
Google report highlights 2023 zero-day exploitation trends

In their annual cybersecurity review, Google Threat Analysis Group and Mandiant have collaborated to discuss zero-day exploitation through 2023 and shed light on what can be expected in 2024.

Google have released their yearly overview of the cyber security threats and trends from 2023.

The Threat Analysis Group (TAG), in collaboration with Mandiant (a Google subsidiary), have highlighted the key zero-day trends they monitored and discovered throughout the year.

For the first time, TAG and Mandiant combined their analysis and data, revealing 97 zero-day vulnerabilities exploited during 2023, a 50% increase from the previous year.

These vulnerabilities were separated into two categories: end user platforms/browsers and enterprise-focused technologies.

End user platforms included vendors such as Apple, Google and Microsoft, which are ubiquitous platforms for both personal and business use. As such, they prove to be a highly attractive target for threat actors due to this widespread use and potential victim pool, as well as the potential for maximum damage and disruption to targets and victims.

Enterprise products from vendors such as Cisco and Ivanti saw a huge increase in targeting, with adversaries taking advantage of critical vulnerabilities before patches and updates could be fully rolled out and applied.

There was also an observed shift by threat actors towards third-party components and libraries. Rather than focusing on one platform, manipulating a third-party component or an open-source library allows attacks to scale much further, affecting multiple products and vendors with just one campaign.

Android was a popular target for threat actors, with five disclosed Android GPU zero-days observed. Graphics Processing Units (GPUs) provide a prime attack surface because all Android devices use them. By exploiting one of the two available GPU drivers, threat actors can interfere with multiple products across manufacturers, models, countries, etc.

China was reported to have dominated 2023 with exploitation of zero-days affecting governments across the world, with at least 12 unique zero-day vulnerabilities attributed to two PRC (People's Republic of China) clusters: UNC3886 and UNC4841.

The activity attributed to Russian nation-state interests was the exploitation of a zero-day by a Belarusian-linked espionage group, tracked as Winter Vivern, working towards the strategic interests of Russia and Belarus.

Finally, Google noted that a lower proportion of zero-day vulnerabilities were exploited by financially motivated threat actors, possibly highlighting the effort vs reward balance that financial threat groups work on.

Vulnerability exploitation and follow-up activities are expensive to carry out, and so the reward must outweigh the cost. Prioritising high value vulnerabilities against high value targets will result in the most gain.


These points from Google’s report showcase some key trends from 2023 that will remain relevant through 2024.

It can be assumed that zero-day vulnerabilities will continue to rise, along with nation-state activities becoming more sophisticated and elaborate.

As security researchers continue to track, report and mitigate against all types of threat actors, these same actors are also monitoring their blogs and reports, and developing their own tools, techniques and procedures to continue to outsmart defenders and develop new campaigns. It is the responsibility of everyone to ensure good security hygiene and cyber awareness to prevent the success of the adversaries.

With nation states, primarily China, opting to focus on the development and use of zero-day exploits, organisations that consider themselves a target should consider focusing on a defence-in-depth strategy and remediation of zero-day vulnerabilities once they are discovered.

This remediation should also be partnered with prompt investigations to discover if there has been any compromise prior to the remediation being applied.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.
