
Rising zero-day exploitation across end-user and enterprise products in 2025

Type: Trend
Happening score: 45
Sources: 1 unique source, 1 article

Summary


Zero-day exploitation stayed elevated in 2025, with 90 actively exploited flaws split between end-user platforms and enterprise products. That matters because a zero-day can deliver initial access, remote code execution, or privilege escalation before a fix exists, so defenders cannot rely on patching alone. The heaviest enterprise pressure fell on security appliances, networking infrastructure, VPNs, and virtualization platforms. The pattern is broad, sustained exploitation pressure across vendors rather than a single-vendor problem.

Related Happenings

Pwn2Own Berlin 2026 multi-product zero-days privilege-escalation flaw

Vulnerability
First: 14.05.2026 21:53 Last: 14.05.2026 21:53 Sources 1

About this happening: **Pwn2Own Berlin 2026** opened with **24 unique zero-days** demonstrated against **fully patched products**, creating immediate exposure across browser, OS, virtualization, enterp...

Windows zero-day exploitation wave

Exploitation Wave
First: 17.04.2026 09:14 Last: 17.04.2026 09:14 Sources 1

About this happening: **BlueHammer**, **RedSun**, and **UnDefend** are being exploited in the wild against **Windows** devices, creating active risk of **SYSTEM** or elevated administrator compromise....

Latest development: 23.04.2026 14:05

CISA added BlueHammer, tracked as CVE-2026-33825, to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch Microsoft Defender on Windows systems within two weeks, by May 7, 2026. The directive responds to ongoing zero-day exploitation of the flaw on U.S. government systems.
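A KEV addition with a two-week due date is only useful if you can map it onto what you actually run. The script below is an added example, not code from the page, from CISA, or from any vendor named here: it parses a document in the public KEV JSON layout (fields `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `requiredAction`, `knownRansomwareCampaignUse`), matches entries against a local vendor/product inventory, and reports days remaining or overdue per entry. The feed content is a constructed sample: the BlueHammer entry uses the identifier and dates stated on the page; the `ExampleVendor` entries, the inventory, and the `triage`/`sla_days` helper names are placeholders of my own.

```python
"""Triage a CISA KEV-format feed against a local product inventory.

Added example (not from the page or from CISA). The real feed lives at
KEV_URL below but is not fetched here; SAMPLE_KEV_JSON is a constructed
stand-in in the same shape.
"""
import json
from datetime import date

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample feed. The first entry carries the CVE ID and dates the
# page gives for BlueHammer; the other two are placeholders (fake vendor,
# fake product, fake IDs) so the overdue and not-in-inventory paths run.
SAMPLE_KEV_JSON = json.dumps({
    "title": "Sample catalog in KEV layout (constructed)",
    "catalogVersion": "sample",
    "count": 3,
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-33825",
            "vendorProject": "Microsoft",
            "product": "Defender",
            "vulnerabilityName": "BlueHammer (name as reported on the page)",
            "dateAdded": "2026-04-23",
            "shortDescription": "Constructed placeholder description.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-05-07",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
        {
            "cveID": "CVE-2026-00001",  # placeholder
            "vendorProject": "ExampleVendor",
            "product": "ExampleVPN",
            "vulnerabilityName": "Placeholder VPN flaw",
            "dateAdded": "2026-03-27",
            "shortDescription": "Constructed placeholder.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2026-04-10",
            "knownRansomwareCampaignUse": "Known",
            "notes": "",
        },
        {
            "cveID": "CVE-2026-00002",  # placeholder, product not in inventory
            "vendorProject": "ExampleVendor",
            "product": "ExampleRouter",
            "vulnerabilityName": "Placeholder router flaw",
            "dateAdded": "2026-04-17",
            "shortDescription": "Constructed placeholder.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2026-05-01",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
    ],
})

# Constructed inventory: (vendor, product) pairs we run, matched case-insensitively.
INVENTORY = [("Microsoft", "Defender"), ("examplevendor", "examplevpn")]

REQUIRED_FIELDS = ("cveID", "vendorProject", "product", "dateAdded", "dueDate")


def parse_kev(text):
    """Return the `vulnerabilities` list of a KEV-layout document, failing
    loudly if an entry lacks a field the triage relies on."""
    doc = json.loads(text)
    entries = doc.get("vulnerabilities", [])
    for entry in entries:
        missing = [f for f in REQUIRED_FIELDS if f not in entry]
        if missing:
            raise ValueError(f"KEV entry missing {missing}: {entry.get('cveID', '?')}")
    return entries


def sla_days(entry):
    """Days between dateAdded and dueDate (14 for a standard two-week directive)."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(entry["dateAdded"])).days


def triage(kev_text, inventory, today):
    """Match KEV entries to the inventory and compute remaining time.

    Returns a list of dicts sorted by dueDate; `days_left` is negative once
    the due date has passed, and `status` is a human-readable summary."""
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    rows = []
    for entry in parse_kev(kev_text):
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        if key not in wanted:
            continue
        left = (date.fromisoformat(entry["dueDate"]) - today).days
        if left < 0:
            status = f"overdue by {-left} days"
        elif left == 0:
            status = "due today"
        else:
            status = f"due in {left} days"
        rows.append({
            "cveID": entry["cveID"],
            "product": f"{entry['vendorProject']} {entry['product']}",
            "dateAdded": entry["dateAdded"],
            "dueDate": entry["dueDate"],
            "days_left": left,
            "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
            "status": status,
        })
    rows.sort(key=lambda r: (r["dueDate"], r["cveID"]))
    return rows


if __name__ == "__main__":
    # "Today" pinned to the date of the CISA addition reported on the page.
    for row in triage(SAMPLE_KEV_JSON, INVENTORY, date(2026, 4, 23)):
        print(f"{row['cveID']:16} {row['product']:24} due {row['dueDate']}  {row['status']}")
```

To use it against the live catalog, download `KEV_URL` with your usual tooling and pass the file contents in place of `SAMPLE_KEV_JSON`; the two-week window is a federal mandate, but treating the KEV due date as an internal SLA is a reasonable default for anyone, since every entry is by definition exploited in the wild.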

Microsoft Defender RedSun LPE zero-day privilege-escalation flaw

Vulnerability
First: 16.04.2026 23:19 Last: 16.04.2026 23:19 Sources 1

About this happening: A public **RedSun** proof-of-concept exposed a **Microsoft Defender** **local privilege escalation** zero-day that can reach **SYSTEM** on **Windows 10**, **Windows 11**, and **Wi...

Latest development: 17.04.2026 16:21

Huntress reports that threat actors are exploiting Microsoft Defender flaws, including RedSun, to gain elevated privileges on compromised systems, and says it isolated the affected organization to prevent further post-exploitation.

Dragon Boss Solutions signed adware campaign

Campaign
First: 15.04.2026 20:59 Last: 15.04.2026 20:59 Sources 1

About this happening: The **Dragon Boss Solutions** campaign used **signed adware installers** to push **SYSTEM-privileged** payloads that disabled antivirus and blocked reinstalls, creating a broad fo...

Latest development: 16.04.2026 22:07

Dragon Boss Solutions LLC pushed a malicious Advanced Installer update in the early morning hours of March 22, 2025 that disabled ESET, McAfee, Kaspersky, and Malwarebytes detections, established persistence via scheduled tasks, and added Windows Defender exclusions, while Huntress sinkholed the campaign's primary update domain to limit further abuse.

Microsoft Zero Day Quest $2.3M bounty payout

Commercial Activity
First: 15.04.2026 19:20 Last: 15.04.2026 19:20 Sources 1

About this happening: Microsoft **awarded $2.3 million** to researchers through **Zero Day Quest**, turning the contest into a major payout event for **cloud and AI security** testing. The live event a...

Timeline

  1. 05.03.2026 17:03 · 2 articles

    GTIG discloses elevated zero-day exploitation in 2025

    Initial Disclosure

    Google Threat Intelligence Group reported that 90 zero-day vulnerabilities were actively exploited throughout 2025, 47 of them targeting end-user platforms and 43 targeting enterprise products. The trend centered on enterprise software and appliances, especially security appliances, networking infrastructure, VPNs, and virtualization platforms, while desktop OSs, mobile platforms, and web browsers were also affected. Microsoft was the most targeted vendor, and commercial spyware vendors were the largest users of undocumented flaws. Google recommended reducing attack surfaces, limiting privilege exposure, monitoring for anomalous behavior, and patching rapidly.
