Google Threat Intelligence Reports 75 Zero-Days Exploited in 2024


Google’s Threat Intelligence Group (GTIG) released its annual report analyzing the exploitation of zero-day vulnerabilities in 2024. According to the findings, GTIG tracked 75 zero-day vulnerabilities exploited in the wild, marking a decline from 98 in 2023 but still an increase compared to 2022 (63 vulnerabilities). This report categorizes the vulnerabilities into two main areas: end-user platforms (e.g., browsers, mobile devices, desktop operating systems) and enterprise technologies (e.g., security software, network appliances).

Decline in Exploitation of End-User Platforms

In 2024, 56% (42) of tracked zero-day vulnerabilities targeted end-user platforms and products, which include software and devices used by individuals, although enterprises also utilize these technologies. This category included the exploitation of browsers, mobile devices, and desktop operating systems.

Zero-day exploitation in browsers and mobile devices saw a notable decline in 2024. Exploitation of browsers decreased by about a third, from 17 in 2023 to 11 in 2024. Similarly, mobile device exploitation dropped by half, from 17 in 2023 to 9 in 2024.

Google Chrome, the most popular browser worldwide, was the primary target in 2024, accounting for a significant portion of browser-based zero-day attacks. On mobile devices, exploit chains made up of multiple zero-day vulnerabilities continued to be used predominantly to target Android devices. In 2024, three out of seven exploited Android vulnerabilities were found in third-party components. This trend mirrors what was observed in 2023, underscoring how these components are seen as lucrative targets because they allow attackers to compromise various devices within the Android ecosystem.

Another noteworthy trend was the increase in exploitation of desktop operating systems. Zero-day vulnerabilities affecting desktop OSes rose from 17 in 2023 to 22 in 2024. These OS vulnerabilities accounted for nearly 30% of total zero-day exploits, up from 17% in 2023. Microsoft Windows saw a marked rise in exploitation, with 22 zero-day vulnerabilities tracked in 2024, up from 16 in 2023 and 13 in 2022. As long as Windows remains one of the most popular operating systems globally, it will continue to be a prominent target for zero-day exploitation.

Rising Focus on Exploiting Enterprise Technologies

In 2024, the exploitation of enterprise technologies reached a notable share of the total. GTIG identified 33 zero-day vulnerabilities exploited in enterprise products such as security software and network appliances. Although this is a slight decrease from the 36 vulnerabilities tracked in 2023, the proportion of enterprise-focused zero-days increased from 37% in 2023 to 44% in 2024.

A notable shift in 2024 was the increased targeting of network security products. Out of the 33 enterprise-focused vulnerabilities, 20 targeted security and networking products, a slight increase from 18 in 2023. This trend is critical, as these products are essential for managing enterprise networks and systems. Once exploited, these vulnerabilities give attackers broad access across enterprise environments, which makes the products highly valuable targets. Products such as Ivanti Cloud Services Appliance, Palo Alto Networks PAN-OS, and Cisco Adaptive Security Appliance were among the most targeted.

The rise in attacks on security products is important because these systems often have high privileges and limited detection by endpoint detection and response (EDR) systems. Many of the vulnerabilities exploited in this category did not require exploit chains, meaning attackers could use a single vulnerability to achieve remote code execution or privilege escalation, making these exploits especially powerful.

High-Profile Vendors Targeted

The vendors targeted by zero-day vulnerabilities in 2024 primarily consisted of big tech companies and network security vendors. Microsoft and Google were the most targeted, with 26 and 11 vulnerabilities respectively. Apple, traditionally a frequent target, fell to fourth place, with only five vulnerabilities identified in 2024. Ivanti, a security vendor, emerged as the third most targeted, with seven zero-day vulnerabilities. This marked a shift in focus, as a security vendor was targeted more than a widely-used consumer tech vendor like Apple.

The increased targeting of Ivanti and other security vendors reflects a broader trend where threat actors focus on technologies that provide extensive access to enterprise networks. These products often present fewer detection opportunities, making them an appealing choice for attackers looking to infiltrate networks. As this trend continues, enterprises must take additional measures to protect these critical systems.

Common Types of Exploited Vulnerabilities

The most exploited vulnerability types in 2024 were use-after-free vulnerabilities, command injection vulnerabilities, and cross-site scripting (XSS) vulnerabilities. These three types of vulnerabilities were responsible for a significant portion of the total zero-day exploitation tracked by GTIG.

Use-after-free vulnerabilities, in which a program continues to use memory after it has been freed, remained prevalent, with eight such vulnerabilities identified in 2024. Command injection and XSS vulnerabilities also played a significant role, with eight and six instances respectively. These vulnerabilities were mostly observed targeting network and security appliances, where attackers could gain control of systems and networks.

The persistence of these vulnerabilities highlights the need for safe coding practices to mitigate these risks. Software development teams must prioritize code reviews, update legacy code, and adopt modern libraries to avoid such flaws. Though these practices can slow production timelines, they ultimately reduce the frequency of zero-day vulnerabilities and improve the long-term security posture of systems.

Attribution and Threat Actor Trends

GTIG successfully attributed 34 zero-day vulnerabilities to specific threat actors, nearly half of all tracked zero-day exploits in 2024. The majority of these exploits (53%) were linked to espionage groups, with PRC (China)-backed actors being the most frequent perpetrators. These groups were responsible for 30% of the espionage-related zero-day exploits, continuing a pattern of targeting security and network technologies.

In addition to state-backed actors, non-state groups and financially motivated threat actors also contributed to the increase in zero-day exploitation. North Korean state-backed groups tied with PRC-backed groups for the highest number of attributed zero-day exploits in 2024, with five vulnerabilities exploited. These groups mixed espionage with financially motivated attacks, targeting vulnerabilities in Chrome and Windows products.

The rise of non-state actors in zero-day exploitation is another important trend. The FIN11 group exploited a zero-day vulnerability in Cleo managed file transfer products to conduct data theft extortion, marking a continued interest in exploiting vulnerabilities for financial gain.

Forensic Vendors and Zero-Day Exploitation

The role of commercial surveillance vendors (CSVs) in zero-day exploitation also became more pronounced in 2024. Forensic tools, traditionally used for digital forensics and law enforcement, were found to be linked to the exploitation of multiple vulnerabilities. These tools, such as those from Cellebrite, were used in exploit chains targeting Android devices, including a high-profile case in Serbia where an activist’s mobile device was compromised by local security services.

This growing role of forensic vendors in zero-day exploitation signals a shift in the landscape: tools once viewed as aiding law enforcement are now contributing to broader exploitation campaigns.

The exploitation of zero-day vulnerabilities in 2024 remains a major concern for both end-user and enterprise systems. While the number of vulnerabilities targeting browsers and mobile devices has decreased, there has been a clear increase in the exploitation of enterprise security and network products. Government-backed espionage groups, particularly from China and North Korea, continue to be the most prolific users of zero-day vulnerabilities, but non-state groups and forensic vendors are increasingly contributing to the threat landscape.

As threat actors continue to target high-value systems, businesses must enhance their security measures, focusing on endpoint protection, network security, and early vulnerability detection. Staying ahead of these evolving threats requires a multi-layered approach to security and constant vigilance in patch management and system monitoring.
