compromise, lateral movement, and privilege escalation,” he explained.

The zero-day itself often serves just as the initial key.

“Instead of relying on a single flaw, they daisy chain attack vectors where the zero day or identity compromise acts as the initial key that unlocks a larger path to privileged access,” Haber continued.

Combined with rapid automation, breach timelines have reduced dramatically. Dafchev notes that “some vulnerabilities are weaponized and exploited within hours of public disclosure, especially for high-value systems or edge devices.”

Unfortunately, defenders haven’t kept pace: while initial breach times have shrunk to minutes, Haber says, overall dwell times have stretched to months.


This changes the game for defenders, who Haber suggests must focus on containing breaches before they cascade, using models like zero trust.

He argues that "defenders must assume exploitation can occur nearly instantaneously and only compensating controls at the identity, endpoint, application, and network layers can slow the threat actor down."

He adds that "least privilege, robust segmentation, and continuous identity verification become essential to prevent lateral movement and the spread of the breach."


Dafchev also warns that the speed of weaponizing a zero-day vulnerability “compresses the window for patching or mitigation to almost zero, demanding more proactive, continuous security practices instead of periodic patch-driven cycles."

Like Haber, he agrees that "defenders must broaden their focus beyond just patching, [which means] containment, network segmentation and behavioral detection become much more critical."

Visibility paradox

There is some good news, though. Visibility into zero-day exploitation has improved compared to the last few years. Telemetry sharing, coordinated disclosure, and vendor reporting have all matured, but both experts warn that these gains lag far behind attacker adaptation.


“Visibility has improved, but not enough to offset the rising sophistication of modern zero-day attack vectors,” says Haber.

The most dangerous blind spot, he argues, is identity.

“Zero-day exploitation often presents as legitimate credentials accessing sensitive resources,” he explains, arguing that without improvements in logging, behavioral baselines, and privilege controls, threat actors will continue to operate invisibly.
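The logging and behavioral-baseline point above is easier to see with a concrete check. The following is an added example (not code from the article or from either expert's organization): it learns, per account, the usual source hosts, resources and hours from a known-good window of access records, then flags later events in which a valid account behaves outside that baseline. Any deviation is flagged when the resource is marked sensitive; otherwise two deviations are required so that routine one-off changes do not drown the alert queue. The log records, account names, hosts and resources are all constructed for the example.

```python
"""Behavioral-baseline check for credential use (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    account: str      # the (valid) credential used
    src_host: str     # where the access came from
    resource: str     # what was accessed
    hour: int         # local hour of day, 0-23
    sensitive: bool   # is the resource considered sensitive?


# Constructed "known-good" window: a user working office hours from one workstation,
# and a backup service account that only ever runs from backup01 at night.
BASELINE_EVENTS = (
    [AccessEvent("alice", "ws-alice", "wiki", h, False) for h in range(9, 18)]
    + [AccessEvent("alice", "ws-alice", "mail", h, False) for h in range(9, 18)]
    + [AccessEvent("svc-backup", "backup01", "fileshare", h, False) for h in (1, 2, 3)]
)

# Constructed later events to evaluate against the baseline.
NEW_EVENTS = [
    AccessEvent("alice", "ws-alice", "wiki", 10, False),          # normal
    AccessEvent("alice", "ws-alice", "hr-db", 11, True),          # valid creds, new sensitive resource
    AccessEvent("alice", "ws-temp", "mail", 12, False),           # one benign-looking deviation
    AccessEvent("svc-backup", "cam-lobby-07", "fileshare", 14, False),  # service account from a camera, daytime
]


def build_baseline(events):
    """Per account: the set of hosts, resources and hours seen in the good window."""
    baseline = defaultdict(lambda: {"hosts": set(), "resources": set(), "hours": set()})
    for e in events:
        b = baseline[e.account]
        b["hosts"].add(e.src_host)
        b["resources"].add(e.resource)
        b["hours"].add(e.hour)
    return baseline


def score_event(e, baseline):
    """Return the list of ways an event deviates from its account's baseline (empty = normal)."""
    b = baseline.get(e.account)
    if b is None:
        return ["account has no baseline"]
    reasons = []
    if e.src_host not in b["hosts"]:
        reasons.append(f"new source host {e.src_host}")
    if e.resource not in b["resources"]:
        reasons.append(f"new resource {e.resource}")
    if e.hour not in b["hours"]:
        reasons.append(f"unusual hour {e.hour:02d}:00")
    return reasons


def find_anomalies(new_events, baseline):
    """Flag events where a valid credential is used outside its learned pattern.

    Sensitive resources and accounts with no baseline are flagged on a single
    deviation; everything else needs at least two to reduce noise.
    """
    flagged = []
    for e in new_events:
        reasons = score_event(e, baseline)
        threshold = 1 if (e.sensitive or e.account not in baseline) else 2
        if len(reasons) >= threshold:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    bl = build_baseline(BASELINE_EVENTS)
    for event, reasons in find_anomalies(NEW_EVENTS, bl):
        print(f"REVIEW {event.account} -> {event.resource} from {event.src_host}: {'; '.join(reasons)}")
```

In a real deployment the baseline would be learned from an identity provider's or endpoint agent's logs rather than a hard-coded list, and the hour check would usually be a tolerance window rather than an exact set; the structure of the check stays the same. Note that both flagged events use credentials that are entirely valid, which is exactly why signature-based controls miss them and why the baseline must cover host, resource and time together.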

He also points out that blind spots persist across supply-chain components, embedded firmware, unmanaged devices, and shadow SaaS, all areas that routinely fall outside traditional monitoring programs.

Dafchev agrees, particularly when it comes to non-traditional systems. He says IoT, edge, OT, legacy, and embedded devices often lack standard monitoring, and their patching may be slow or nonexistent.


“As a result, many attacks involving zero-days may go undetected for long periods.”

Speed again plays a role. When exploitation begins within hours, defenders often only learn about a zero-day after attackers have already established persistence. Dafchev concludes that "until proactive or behavior-based detection spreads further, especially in IoT/OT, many zero-day campaigns will remain under the radar."

Taken together, both experts point to the same conclusion: the spike in zero-day exploitation in 2025 is not a temporary surge. It’s a signal that long-standing assumptions about vulnerability management no longer hold.

As exploitation accelerates and blind spots widen, organizations must assume unknown vulnerabilities will be abused and design defenses accordingly.
