Google's 2024 Zero-Day Report Reveals Enterprise Security Blindspots

Google’s latest report, Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis, uncovers a troubling reality: attackers are shifting their focus to the infrastructure that handles your most sensitive business data. Published April 29, 2025, by Google’s Threat Intelligence Group (GTIG), the analysis tracked 75 zero-day vulnerabilities exploited in 2024. Nearly half targeted enterprise systems—a dramatic change from previous years, when browsers and phones dominated the threat landscape.

What Google’s Zero-Day Report Actually Found

Zero-day vulnerabilities are software flaws that attackers exploit before vendors can patch them. Google’s Threat Intelligence Group tracks these exploits annually, combining their own research with breach investigations and reliable third-party reporting. Their 2024 analysis reveals both progress and new challenges in cybersecurity.

The raw numbers tell part of the story: 75 zero-days in 2024, down from 98 in 2023 but up from 63 in 2022. More revealing is where these attacks occurred. Enterprise technologies faced 33 of these exploits—44% of the total—compared to 37% the previous year. Within enterprise systems, security and networking products bore the brunt, accounting for 20 vulnerabilities, or over 60% of all enterprise-targeted zero-days.

Perhaps most striking: 18 different enterprise vendors were targeted, representing nearly all vendors hit by zero-days in 2024. Traditional targets like browsers and mobile devices saw significant decreases—browser exploits dropped from 17 to 11, while mobile fell from 17 to 9.

Why File Transfer and Security Tools Became Prime Targets

The report identifies specific reasons why attackers pivoted to enterprise infrastructure. Security appliances, VPNs, and managed file transfer (MFT) platforms offer attackers unique advantages:

Single-Point Compromise: Unlike consumer devices that often require complex exploit chains, many enterprise systems can be fully compromised with just one vulnerability. The report notes these products often lack the layered defenses found in modern browsers and operating systems.

Privileged Access: These systems typically run with administrative privileges and connect to multiple network segments, enabling rapid lateral movement after initial compromise.

Limited Monitoring: A critical finding—many security and networking appliances operate outside the scope of endpoint detection and response (EDR) tools, creating visibility gaps that attackers exploit.

High-Value Data: File transfer systems, email servers, and collaboration platforms routinely process regulated data including financial records, health information, and intellectual property.

Critical Vulnerabilities That Threaten Compliance

Several 2024 exploits directly impact organizations subject to data privacy regulations like GDPR, HIPAA, and CMMC 2.0:

CVE-2024-55956 (Cleo MFT Platform): A suspected FIN11 cluster exploited this vulnerability for data theft extortion. The report emphasizes this marks the “third year of the last four (2021, 2023, and 2024)” that FIN11 or associated groups targeted file transfer products—showing persistent focus on these systems.

Cross-Site Scripting (XSS) Attacks: Six XSS vulnerabilities targeted various products including mail servers and enterprise software. These enable unauthorized script execution and potential data exfiltration, creating clear compliance risks.

WebKit Cookie Collection: The report details a sophisticated attack where malicious JavaScript on a Ukrainian government website collected browser cookies. The attackers specifically aimed to access login.microsoftonline.com credentials, potentially compromising Microsoft 365 services like Outlook and SharePoint.

Command Injection Vulnerabilities: Eight command injection flaws were found “almost entirely targeting networking and security software and appliances,” according to the report. These allow attackers to execute arbitrary commands with system privileges.

The Detection Gap: Where Traditional Security Falls Short

Google’s analysis highlights a fundamental problem: the systems handling your most sensitive data often have the least visibility. The report explicitly states that “endpoint detection and response (EDR) tools are not usually equipped to work on these products.”

This creates cascading security challenges:

  • Security teams lack real-time visibility into file transfers and content exchanges
  • Behavioral anomaly detection becomes impossible without proper logging
  • Incident response is hampered by insufficient forensic data
  • Compliance auditing lacks necessary documentation

The report notes these blindspots are particularly dangerous because affected systems “can single-handedly achieve remote code execution or privilege escalation” without the complex exploit chains typically required for end-user devices.

Notable Attacks from the Report

Understanding specific exploits helps illustrate the evolving threat landscape:

The Ukrainian Government Website Attack: GTIG researchers discovered malicious JavaScript injected into the Contact Form 7 plugin files on a Ukrainian diplomatic website. This wasn’t a vulnerability in the WordPress plugin itself, but rather a targeted compromise that collected visitor cookies. The code specifically targeted macOS users on Intel hardware, demonstrating sophisticated targeting.

CIGAR Group’s Dual Exploits: The report details how the CIGAR group (also known as RomCom) used CVE-2024-9680 (a Firefox vulnerability) combined with CVE-2024-49039 (a Windows privilege escalation flaw). This group conducts both financial crime and suspected Russian government espionage, highlighting how zero-days serve multiple threat actor objectives.

North Korean Innovation: For the first time, North Korean actors matched China-backed groups with five attributed zero-days. The report notes these actors “mix traditional espionage operations with attempts to fund the regime,” using sophisticated techniques like malicious advertisements triggering zero-click execution.

Building Defenses Against Modern Zero-Day Threats

Based on the report’s findings, organizations need multilayered defenses specifically addressing enterprise infrastructure vulnerabilities:

Extend Security Monitoring: Integrate MFT, SFTP, and security appliances into your SIEM and security operations workflows. The report emphasizes these systems need the same scrutiny as traditional endpoints.
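One way to give an MFT or SFTP appliance the scrutiny the report says it lacks is to forward its transfer audit log to the SIEM and run behavioural rules over it. The block below is an added example, not code from Kiteworks or from Google’s report; the key=value log layout, the alice and svc_backup records, and the burst threshold are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed MFT/SFTP audit records in a hypothetical key=value layout (not any real
# product's schema): normal daytime use, then ten downloads by a service account from
# a non-RFC1918 address (a documentation range stands in for it) inside ten seconds.
SAMPLE_LOG = "\n".join(
    ["2024-12-10T09:02:11Z mft01 user=alice src=10.0.4.15 action=download path=/data/finance/q3.xlsx bytes=220134",
     "2024-12-10T09:03:40Z mft01 user=alice src=10.0.4.15 action=upload path=/data/finance/q4.xlsx bytes=198002"]
    + [f"2024-12-10T02:13:{5 + i:02d}Z mft01 user=svc_backup src=203.0.113.7 action=download "
       f"path=/data/hr/file{i}.pdf bytes={40000 + i}" for i in range(10)]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>\S+) bytes=(?P<bytes>\d+)$"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_log(text):
    """Parse audit lines into dicts sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect_bulk_downloads(events, window=timedelta(minutes=10), max_files=5):
    """Alert once per user whose downloads exceed max_files in a sliding window; flag non-RFC1918 sources."""
    recent = defaultdict(deque)  # user -> download timestamps still inside the window
    alerted, alerts = set(), []
    for ev in events:
        if ev["action"] != "download":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) > max_files and ev["user"] not in alerted:
            alerted.add(ev["user"])
            addr = ipaddress.ip_address(ev["src"])
            alerts.append({"user": ev["user"], "src": ev["src"], "files": len(q),
                           "external_src": not any(addr in n for n in RFC1918),
                           "window_start": q[0].isoformat()})
    return alerts
```

The threshold and window are starting points to tune against the appliance’s normal traffic; the point is that none of this is possible until the appliance’s audit log actually reaches the SIEM.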

Implement Zero-Trust Architecture: Apply least-privilege principles to all file sharing and content movement. Assume compromise and verify every transaction, especially for systems with administrative privileges.

Prioritize Secure Development: The report identifies that command injection, XSS, and use-after-free bugs—all preventable through secure coding—dominated 2024 exploits. Regular code reviews and modern development practices are essential.

Evaluate Vendor Security: With 18 enterprise vendors targeted, assess how quickly your vendors respond to vulnerabilities. The report notes that “patches prove the potential for these security exposures to be prevented in the first place.”

Consider Unified Platforms: Solutions like Kiteworks Private Data Network that consolidate email, file transfer, and API security can reduce complexity and improve visibility compared to managing multiple point solutions.

What This Means for Your Security Strategy

Google’s report delivers a clear message: the infrastructure you use to exchange sensitive data has become a primary attack vector. With 44% of zero-days targeting enterprise systems and over 60% of those hitting security and networking products, traditional security models need updating.

Key takeaways for security leaders:

  1. Attribution Remains Challenging: GTIG could attribute only 34 of 75 vulnerabilities to specific actors, reminding us that many attacks go unattributed.
  2. Vendor Improvements Work: Browser and mobile exploits decreased significantly, showing that security investments in these areas are paying off.
  3. New Vendors Face Greater Risk: The report notes smaller enterprise vendors may lack the resources and experience of “big tech” companies in addressing zero-days.
  4. Persistence Pays for Attackers: Groups like FIN11 repeatedly target the same types of infrastructure, suggesting they’ve found reliable attack paths.

For organizations handling regulated data under PCI DSS, HIPAA, GDPR, or CMMC requirements, these findings demand immediate attention. The systems processing your most sensitive information—file transfers, email, web forms—can no longer be treated as passive infrastructure. They’re active battlegrounds requiring comprehensive security strategies.

Frequently Asked Questions

Google’s Threat Intelligence Group identified 75 zero-day vulnerabilities exploited in the wild during 2024, with 33 targeting enterprise technologies.

Security and networking products faced the highest risk, with 20 zero-days—over 60% of all enterprise-targeted vulnerabilities. File transfer systems, VPNs, and security appliances were particularly targeted.

Enterprise systems often require only single vulnerabilities for full compromise, operate with high privileges, process valuable data, and frequently lack EDR monitoring—making them efficient targets.

Extend security monitoring to include all data exchange systems, implement zero-trust principles, ensure secure coding practices, evaluate vendor responsiveness to vulnerabilities, and consider unified security platforms for better visibility.

The report specifically notes that EDR tools typically cannot monitor security and networking appliances, creating dangerous blindspots that require additional security measures.
