
Google has revealed that 75 zero-day vulnerabilities were actively exploited by cyber attackers in 2024. This marks a decrease from 98 zero-days seen in 2023. However, the report also highlights a worrying trend: nearly half of these flaws (44%) targeted enterprise-level security products and tools.
The findings come from Google’s Threat Intelligence Group (GTIG), which shared the full analysis with The Hacker News. While the overall number of exploited zero-days dropped, the focus of attackers has shifted toward enterprise systems, especially those responsible for managing cybersecurity infrastructure.
Enterprise Security Tools Under Heavy Fire
Out of the 75 exploited zero-days, 33 were found in enterprise software and security appliances. Alarmingly, 20 of those specifically affected security and networking tools made by major vendors such as Ivanti, Palo Alto Networks, and Cisco.
“Security and network tools often operate with high privileges and broad access across organizations,” GTIG researchers explained. “This makes them attractive targets for attackers who want to gain fast and efficient access into enterprise networks.”
In total, 18 different enterprise vendors were impacted in 2024. That’s slightly fewer than the 22 affected in 2023 but more than in previous years (17 in 2022 and 12 in 2021). Microsoft was the most heavily targeted vendor, with 26 zero-days exploited in its products. Google followed with 11, Ivanti had 7, and Apple recorded 5 exploited flaws.
Zero-Day Exploits Drop for Browsers and Mobile Devices
One positive trend in 2024 was a significant decline in zero-day attacks against web browsers and mobile devices. According to GTIG, browser-related zero-day exploits fell by about one-third, while mobile zero-days dropped by half compared to 2023.
Still, mobile devices remain vulnerable to complex attack chains. Google noted that around 90% of mobile-focused attacks used exploit chains involving multiple zero-day vulnerabilities.
Some of the affected platforms included:
Microsoft Windows: 22 exploited zero-days
Android: 7 zero-days (3 of them in third-party components)
Chrome: 7 exploited flaws
Apple Safari: 3
Apple iOS: 2
Mozilla Firefox: 1
Who’s Behind These Zero-Day Attacks?
Google was able to link 34 of the 75 exploited zero-days to specific threat actor groups or motivations. These include:
State-sponsored espionage (10 attacks): Led by groups linked to China (5), Russia (1), and South Korea (1)
Commercial surveillance vendors (8 attacks): Known for selling spyware and exploit kits to governments
Financially motivated hackers (5 attacks): Focused on stealing money or credentials
North Korean groups (5 attacks): Mixing espionage and financial goals
Russian threat actors (2 attacks): Carrying out both spying and profit-driven attacks
Well-known vulnerabilities exploited in these campaigns include CVE-2023-46805 and CVE-2024-21887, often tied to nation-state actors.

Case Study: Ukraine Government Website Attack
One notable example highlighted by Google involved an attack on the website of the Diplomatic Academy of Ukraine. In November 2024, attackers injected malicious JavaScript into the site, exploiting CVE-2024-44308 to execute unauthorized code. This was then combined with another vulnerability, CVE-2024-44309, which affects cookie management in WebKit.
The result was a cross-site scripting (XSS) attack that allowed the attackers to steal cookies and hijack sessions, including unauthorized access to login.microsoftonline[.]com, Microsoft’s cloud authentication service.
Firefox and Tor Also Targeted
Another sophisticated attack involved an exploit chain targeting Firefox and Tor browsers. The attackers used CVE-2024-9680 and CVE-2024-49039 to bypass Firefox’s security sandbox and run malware with high-level system privileges. This led to the installation of the RomCom Remote Access Trojan (RAT).
This campaign has been linked to a threat actor known as RomCom, also tracked by other names like Storm-0978, UNC2596, and Tropical Scorpius. Google refers to this actor as CIGAR, a dual-purpose group involved in both espionage and financially driven cybercrime.
Interestingly, these same vulnerabilities were also used by a different hacking group in a separate campaign that compromised a legitimate cryptocurrency news website. Visitors were silently redirected to an attacker-controlled site where the exploit chain was launched.
The Future of Zero-Day Exploits
Despite the slight drop in total zero-day attacks, Google warns that the problem is far from over. In fact, while consumer-targeted software is seeing fewer zero-day exploits due to better defenses, enterprise software is now the new front line.
“Zero-day exploitation continues to grow at a slow but steady pace,” said Casey Charrier, Senior Analyst at GTIG. “We are seeing progress in defending consumer products, but enterprise software remains vulnerable as attackers shift their focus.”
Charrier emphasized that the direction of future attacks will largely depend on how vendors prioritize and invest in proactive security measures.
“Enterprise products need better protections. It’s not just about patching known bugs, but about building in resilience from the start,” Charrier concluded.