Google: 75 zero-days seen in 2024 as nations, spyware vendors continue exploitation

The number of zero-day bugs exploited by criminals, nation states and commercial vendors fell in 2024, but hackers are increasingly targeting vulnerabilities in security software and appliances to gain broader access to victim systems.

Google’s Threat Intelligence team published its annual zero-day report on Tuesday, finding that 75 vulnerabilities were exploited in the wild in 2024, down from 98 in the prior year. 

Google, which defines zero-days as vulnerabilities exploited in the wild before a patch is made publicly available, said cyber espionage was still the leading motivation behind the exploitation of bugs. 

The report divides the 75 bugs into two buckets: those impacting end-user platforms like mobile devices or browsers, and those impacting enterprise-focused technologies such as security software and appliances.

Google lauded tech companies for making improvements that forced hackers to try harder to discover zero-day vulnerabilities. The researchers found that vendor investments are “having a clear impact on where threat actors are able to find success” and said they are seeing “notable decreases in zero-day exploitation of some historically popular targets such as browsers and mobile operating systems.”

The number of zero-day bugs for browsers fell by a third, while the number of bugs for mobile devices fell by about half. 

The numbers

Hackers working on behalf of China, Russia and North Korea continue to lead the way in exploiting zero-days, alongside commercial surveillance vendors (CSVs) that sell vulnerabilities to other countries. When combined, both groups account for more than 50% of the zero-day vulnerabilities that could be attributed in 2024. 

Chinese and North Korean actors exploited five zero-days each while customers of CSVs exploited eight. 

Five of the bugs were attributed to financially motivated hackers, including the high-profile vulnerability impacting the Cleo file transfer tool. The researchers noted that the same group, which Google tracks as FIN11, exploited zero-days in file transfer tools in 2021 and 2023 as well.

“Despite the otherwise varied cast of financially motivated threat actors exploiting zero-days, FIN11 has consistently dedicated the resources and demonstrated the expertise to identify, or acquire, and exploit these vulnerabilities from multiple different vendors,” they said.

Targeting security devices

Google cautioned that attackers are now focusing their efforts specifically on security and networking products.

“Exploitation of these products, compared to end-user technologies, can more effectively and efficiently lead to extensive system and network compromises, and we anticipate adversaries will continue to increase their focus on these technologies,” the researchers wrote.

There were a total of 33 zero-days impacting enterprise software and appliances in 2024, fewer than in 2023 but a higher proportion of the year's total number of exploited bugs.

Products from Ivanti, Palo Alto Networks and Cisco were targeted the most, likely because these tools are “designed to connect widespread systems and devices with high permissions required to manage the products and their services.”

Endpoint detection and response (EDR) tools generally cannot be deployed on these appliances, leaving them unmonitored and making them a ripe target for hackers seeking to evade detection.

Almost 30% of the attributed zero-days were used by Chinese actors, many of which targeted Ivanti appliances. 

The Google researchers said they anticipate that zero-day exploitation will continue to rise, with big vendors facing attacks because of the ubiquity of their operating systems and browsers.

“Phones and browsers will almost certainly remain popular targets, although enterprise software and appliances will likely see a continued rise in zero-day exploitation,” they said.

But they noted that the same types of vulnerabilities have been exploited over time, indicating “patterns in what weaknesses attackers seek out and find most beneficial to exploit.”

“Continued existence and exploitation of similar issues makes zero-days easier; threat actors know what to look for and where exploitable weaknesses are most pervasive.”

They urged vendors to focus on measures that will limit “gaps in configurations and architectural decisions” that could give attackers “administrator access and/or widespread reach across systems and networks.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.