The Google Threat Intelligence Group (GTIG) reported tracking 75 zero-day vulnerabilities exploited in the wild in 2024, down from 98 in 2023 but still above the 63 identified in 2022. The vulnerabilities were divided into two main categories: end-user platforms and products, and enterprise-focused technologies.
Enterprise-specific technologies made up a growing share of overall zero-day exploitation, rising from 37% in 2023 to 44% in 2024. The majority of these involved security and networking software and appliances. GTIG observed that 20 of the 33 zero-days affecting enterprise technologies targeted these products specifically.
End-user platforms, such as browsers, mobile devices, and desktop operating systems, continued to be the most targeted category, accounting for 56% of all tracked zero-days. However, the number of exploited vulnerabilities in browsers and mobile devices decreased significantly. Browser-related zero-days fell from 17 in 2023 to 11 in 2024, while mobile-related zero-days dropped from 17 to 9.
Chrome remained the most frequently targeted browser. Exploit chains using multiple zero-days were mainly observed in attacks against mobile devices. On Android, three of the seven zero-day vulnerabilities were found in third-party components.
Desktop operating systems saw increased exploitation in 2024, with 22 zero-days compared to 17 the year prior. Microsoft Windows continued to be a primary target, with zero-day exploits rising from 16 in 2023 to 22 in 2024.
Microsoft was the most frequently affected vendor, with 26 zero-day vulnerabilities. Google followed with 11, while networking and security software provider Ivanti was third with seven flaws. Apple was fourth, with five.
Cyber espionage groups remained the top actors in attributed zero-day exploitation. State-backed actors from China and North Korea, along with customers of commercial surveillance vendors (CSVs), accounted for the majority of these cases. GTIG attributed 34 of the 75 zero-days in 2024, with 53% linked to espionage actors.
The most commonly exploited vulnerability types in 2024 included use-after-free flaws (eight), command injection (eight), and cross-site scripting (six). Exploits were largely used to gain remote code execution or escalate privileges across targeted systems.
Traditional espionage actors were responsible for the largest share of attributed zero-day exploitation in 2024, accounting for nearly 53% (18 vulnerabilities) of the total. Of these, 10 were linked to likely nation-state-sponsored groups, while eight were attributed to commercial surveillance vendors (CSVs).