Published Sunday, June 21, 2026 at 07:03 AM PT

BREAKING: GOOGLE THREAT INTELLIGENCE — 2025 ZERO-DAY EXPLOITATION REVIEW FLAGS ESCALATING ENTERPRISE AND MOBILE THREATS

BLUF: Google Threat Intelligence has published findings from its 2025 zero-day exploitation review, confirming active exploitation of enterprise network technologies and mobile/browser platforms by state-sponsored actors and commercial surveillance vendors (CSVs). Organizations running enterprise edge and network infrastructure should treat unpatched systems as actively targeted. Apply all available vendor patches immediately.


DETAILS

  • Enterprise network technologies are the primary entry point: Google’s review confirms that just over half of zero-day exploitation attributed to state-sponsored threat groups targeted enterprise-facing network technologies — consistent with a sustained, strategic focus on perimeter and infrastructure devices as initial access vectors.
  • Commercial surveillance vendors are actively evolving mobile exploit chains: CSVs are adapting existing exploit chains to defeat newer mobile security boundaries and browser-level protections, indicating that recent platform hardening efforts have not eliminated the threat — only raised the cost of exploitation.
  • Multiple intrusions have been linked to these exploitation patterns. (Note: Full attribution details and specific vendor/product names are not confirmed in the available excerpt — additional context pending full report publication.)
  • Zero-day exploitation in 2025 is ongoing, not retrospective: The framing of this report as a mid-cycle review suggests Google is tracking active campaigns, not solely historical incidents.

IMPACT

  • Who is affected: Organizations operating enterprise network infrastructure (VPNs, firewalls, network appliances), mobile device users in high-risk environments, and any organization relying on browser-based workflows.
  • Scope: Global. State-sponsored actors and CSVs operate across geographies and sectors. High-value targets — government, critical infrastructure, financial, and technology sectors — face elevated risk.
  • Compounding risk: Related reporting this cycle covers NGINX RCE vulnerabilities (F5-patched), Windows Administrator Protection bypasses, and OAuth token abuse — suggesting a broad, multi-vector threat environment in parallel.

  1. Patch enterprise network appliances immediately β€” prioritize internet-facing devices including VPNs, firewalls, and load balancers. Cross-reference your asset inventory against any CVEs cited in the full Google Threat Intelligence report upon release.
  2. Audit mobile device management (MDM) policies β€” ensure endpoint detection is current and browser isolation controls are enforced for high-risk users.
  3. Review browser security configurations β€” apply latest patches for Chrome and other Chromium-based browsers; monitor for CSV-linked indicators of compromise.
  4. Monitor for the full Google Threat Intelligence report β€” the available excerpt is partial. Full CVE lists, affected vendors, and attribution details are expected in the complete publication.
  5. Treat unpatched perimeter devices as compromised β€” conduct threat hunting on enterprise edge infrastructure if patches have not been applied within the last 30 days.

SOURCES

  • Primary: Google Threat Intelligence — “Look What You Made Us Patch: 2025 Zero-Days in Review” (partial excerpt)
  • Supporting context: F5/NGINX RCE patch advisory (The Hacker News); Google Project Zero β€” Windows Administrator Protection bypass research

⚠️ UNCERTAINTY FLAG: The triggering excerpt is a partial publication. Specific CVE identifiers, named vendors, and full attribution details have NOT been confirmed in available source material. This alert will require update upon full report release.