Google’s Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in the wild in 2025, with 43 of them — nearly half — targeting enterprise networking and security infrastructure. This represents an all-time high for enterprise-focused zero-days and a clear signal that the devices network engineers manage daily are now the primary attack surface.
Key Takeaway: Network appliances like firewalls, VPN concentrators, and SD-WAN controllers have replaced endpoints as the top zero-day target. If you manage Cisco ASA, FTD, or any edge device, this report is your wake-up call.
How Many Zero-Days Were Exploited in 2025?
According to Google’s GTIG report published on March 5, 2026, attackers exploited 90 zero-day vulnerabilities throughout 2025. That’s up from 78 in 2024, and the trend line over the past four years shows zero-day exploitation has settled at a permanently elevated baseline — far above the pre-2021 levels of 25-30 per year.
Here’s the year-over-year breakdown:
| Year | Zero-Days Exploited | Enterprise-Targeted | Enterprise % |
|---|---|---|---|
| 2022 | 63 | ~25 | ~40% |
| 2023 | 100 | ~40 | ~40% |
| 2024 | 78 | 34 | 44% |
| 2025 | 90 | 43 | 48% |
The steady climb in enterprise targeting isn’t random. Threat actors are making a calculated pivot, and as SecurityWeek reported, this shift reflects the high value of enterprise infrastructure as both an initial access vector and a persistence mechanism.
Why Are Attackers Targeting Network Appliances?
The answer is straightforward: network appliances sit at trust boundaries and often run with elevated privileges. A compromised firewall or VPN gateway gives attackers:
- Direct access to internal networks without needing to phish an employee
- Persistence that survives endpoint EDR detection
- Visibility into all traffic flowing through the device
- Lateral movement capabilities across network segments
Google’s report specifically calls out “security and networking devices” as the fastest-growing zero-day target category. According to CSO Online, attackers are gravitating toward platforms they believe will be “more poorly maintained and less secured” — and enterprise appliances often fall into this category because patching requires maintenance windows and change control.
The irony is brutal: the very devices deployed to protect networks are now the primary attack vector.
Who’s Behind These Attacks?
Google attributed 42 of the 90 zero-days to specific threat actors, and the breakdown reveals two dominant groups:
Commercial Surveillance Vendors (CSVs) — 15 Zero-Days
For the first time, commercial spyware vendors topped the attribution chart. These companies sell exploit capabilities to government clients, and they burned through 15 zero-days in 2025 (with three more “likely CSV”). This is the industrialization of zero-day exploitation.
China-Linked Espionage Groups — 12 Zero-Days
State-sponsored groups like UNC5221 and UNC3886 continued their decade-long focus on security appliances and edge devices. Google noted these groups “continued to focus heavily on security appliances and edge devices to maintain persistent access to strategic targets.”
The remaining attributions include other nation-state actors and financially motivated groups, but the pattern is clear: sophisticated attackers are investing heavily in enterprise infrastructure exploitation.
What Does This Mean for Cisco Environments?
Cisco accounted for 4 zero-days in Google’s 2025 tracking, but the broader picture is even more concerning. Throughout 2025, Cisco faced a barrage of critical vulnerabilities:
Cisco ASA/FTD Zero-Days (September 2025)
Three critical vulnerabilities hit Cisco firewalls simultaneously:
- CVE-2025-20333 (CVSS 9.9) — Buffer overflow in the VPN web server allowing remote code execution
- CVE-2025-20362 (CVSS 6.5) — Authentication bypass exposing configuration data
- CVE-2025-20363 (CVSS 9.0) — Remote code execution across ASA, FTD, IOS, IOS XE, and IOS XR
All three were actively exploited in the wild before patches were available, as documented by Palo Alto’s Unit 42 and flagged by CISA’s Emergency Directive ED-25-03.
The 48-Vulnerability Patch Dump
Earlier in 2025, Cisco released patches for 48 vulnerabilities across ASA, FMC, and FTD — including two critical flaws in Firepower Management Center that allowed remote root access.
SD-WAN Exploitation
Cisco also disclosed actively exploited SD-WAN vulnerabilities in Catalyst SD-WAN, with critical and high-severity issues enabling system access and root privilege escalation.
How Should Network Engineers Respond?
The days of “set it and forget it” for network infrastructure are over. Here’s what the Google report means for your operational posture:
1. Treat Network Appliances Like Endpoints
```
! Enable syslog to SIEM for all management plane events
logging host 10.1.1.100 transport tcp port 6514
logging trap informational
logging source-interface Loopback0
! Restrict management access
access-list 99 permit 10.0.0.0 0.0.0.255
line vty 0 15
 access-class 99 in
 transport input ssh
```
Every firewall, router, and switch should feed logs to your SIEM. If you’re not monitoring management plane activity, you’re blind to the exact attacks Google is tracking.
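As an added example that is not part of the original article, here is a small Python triage pass over the kind of management-plane syslog the configuration above forwards to a SIEM. It assumes the management subnet permitted by access-list 99 (10.0.0.0/24), the standard IOS %SEC_LOGIN and %SYS-5-CONFIG_I message formats, and an assumed three-failure alert threshold; the sample log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

MGMT_NET = ipaddress.ip_network("10.0.0.0/24")  # the range permitted by access-list 99 above
FAILED_LOGIN_THRESHOLD = 3  # assumption: three failures from one source is worth an alert

# %SEC_LOGIN messages carry "[user: X] [Source: A.B.C.D]"; %SYS-5-CONFIG_I carries "by X on vtyN (A.B.C.D)"
LOGIN_RE = re.compile(r"%SEC_LOGIN-\d-(LOGIN_SUCCESS|LOGIN_FAILED).*?\[user: (\S+)\].*?\[Source: ([\d.]+)\]")
CONFIG_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by (\S+) on \S+ \(([\d.]+)\)")

def parse_event(line):
    """Return (event, user, source_ip), or None for messages this triage does not track."""
    m = LOGIN_RE.search(line)
    if m:
        return m.group(1), m.group(2), m.group(3)
    m = CONFIG_RE.search(line)
    if m:
        return "CONFIG_CHANGE", m.group(1), m.group(2)
    return None

def triage(lines):
    """Return alert strings for management-plane activity that needs a human look."""
    alerts, failures = [], Counter()
    for event, user, src in filter(None, map(parse_event, lines)):
        if ipaddress.ip_address(src) not in MGMT_NET:
            # Any management-plane action from outside the permitted subnet
            alerts.append(f"{event} by {user} from {src}: source outside {MGMT_NET}")
        if event == "LOGIN_FAILED":
            failures[src] += 1
            if failures[src] == FAILED_LOGIN_THRESHOLD:
                alerts.append(f"{failures[src]} failed logins from {src}: possible credential guessing")
        elif event == "CONFIG_CHANGE":
            alerts.append(f"config change by {user} from {src}: check against change control")
    return alerts

# Constructed sample lines in IOS syslog format (not captured from a real device)
SAMPLE_LOGS = [
    "<189>123: *Mar  5 10:01:02.111: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.21] [localport: 22] at 10:01:02 UTC Thu Mar 5 2026",
    "<188>124: *Mar  5 10:03:44.201: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:03:44 UTC Thu Mar 5 2026",
    "<188>125: *Mar  5 10:03:45.300: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:03:45 UTC Thu Mar 5 2026",
    "<188>126: *Mar  5 10:03:46.402: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:03:46 UTC Thu Mar 5 2026",
    "<189>127: *Mar  5 10:10:00.000: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.0.0.21)",
    "<189>128: *Mar  5 10:12:09.555: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS):
        print(alert)
```

On the constructed sample this raises five alerts: three out-of-subnet login failures, one failed-login burst, and one config change to reconcile with change control.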
2. Implement Aggressive Patch Cycles
The median time from zero-day disclosure to mass exploitation is shrinking. For the Cisco ASA CVEs, Zscaler reported exploitation ramped up within days. You need:
- Emergency patch windows for CVSS 9.0+ vulnerabilities (24-48 hours, not next quarter)
- Automated vulnerability scanning with tools like Qualys or Tenable for network appliances
- CISA KEV catalog monitoring — if it’s on the list, patch immediately
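An added example (not from the article) of the KEV check and patch-window triage described above, in Python: it joins a vulnerability-scanner export against a CISA KEV catalog document and assigns the article's 24-48 hour windows. The KEV excerpt and scanner findings are constructed (the dates are placeholders and CVE-XXXX-PLACEHOLDER stands in for any non-KEV finding), and the 30-day standard cycle is an assumption.

```python
import json
from datetime import datetime, timedelta, timezone

# Live feed: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# The excerpt below is CONSTRUCTED in that feed's field layout for offline use; dates are
# placeholders, and it deliberately omits entries so that both priority tiers are exercised.
KEV_JSON = """{"title": "CISA Catalog of Known Exploited Vulnerabilities", "vulnerabilities": [
  {"cveID": "CVE-2025-20333", "vendorProject": "Cisco", "product": "Secure Firewall ASA/FTD", "dateAdded": "2025-09-01", "dueDate": "2025-09-02", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2025-20362", "vendorProject": "Cisco", "product": "Secure Firewall ASA/FTD", "dateAdded": "2025-09-01", "dueDate": "2025-09-02", "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed scanner export: device, CVE and CVSS base score (scores are those quoted in the article)
FINDINGS = [
    {"device": "asa-edge-01", "cve": "CVE-2025-20363", "cvss": 9.0},
    {"device": "asa-edge-01", "cve": "CVE-2025-20362", "cvss": 6.5},
    {"device": "ftd-dc-02", "cve": "CVE-2025-20333", "cvss": 9.9},
    {"device": "fmc-mgmt-01", "cve": "CVE-XXXX-PLACEHOLDER", "cvss": 7.2},
]

# (rank, label, time allowed). The 24h/48h windows follow the article; the 30-day cycle is an assumption.
KEV_TIER = (0, "KEV: patch immediately", timedelta(hours=24))
CRITICAL_TIER = (1, "CVSS 9.0+: emergency window", timedelta(hours=48))
STANDARD_TIER = (2, "standard cycle", timedelta(days=30))

def load_kev_ids(kev_json):
    """Return the set of CVE IDs present in a KEV catalog document."""
    return {entry["cveID"] for entry in json.loads(kev_json)["vulnerabilities"]}

def tier_for(finding, kev_ids):
    """KEV membership overrides CVSS: an exploited 6.5 outranks an unexploited 9.0."""
    if finding["cve"] in kev_ids:
        return KEV_TIER
    if finding["cvss"] >= 9.0:
        return CRITICAL_TIER
    return STANDARD_TIER

def patch_plan(findings, kev_json, now):
    """Return (device, cve, label, deadline ISO string) rows, most urgent first."""
    kev_ids = load_kev_ids(kev_json)
    ranked = []
    for f in findings:
        rank, label, sla = tier_for(f, kev_ids)
        ranked.append((rank, f["device"], f["cve"], label, (now + sla).isoformat()))
    ranked.sort()
    return [row[1:] for row in ranked]

if __name__ == "__main__":
    for device, cve, label, deadline in patch_plan(FINDINGS, KEV_JSON, datetime.now(timezone.utc)):
        print(f"{deadline}  {device:12} {cve:22} {label}")
```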
3. Segment Your Management Plane
```
! Dedicated management VRF
vrf definition MGMT
 address-family ipv4
 exit-address-family
interface GigabitEthernet0/0
 vrf forwarding MGMT
 ip address 10.255.0.1 255.255.255.0
 no shutdown
```
Management interfaces should never be reachable from the data plane or the internet. This single architectural decision would have mitigated several of the 2025 zero-days.
4. Deploy Defense-in-Depth at the Edge
Don’t rely on a single firewall vendor. If your perimeter is all ASA/FTD and a zero-day drops, your entire security posture collapses. Consider:
- Layered inspection (different vendors at different trust boundaries)
- Network Detection and Response (NDR) monitoring traffic independently of inline devices
- Zero Trust architecture that doesn’t trust the network perimeter implicitly
What This Means for CCIE Security Candidates
The 2025 zero-day landscape validates exactly what the CCIE Security v6.1 lab tests:
- Network segmentation — isolating management, data, and control planes
- Incident response — detecting compromise on network appliances
- Hardening — reducing attack surface on ASA, FTD, ISE, and IOS devices
- Defense-in-depth — the lab tests layered security for a reason
If you’re studying for the CCIE Security lab, Google’s report is your reading list for why these topics matter. Every hardening technique you learn isn’t academic — it’s directly countering the exploit chains that burned 43 enterprise zero-days in a single year.
Frequently Asked Questions
How many zero-day vulnerabilities were exploited in 2025?
Google’s Threat Intelligence Group tracked 90 zero-day vulnerabilities exploited in the wild in 2025, up from 78 in 2024, though below the 100 tracked in 2023. This continues the elevated baseline established since 2021.
What percentage of 2025 zero-days targeted enterprise technology?
Nearly 48% of all zero-days in 2025 targeted enterprise technologies including firewalls, VPN gateways, and SD-WAN appliances — an all-time high according to Google GTIG.
Which vendors had the most zero-day vulnerabilities in 2025?
Microsoft led with 25 zero-days, followed by Google (11), Apple (8), and Cisco (4). Enterprise networking vendors collectively accounted for a significant share of the total.
How can network engineers protect against zero-day attacks?
Focus on management plane segmentation, aggressive patching (24-48 hours for critical CVEs), centralized logging to SIEM, and defense-in-depth with multiple vendors. Monitor CISA’s Known Exploited Vulnerabilities catalog daily.
How do zero-day attacks affect CCIE Security preparation?
Zero-day trends reinforce the importance of defense-in-depth, network segmentation, and rapid incident response — all core CCIE Security v6.1 lab topics. Understanding real-world exploit chains makes you a stronger candidate and a better engineer.
The Google GTIG report isn’t just a security research paper — it’s a roadmap showing where attackers are headed. They’re coming for your network appliances. The question is whether you’ll be ready.
Ready to build enterprise-grade security skills that matter? Contact us on Telegram @phil66xx for a free CCIE Security assessment.