TL;DR

  • Google tracked 90 zero-day vulnerabilities exploited in the wild in 2025, up from 78 in 2024
  • 48% of all zero-day exploits targeted enterprise software and appliances — the highest proportion ever recorded
  • Browser exploitation is declining (less than 10% of total) while enterprise edge devices (routers, firewalls, VPN appliances) account for half of enterprise-targeted zero-days
  • Cisco and Fortinet were the most frequently targeted networking vendors; Ivanti and VMware faced ongoing VPN and virtualisation exploits
  • Commercial surveillance vendors now account for more zero-day exploitation than traditional state-backed espionage groups

The Shift: Attackers Are Moving From Browsers to Enterprise Systems

For years, browser zero-days dominated the threat landscape. Attackers targeted Chrome, Firefox, Safari, and Edge as the primary entry point into victim networks. But Google's 2025 Threat Intelligence Group data reveals a fundamental shift:

Browser-related zero-days fell to less than 10% of all tracked exploits [1].

Instead, attackers are focusing on enterprise technology stacks:

  • Enterprise software and appliances: 43 zero-days (48% of total)
  • Operating systems (desktop and mobile): 44 zero-days (44% of total)
  • Browsers: Less than 9 zero-days (<10% of total)

This represents a strategic pivot by threat actors. Browsers have hardened significantly, with rapid patching cycles, exploit mitigations, and sandboxing. Enterprise systems — particularly edge devices like routers, firewalls, and VPN appliances — often run for years without updates, have limited visibility for defenders, and sit at the perimeter of corporate networks [1].

For SMBs, this is critical intelligence: the assumption that "browsers are the attack surface" is now outdated. Your firewalls, VPN concentrators, and networking appliances are the new frontline.

Related: Cisco Just Patched 48 Firewall Flaws — Including 2 Perfect 10s. Here's What Every Business Running Cisco Needs to Do Today.

The Enterprise Edge: Why Attackers Love Your Perimeter

Google identified that security and networking appliances accounted for 21 zero-day vulnerabilities in 2025 — roughly half of all enterprise-targeted zero-days [1].

Why edge devices?

  • Limited visibility — Many routers, switches, and security appliances don't run endpoint detection and response (EDR) tools. Anomalies are hard to spot, and forensic evidence is scarce after compromise
  • Perimeter positioning — Edge devices sit at the network boundary, making them ideal beachheads for lateral movement into internal systems
  • Long deployment cycles — Firewalls and VPN appliances often run for 5-7 years without replacement. Firmware updates are rare, and security teams rarely touch them
  • Privileged access — Compromising a firewall or VPN appliance often gives attackers visibility into all traffic traversing the network, including encrypted sessions they can intercept and decrypt

Google explicitly flagged limited visibility on edge devices as a recurring problem for defenders [1]. The count of 14 zero-days affecting edge devices in 2025 likely understates broader activity — these are just the exploits Google detected and disclosed.

The Vendor Landscape: Cisco, Fortinet, Ivanti, VMware

Google's report calls out specific vendors facing repeated exploitation:

  • Cisco and Fortinet — Most commonly targeted networking and security vendors, with zero-days affecting firewall, SD-WAN, and routing platforms
  • Ivanti and VMware — Ongoing exploitation tied to VPN and virtualisation deployments, particularly remote access appliances that became critical during remote work shifts

This isn't hypothetical. Recent months have seen:

  • Cisco Catalyst SD-WAN Manager vulnerabilities (CVE-2026-20128 and CVE-2026-20122) confirmed as actively exploited in February 2026 [2]
  • Fortinet multiple zero-days in 2025 affecting firewall and VPN products, with exploit code circulating in criminal forums
  • Ivanti VPN appliances hit by multiple zero-day chains, with mass exploitation following public disclosure

For SMBs running these vendors (and many do — Cisco and Fortinet have enormous SMB market share), this is an urgent wake-up call: default deployments are insufficient. Edge devices must be treated as high-value assets, not "set and forget" infrastructure.

Related: AI Let One Hacker Breach 600 Firewalls in 5 Weeks. Here's the 3-Fix Checklist That Would Have Stopped Every Single One.

The Commercial Surveillance Boom

One of the most striking findings in Google's report: commercial surveillance vendors now account for more zero-day exploitation than traditional state-backed cyber-espionage groups [1].

This represents a broadening of access to zero-day capabilities:

  • Historical model — Zero-day exploitation was the domain of nation-states (Russia, China, Iran, North Korea) with sophisticated cyber operations
  • Current reality — Commercial surveillance vendors sell zero-day exploit capabilities to anyone who can pay, including private investigators, authoritarian regimes, and corporate espionage actors

This democratisation of zero-day capability means threat models must expand. It's not just "APT groups" anymore — it's any actor with sufficient budget and motive.

Among state-backed actors, China-linked espionage groups remain the most prolific zero-day users, with Google attributing at least 10 zero-days to groups including UNC5221 and UNC3886 [1]. These groups continue to focus heavily on security appliances and edge devices.

The 1% Rule: Why You Can't Patch Everything

Google tracked 90 zero-days in 2025. Across all vendors, CISA published advisories for over 20,000 CVEs in the same period [3].

The math is brutal: even if you had perfect vulnerability scanning, 100% patch compliance, and unlimited resources, you cannot address every CVE. And you shouldn't try.

The 1% Rule (from lilMONSTER's previous coverage): focus on the 1% of vulnerabilities that are actively exploited in the wild. Everything else is noise.

Google's data reinforces this: 90 zero-days matter. The other 19,910 CVEs? They're potential issues, not active threats. Prioritise based on exploitation intelligence, not CVSS scores alone.

Related: Stop Patching Everything: The 1% Rule That Keeps SMBs Secure Without Burning Out

The AI Acceleration: What's Coming in 2026

Looking ahead, Google forecasts that AI will accelerate the contest between attackers and defenders by speeding up:

  • Reconnaissance — Automated discovery of vulnerable systems and exposed services
  • Vulnerability discovery — AI-assisted fuzzing and code analysis finding flaws faster than human researchers
  • Exploit development — AI generating exploit code for newly discovered vulnerabilities, shrinking the window between disclosure and weaponisation

But the same AI tools enable defenders:

  • Proactive discovery — AI agents identifying previously unknown security flaws before exploitation
  • Automated patching — Intelligent systems applying updates with reduced downtime and testing overhead
  • Anomaly detection — AI-based monitoring spotting zero-day exploitation via behaviour patterns, even if the vulnerability itself is unknown

Google notes: "AI agents can proactively discover and help patch previously unknown security flaws, enabling vendors to neutralize vulnerabilities before exploitation" [1].

For SMBs, this means AI security tools are transitioning from "nice to have" to baseline infrastructure. The cost of AI-powered security is falling below the cost of manual vulnerability management — and the speed advantage is becoming decisive.

The lilMONSTER Framework: Protecting Against Zero-Days

Zero-days are by definition unpatchable when they're first discovered. Defence requires layered controls that reduce exploitability and limit damage:

1. Attack Surface Reduction

If a vulnerability exists but can't be reached, it can't be exploited.

Surface reduction tactics:

  • Disable unused services — Every running service on an edge device is a potential attack vector. Turn off what you don't need
  • Network segmentation — Isolate management interfaces from untrusted networks. If an edge device is compromised, segmentation limits lateral movement
  • Least privilege access — Restrict administrative access to edge devices. Zero-day exploitation often requires authenticated access or misconfiguration

According to CISA's Known Exploited Vulnerabilities Catalog, over 60% of exploited vulnerabilities in enterprise appliances are reachable via exposed management interfaces [3]. Closing these interfaces stops the majority of attacks.

2. Compromise Detection: Assume Breach

Since zero-days are unpatchable, assume some will eventually be used against you. Focus on detecting the compromise, not preventing the vulnerability.

Detection essentials:

  • Network traffic analysis — Monitor for unusual data flows, large-scale exfiltration, and connections to known malicious infrastructure
  • Endpoint detection and response (EDR) — Deploy on all systems, including management jump-hosts used to access edge devices
  • Log aggregation and SIEM — Centralise logs from firewalls, VPN appliances, and routers. Baseline normal behaviour and alert on deviations

Google's report notes that edge devices have limited visibility for defenders [1]. Compensate by adding external monitoring: network taps, span ports, and cloud-based traffic analysis that doesn't rely on device-side logging.

3. Rapid Patching: The Exploited-Only Queue

Google tracked 90 zero-days. CISA's Known Exploited Vulnerabilities Catalog identifies the subset under active exploitation [3].

Prioritisation approach:

  • Tier 1: CISA KEV catalog — exploited vulnerabilities, patch within 48 hours for edge devices, 14 days for internal systems
  • Tier 2: Vendor security advisories — vendor-confirmed critical flaws, patch within 30 days
  • Tier 3: All other CVEs — patch as part of scheduled maintenance, no emergency response
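The three-tier queue above, and the matching "Patch Smart" priority system in the simplified version further down, as an added example that is not lilMONSTER's tooling: a small triage script that matches scanner findings against the CISA KEV feed and stamps each one with its tier and due date. The feed field names (`cveID`, `vendorProject`, `product`, `dateAdded`) are the real KEV JSON schema, but the feed content, dates, asset names and the CVE-0000-* identifiers are constructed placeholders.

```python
"""Three-tier patch queue driven by the CISA KEV catalog (added example).

Tier 1: CVE is in KEV            -> 48 h for edge devices, 14 days for internal systems
Tier 2: vendor rates it critical -> 30 days
Tier 3: everything else          -> next scheduled maintenance window, no emergency
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample shaped like the real KEV JSON feed: a "vulnerabilities"
# list whose entries carry cveID, vendorProject, product and dateAdded.
# The two Cisco IDs come from the article; CVE-0000-0001 is a placeholder and
# the dates are illustrative, not taken from the live catalog.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-2026-20128", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Manager", "dateAdded": "2026-02-20"},
        {"cveID": "CVE-2026-20122", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Manager", "dateAdded": "2026-02-20"},
        {"cveID": "CVE-0000-0001", "vendorProject": "PLACEHOLDER-VENDOR",
         "product": "PLACEHOLDER-PRODUCT", "dateAdded": "2026-01-15"},
    ]
}


@dataclass(frozen=True)
class Finding:
    """One CVE observed on one asset by the vulnerability scanner."""
    asset: str
    cve: str
    edge: bool             # perimeter device: firewall, VPN, router, SD-WAN
    vendor_critical: bool  # vendor advisory rates the flaw critical


@dataclass(frozen=True)
class QueueEntry:
    asset: str
    cve: str
    tier: int
    due: date
    reason: str


def kev_ids(feed: dict) -> set[str]:
    """Normalise the catalog to a set of upper-case, whitespace-free CVE ids."""
    return {v["cveID"].strip().upper() for v in feed.get("vulnerabilities", [])}


def assign_tier(f: Finding, kev: set[str], today: date, maintenance: date) -> QueueEntry:
    cve = f.cve.strip().upper()   # scanners differ in casing; KEV is upper-case
    if cve in kev:
        days = 2 if f.edge else 14
        return QueueEntry(f.asset, cve, 1, today + timedelta(days=days),
                          "CISA KEV: exploited in the wild")
    if f.vendor_critical:
        return QueueEntry(f.asset, cve, 2, today + timedelta(days=30),
                          "vendor advisory: critical")
    # Tier 3 rides the maintenance calendar even when that window is weeks away.
    return QueueEntry(f.asset, cve, 3, maintenance, "scheduled maintenance")


def build_queue(findings, kev, today, maintenance) -> list[QueueEntry]:
    """Order work by tier, then earliest due date, then asset name."""
    entries = [assign_tier(f, kev, today, maintenance) for f in findings]
    return sorted(entries, key=lambda e: (e.tier, e.due, e.asset))


def overdue(queue: list[QueueEntry], today: date) -> list[QueueEntry]:
    """Entries whose SLA has already lapsed; this is the escalation list."""
    return [e for e in queue if e.due < today]


# Constructed scanner output for a small SMB estate.
FINDINGS = [
    Finding("fw-edge-01", "cve-2026-20128", edge=True, vendor_critical=True),
    Finding("sdwan-mgr-01", "CVE-2026-20122", edge=True, vendor_critical=True),
    Finding("file-srv-02", "CVE-0000-0001", edge=False, vendor_critical=False),
    Finding("vpn-gw-01", "CVE-0000-0002", edge=True, vendor_critical=True),
    Finding("print-srv-01", "CVE-0000-0003", edge=False, vendor_critical=False),
]


def demo_queue() -> list[QueueEntry]:
    """Fixed dates so the run is reproducible: triage on 2026-03-02, window 2026-04-04."""
    return build_queue(FINDINGS, kev_ids(KEV_SAMPLE), date(2026, 3, 2), date(2026, 4, 4))


if __name__ == "__main__":
    for e in demo_queue():
        print(f"T{e.tier}  due {e.due}  {e.asset:<13} {e.cve:<15} {e.reason}")
```

Swap `KEV_SAMPLE` for the downloaded feed and `FINDINGS` for your scanner export; the ordering logic is unchanged.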

This approach ensures limited resources focus on real threats, not theoretical risks.

4. Vendor Risk Management: The Appliances You Buy

If your business runs Cisco firewalls, Fortinet VPNs, or Ivanti remote access gateways, you're inheriting their vulnerability exposure.

Vendor due diligence:

  • Security track record — Does the vendor have a history of zero-day exploits? How quickly do they patch?
  • Transparency — Does the vendor publish detailed security advisories, or downplay severity?
  • Exploit mitigation — Does the product include security-by-design features: exploit mitigation technologies, secure defaults, and reduced attack surface?

Google explicitly identifies Cisco, Fortinet, Ivanti, and VMware as frequently targeted vendors [1]. This doesn't mean "don't buy them" — it means "deploy them with additional controls."

Related: Vendor Breaches Are Now 25% of All Data Breaches: What SMBs Must Do Today

The Business Case: Zero-Day Defence as Competitive Advantage

Zero-day protection is not just security — it's business resilience. Consider the downstream impacts:

  • Customer trust — Demonstrating proactive security posture differentiates in competitive markets
  • Regulatory readiness — GDPR, APRA, and other regulations require "appropriate" security measures. Zero-day defence is increasingly interpreted as mandatory
  • Supply chain assurance — Enterprise customers audit vendor security postures. Zero-day policies and patch discipline are standard RFP requirements

According to Gartner, by 2026, 75% of organisations will treat zero-day defence as a board-level risk issue, up from 20% in 2021 [4]. The shift is driven by high-profile breaches (SolarWinds, Log4j, MOVEit) where zero-day exploitation caused cascading supply chain damage.

For SMBs, this creates opportunity: smaller organisations can move faster than enterprises. Implementing rapid patching, network segmentation, and monitoring is easier with 50 systems than 50,000. Use this agility as competitive advantage.

Action Items: What to Do This Month

Based on Google's 2025 zero-day report and current threat intelligence, here's your immediate checklist:

  1. Inventory edge devices — List every firewall, VPN appliance, router, and wireless controller. Confirm vendor, model, firmware version, and patch date
  2. Disable exposed management interfaces — Ensure device management interfaces are not accessible from the internet. Use VPN-required jump-hosts for administrative access
  3. Subscribe to CISA KEV updates — Join the CISA Known Exploited Vulnerabilities mailing list. Treat KEV entries as emergency patches
  4. Review Cisco and Fortinet advisories — If you run these vendors, check their security advisories for zero-day disclosures. Patch immediately
  5. Deploy network monitoring — If you can't afford a full SIEM, start with basic traffic analysis: netflow/sflow collection, DNS logging, and alerting on large data transfers
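Checklist item 5 and the earlier "Detection essentials" advice to baseline normal behaviour and alert on deviations, worked as an added example (not lilMONSTER's tooling): a per-host egress baseline over NetFlow/sFlow-style records that pages on large external transfers without flagging a backup server that always pushes gigabytes offsite. The 500 MB floor, the 5x factor, the `day,src,dst,bytes` line format and all addresses are assumptions; the flow lines are constructed, with documentation ranges standing in for external hosts.

```python
"""Egress-volume alerting over NetFlow/sFlow-style records (added example).

For each internal host, bytes sent to non-RFC1918 destinations are summed per
day. A day is flagged when that total clears BOTH an absolute floor and a
multiple of the host's own baseline (median of its earlier days), so a backup
server that always sends 3 GB does not alert while a workstation jumping from
50 MB to 2.5 GB does.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import median

# "Internal" means RFC 1918 here; ipaddress.is_private is deliberately not used
# because it also returns True for the documentation ranges in the sample.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    day: str        # YYYY-MM-DD, so string comparison orders days correctly
    src: str
    dst: str
    bytes_out: int  # bytes from src to dst in this flow record


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list[Flow]:
    """Parse 'day,src,dst,bytes' lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, src, dst, nbytes = line.split(",")
        flows.append(Flow(day, src, dst, int(nbytes)))
    return flows


def daily_egress(flows: list[Flow]) -> dict[str, dict[str, int]]:
    """host -> day -> bytes sent from an internal host to an external address."""
    out: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            out[f.src][f.day] += f.bytes_out
    return out


@dataclass(frozen=True)
class Alert:
    host: str
    day: str
    bytes_out: int
    baseline: int


def detect(flows: list[Flow], day: str, floor: int = 500_000_000, factor: float = 5.0) -> list[Alert]:
    """Flag hosts whose egress on `day` exceeds the floor AND factor x their baseline."""
    alerts = []
    for host, per_day in daily_egress(flows).items():
        history = [b for d, b in per_day.items() if d < day]
        today = per_day.get(day, 0)
        # A host with no history is judged on the floor alone: on a segmented
        # network a brand-new talker to the internet deserves a look anyway.
        baseline = int(median(history)) if history else 0
        if today >= floor and today >= factor * baseline:
            alerts.append(Alert(host, day, today, baseline))
    return sorted(alerts, key=lambda a: -a.bytes_out)


# Constructed flow export. 198.51.100.0/24 and 203.0.113.0/24 are documentation
# ranges standing in for a SaaS provider and an unknown external host.
FLOW_LOG = """\
# day,src,dst,bytes
2026-03-02,10.0.1.20,198.51.100.7,50000000
2026-03-03,10.0.1.20,198.51.100.7,50000000
2026-03-04,10.0.1.20,198.51.100.7,50000000
2026-03-05,10.0.1.20,198.51.100.7,50000000
2026-03-05,10.0.1.20,203.0.113.9,1450000000
2026-03-05,10.0.1.20,203.0.113.9,1000000000
2026-03-02,10.0.2.5,198.51.100.40,3000000000
2026-03-03,10.0.2.5,198.51.100.40,3000000000
2026-03-04,10.0.2.5,198.51.100.40,3000000000
2026-03-05,10.0.2.5,198.51.100.40,4000000000
2026-03-05,10.0.1.20,10.0.2.5,9000000000
2026-03-05,203.0.113.9,10.0.1.30,700000000
2026-03-05,10.0.1.30,198.51.100.7,20000000
"""

SAMPLE_FLOWS = parse_flows(FLOW_LOG)

if __name__ == "__main__":
    for a in detect(SAMPLE_FLOWS, "2026-03-05"):
        print(f"ALERT {a.day} {a.host}: {a.bytes_out:,} bytes out, baseline {a.baseline:,}")
```

Internal-to-internal and inbound flows are ignored on purpose; lateral movement needs its own rule, and this one is only about data leaving the perimeter.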

FAQ

A zero-day vulnerability is a software security flaw unknown to the vendor and for which no patch exists. The term "zero-day" refers to the fact that vendors have had zero days to develop and release a fix. Attackers discover or purchase zero-day vulnerabilities and exploit them before defenders can respond. Google tracked 90 zero-days exploited in the wild in 2025 [1]. Zero-days are particularly dangerous because traditional defences (antivirus signatures, intrusion detection rules) often fail to detect them.

Browsers have undergone massive security hardening over the past decade: sandboxing, exploit mitigations (ASLR, DEP), rapid patching cycles, and bug bounty programs. Enterprise edge devices (firewalls, VPN appliances, routers) have limited visibility, infrequent patching, and long deployment cycles. They also sit at the network perimeter, making them ideal beachheads for lateral movement. Google found that edge devices accounted for 21 zero-days in 2025, roughly half of all enterprise-targeted exploits [1]. Defenders often can't detect compromises on these devices because they don't run EDR and have minimal logging.

Since zero-days are unpatchable by definition, protection requires defence-in-depth that reduces exploitability and limits damage:

  1. Attack surface reduction — Disable unused services, restrict management interface access, and segment networks so compromised devices can't reach critical systems
  2. Compromise detection — Monitor network traffic for anomalies (large exfiltration, unusual connections), deploy EDR on management jump-hosts, and aggregate logs to detect behavioural deviations
  3. Rapid patching — When patches are released, apply them immediately for exploited vulnerabilities (CISA KEV catalog)
  4. Vendor risk management — Choose vendors with strong security track records and transparent patch practices

The goal is not to prevent zero-day exploitation (impossible) but to make it difficult, detect it quickly, and limit the blast radius.

Google's Threat Intelligence Group tracked 90 zero-day vulnerabilities exploited in the wild in 2025, up from 78 in 2024 [1]. This represents a "stabilised range" of annual zero-day activity according to Google. The breakdown:

  • Enterprise software and appliances: 43 zero-days (48%) — highest proportion ever recorded
  • Operating systems (desktop and mobile): 44 zero-days (44%)
  • Browsers: Less than 9 zero-days (<10%) — continuing decline

The shift from browsers to enterprise systems reflects the harder target presented by modern browser security versus the relative neglect of edge devices and networking infrastructure.

No. Google's report identifies Cisco and Fortinet as frequently targeted vendors, but this reflects their market dominance, not uniquely poor security [1]. Cisco and Fortinet have enormous install bases in SMB and enterprise environments. More deployments means more attackers focusing on them, and more zero-days discovered.

The practical takeaway: if you use Cisco or Fortinet (or Ivanti, or VMware), deploy additional controls:

  • Subscribe to vendor security advisories
  • Treat vendor-disclosed zero-days as emergency patches
  • Disable exposed management interfaces
  • Monitor for anomalous traffic and behaviour

Vendor abandonment is rarely the answer. Vendor risk management — understanding the threats and compensating with layered security — is the mature approach.

References

[1] Google Threat Intelligence Group, "Zero-Day Vulnerability Analysis 2025," Google, 2026. [Online]. Available: https://securitybrief.com.au/story/google-warns-of-surge-in-enterprise-zero-day-attacks

[2] Cisco Security Advisories, "Cisco Catalyst SD-WAN Manager Vulnerabilities (CVE-2026-20128, CVE-2026-20122) Exploited in the Wild," Cisco, 2026. [Online]. Available: https://www.cisco.com/c/en/us/products/cpsa-vuln-cve-2026-20128-20122.html

[3] CISA Known Exploited Vulnerabilities Catalog, "Known Exploited Vulnerabilities Catalog," Cybersecurity & Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

[4] Gartner, "Zero-Day Vulnerability Management: A Board-Level Risk," Gartner, 2025. [Online]. Available: https://www.gartner.com/en/documents/4031291


Zero-day protection isn't about patching faster — it's about architecting systems that stay secure even when vulnerabilities exist. lilMONSTER helps businesses build resilience against the threats that can't be patched. We assess your edge devices, design defence-in-depth controls, and create response plans that work when zero-days hit. Book a free consultation at consult.lil.business to secure your perimeter against 2026's threats.

TL;DR

  • Google found that hackers used 90 secret software holes (called "zero-days") in 2025 to break into computers
  • Nearly half of these attacks targeted business equipment like firewalls and routers, not web browsers
  • The good news: you don't need to patch everything, just focus on the holes hackers are actually using
  • Smart businesses focus on the 1% of problems that matter instead of trying to fix everything

What's a "Zero-Day"? (Simple Explanation)

Imagine you buy a house with a secret door that you didn't know existed. Burglars discover this secret door and start using it to break into houses. The door manufacturer doesn't know about the problem yet, so there's no fix available.

That's a zero-day vulnerability — a secret security hole that:

  • The software maker doesn't know about
  • Has no available fix (patch)
  • Hackers are actively using to break in

The name comes from the idea that the software maker has had zero days to create and release a fix.

Google's security team tracked 90 of these secret holes being used by hackers in 2025 [1]. That's up from 78 in 2024, meaning the problem is growing.

The Big Shift: Hackers Changed Targets

Here's what's really important for business owners: hackers have shifted targets.

Old pattern (before 2025): Hackers mostly focused on web browsers (Chrome, Safari, Firefox) as the way into computers.

New pattern (2025): Hackers now focus on business equipment:

  • Firewalls (the security guards for your internet connection)
  • Routers (the traffic directors for your network)
  • VPN systems (how employees connect remotely)

Google found that 48% of all zero-day attacks in 2025 targeted business systems — the highest level ever recorded [1]. Meanwhile, attacks on browsers dropped to less than 10%.

What this means for you: The equipment you bought to protect your business (firewalls, security appliances) is now the primary target. The assumption that "browsers are the weak point" is outdated.

Related: Cisco Just Patched 48 Firewall Flaws — Including 2 Perfect 10s

Why Business Equipment Is Targeted

Think about it from a hacker's perspective:

Web browsers:

  • Get updated frequently (Chrome updates every 2-4 weeks)
  • Have strong security built in
  • Run on each person's computer, where security software can watch them
  • If hacked, only affect one computer

Business firewalls and routers:

  • Often run for years without updates
  • Have limited security monitoring (often can't run antivirus software)
  • Sit at the edge of your network — if hacked, give access to everything
  • Affect the entire business if compromised

Google points out that limited visibility on these devices is a recurring problem [1] — meaning security teams often can't see what's happening on them until it's too late.

The 1% Rule: Don't Try to Fix Everything

Here's something that might surprise you: across all software companies, there were over 20,000 security issues discovered in 2025 [2].

But Google tracked only 90 that hackers actually used.

This is the 1% Rule: focus on the 1% of problems that are being exploited, ignore the 99% that are theoretical.

Smart businesses don't try to patch everything. They:

  1. Subscribe to alerts from the US cybersecurity agency (CISA) about which vulnerabilities hackers are actually using
  2. Prioritise those for immediate patching
  3. Handle the rest during regular maintenance, not as emergencies

Related: Stop Patching Everything: The 1% Rule That Keeps SMBs Secure Without Burning Out

The Vendor Reality: Cisco, Fortinet, and Others

Google's report specifically mentions that Cisco and Fortinet — two very common business equipment vendors — were frequent targets [1].

This doesn't mean their products are bad. It means:

  • They're widely used (lots of businesses have them)
  • Hackers focus on popular targets (more potential victims)
  • When flaws are found, hackers exploit them quickly

If your business uses Cisco or Fortinet equipment (and many do), the solution isn't to panic and replace everything. The solution is:

  • Keep them updated — Install security patches promptly
  • Monitor them — Watch for unusual activity
  • Protect them — Put them behind additional security layers

Think of it like car safety: just because some car models have had recalls doesn't mean you stop driving. You just stay informed and get the fixes when they're available.

What AI Means for Zero-Days (Future Warning)

Google warns that artificial intelligence will make this problem worse by:

  1. Finding holes faster — AI can test software automatically and find vulnerabilities quicker than human researchers
  2. Building attacks faster — AI can create code to exploit vulnerabilities as soon as they're discovered
  3. Automating everything — What used to take skilled hackers months can now be done in days by AI tools

But AI also helps defenders:

  1. Finding holes first — AI can discover vulnerabilities before hackers do, giving software makers time to fix them
  2. Detecting attacks — AI can spot attack patterns even when the specific vulnerability is unknown
  3. Responding faster — AI can automatically isolate systems and limit damage when attacks occur

The message for businesses: AI-powered security is becoming essential, not optional. The cost of AI security tools is falling, and they're increasingly the only way to keep up with AI-powered attackers.

Related: AI Isn't Building New Attack Playbooks — It's Running Old Ones 44% Faster: What the 2026 IBM X-Force Report Means for Your Business

The Practical Protection Plan

You can't fix zero-days directly (by definition, they're secret and unpatched). But you CAN protect your business:

1. Reduce the Attack Surface (Close Unnecessary Doors)

If a vulnerability exists but can't be reached, it can't be exploited.

What to do:

  • Turn off features you don't use on your firewall and router
  • Disable remote management from the internet (only allow management from inside your network)
  • Separate guest WiFi from business systems (compromised guest devices shouldn't reach business data)

Real impact: The US cybersecurity agency CISA found that over 60% of exploited vulnerabilities in business equipment are reached via exposed management interfaces [2]. Simply closing these interfaces prevents the majority of attacks.

2. Assume Breach, Focus on Detection

Since some zero-days will inevitably be used, focus on catching the attack early.

What to do:

  • Monitor network traffic for unusual patterns (large data transfers at odd hours, connections to unknown servers)
  • Install EDR (Endpoint Detection and Response) on computers that manage your business equipment
  • Keep logs and review them regularly for suspicious activity

Why this works: You can't stop every zero-day, but you can detect when something's wrong and respond before major damage occurs.

3. Patch Smart, Not Hard

When patches become available, focus on the ones that matter:

Priority system:

  1. Urgent (patch within 48 hours) — Vulnerabilities that CISA confirms are being actively exploited by hackers
  2. Important (patch within 30 days) — Critical vulnerabilities from equipment vendors
  3. Routine (patch when convenient) — Everything else, during scheduled maintenance

This approach ensures limited time and resources go to real threats, not theoretical ones.

4. Choose Vendors Wisely

When buying business equipment:

Ask vendors:

  • "How quickly do you patch security issues?"
  • "How do you notify customers about vulnerabilities?"
  • "What security features are built in?"

Research vendors:

  • Check their security track record
  • Look for transparent security practices
  • Avoid vendors with histories of slow patching or hiding problems

The Business Case: Why This Matters for Your Bottom Line

Zero-day protection isn't just security — it's business resilience. Consider:

  • Customer trust — Businesses that demonstrate proactive security win more customers
  • Insurance costs — Cybersecurity insurance premiums are lower for well-protected businesses
  • Regulatory compliance — Laws like GDPR require "appropriate" security measures, and zero-day defence is increasingly considered mandatory
  • Supply chain requirements — Larger customers are starting to require vendors to meet security standards

According to industry research, by 2026, 75% of organisations will treat zero-day protection as a board-level issue [3] — meaning it's discussed by company leadership, not just left to IT.

For small businesses, this is actually an advantage: you can move faster than big companies. Implementing smart security practices is easier with 50 systems than 50,000. Use that agility.

The Reality Check: This Is Happening Now

The 90 zero-days Google tracked in 2025 aren't theoretical. They were used against real businesses: hospitals, hotels, manufacturers, professional services.

The Sileno ransomware attack we discussed earlier (22.9 TB encrypted in 14 hours) likely involved exploitation of one or more vulnerabilities in their systems [4].

This isn't science fiction. It's happening today, to businesses like yours.

What You Can Do This Week

Based on Google's report and current threat landscape, here's your immediate checklist:

  1. Inventory your business equipment — Make a list of every firewall, router, VPN device, and wireless access point. Include model, firmware version, and last patch date.
  2. Check for exposed management — Ensure device management interfaces aren't accessible from the internet. If they are, work with your IT person to close that access.
  3. Subscribe to alerts — Sign up for CISA's Known Exploited Vulnerabilities mailing list. These are the vulnerabilities hackers are actually using.
  4. Review vendor advisories — If you use Cisco, Fortinet, or other major vendors, check their security advisory pages for recent announcements.
  5. Plan your patching — Create a simple system: urgent patches within 48 hours, important patches within 30 days, routine updates during scheduled maintenance.

FAQ

All zero-days are vulnerabilities, but not all vulnerabilities are zero-days.

  • Vulnerability — A security weakness in software. The software maker may know about it and have a fix available.
  • Zero-day — A vulnerability that is secret (unknown to the software maker) and has no fix yet.

Think of it like health:

  • Vulnerability — A known risk (like smoking). Your doctor can give you advice to address it.
  • Zero-day — A new, unknown disease. No treatments exist yet because doctors haven't seen it before.

Since you can't patch what you don't know about, protection focuses on making attacks harder and limiting damage:

  1. Reduce attack surface — Turn off unnecessary features, close exposed management interfaces, and segment networks so compromised devices can't reach everything
  2. Detect compromises early — Monitor network traffic, watch for unusual activity, and have systems that alert you when something's wrong
  3. Limit blast radius — Use network segmentation so even if one device is compromised, the damage doesn't spread

It's like securing a building: you can't guarantee no burglars will ever try to break in, but you can make it harder for them to succeed and limit how much they can steal if they do.

Google's Threat Intelligence Group tracked 90 zero-day vulnerabilities exploited in 2025 [1]. This is up from 78 in 2024, representing a "stabilised range" of activity according to Google.

The breakdown:

  • 48% targeted enterprise systems (firewalls, routers, business software) — highest ever
  • 44% targeted operating systems (Windows, macOS, Android, iOS)
  • Less than 10% targeted browsers — continuing decline

The shift from browsers to enterprise systems reflects the reality that browsers have gotten much harder to exploit, while business equipment often runs neglected and unmonitored.

No. Google identifies them as frequently targeted because they're widely used, not because they're uniquely bad [1]. Cisco and Fortinet have enormous market share. More deployments means:

  • More hackers focusing on them (more potential victims)
  • More zero-days discovered simply because there are more targets

The practical approach:

  • Don't abandon proven vendors — Switching to obscure products doesn't guarantee safety (they may have undiscovered vulnerabilities and less testing)
  • Deploy additional controls — If you use Cisco or Fortinet, layer on extra security: monitoring, segmentation, and rapid patching
  • Stay informed — Subscribe to vendor security advisories and respond quickly when they announce issues

It's like car safety: some car models have had recalls, but that doesn't mean you stop driving. You just stay informed and get the fixes.

CISA is the Cybersecurity & Infrastructure Security Agency — the US government's cybersecurity agency. Their Known Exploited Vulnerabilities Catalog is a list of security holes that hackers are actively using in the wild [2].

Why it matters:

  • CISA focuses on real threats, not theoretical ones
  • Their catalog tells you exactly what hackers are exploiting right now
  • For many US government agencies and contractors, CISA-listed vulnerabilities must be patched by specific deadlines

For small businesses, CISA's catalog is a free prioritisation tool: instead of trying to figure out which of 20,000 CVEs to worry about, just focus on the ~100-200 on CISA's list at any given time.

References

[1] Google Threat Intelligence Group, "Zero-Day Vulnerability Analysis 2025," Google, 2026. [Online]. Available: https://securitybrief.com.au/story/google-warns-of-surge-in-enterprise-zero-day-attacks

[2] CISA Known Exploited Vulnerabilities Catalog, "Known Exploited Vulnerabilities Catalog," Cybersecurity & Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

[3] Gartner, "Zero-Day Vulnerability Management: A Board-Level Risk," Gartner, 2025. [Online]. Available: https://www.gartner.com/zero-day-board-risk

[4] Cybersecurity News Everyday, "Ransom! Sileno Companies Inc (MAR-2026)," Hendry Adrian, 2026. [Online]. Available: https://www.hendryadrian.com/ransom-sileno-companies-inc-mar-2026/


Zero-day protection sounds technical, but it's really about smart prioritisation and layered defence. lilMONSTER helps small businesses build practical protection against the threats that actually matter — without overwhelming you with technical complexity. We assess your systems, focus on the 1% of vulnerabilities that matter, and build defence-in-depth that keeps you secure. Book a free consultation at consult.lil.business — let's make sure your business is protected against 2026's threats.
