Escalating Threats: The Surge in Enterprise Vulnerability Exploitation


Taylor Grenawalt

Director, Research & Insights

May 15, 2025


The zero-day vulnerability landscape shows a notable shift in attacker strategy: a pivot from targeting user-facing endpoints to compromising the hardened core of enterprise security and networking infrastructure. Exploits increasingly focus on tools once considered bastions of defense (firewalls, VPNs, and secure access appliances), which now represent primary attack vectors because they hold privileged network positions and receive minimal monitoring. This evolution reflects growing adversary sophistication and the increasing stealth and persistence of modern intrusions. As traditional detection and response models falter, enterprises must move toward proactive, architecture-aware defense strategies that address both the visible and the hidden layers of their environment.

Key Takeaways

  • Trends & Targets: Attackers are shifting their focus toward exploiting core enterprise infrastructure. 44% of zero-days exploited in 2024 targeted enterprise technologies, and over 60% of those were aimed at security and networking tools. Vendors like Ivanti, whose secure access platforms were repeatedly exploited, illustrate how adversaries turn trusted infrastructure into attack vectors, leveraging the administrative access these devices hold and the limited visibility defenders have into them.
  • State of Enterprise Security: Despite fewer total zero-days, 2024 saw higher-impact, stealthier exploits, often tied to nation-state actors and commercial surveillance vendors (CSVs), exploiting blind spots in tools that lack EDR visibility. Threat actors increasingly favor footholds that allow deep lateral movement within enterprise environments, moving away from browser and mobile targets in favor of high-value persistent access.
  • Vulnerability Response & Mitigation: Traditional patching models are becoming inadequate, as many of the compromised systems require manual updates and lack runtime telemetry. This calls for continuous compromise assessment, privilege segmentation, and the reclassification of security tools as high-risk assets. Emerging innovators such as Axonius, Vicarius, Nucleus Security, and Balbix are redefining zero-day vulnerability management, offering integrated, context-driven solutions that accelerate detection, remediation, and resilience.

Vulnerability Trends & Targets

The zero-day landscape in 2024 has revealed a tectonic reorientation in attacker priorities, underpinned by a pivot away from the traditional edge of user-facing platforms and toward the hardened core of enterprise security and networking infrastructure. According to Google’s Threat Intelligence Group (GTIG), 44% of all exploited zero-days in 2024 targeted enterprise technologies, up from 37% in 2023. Within that segment, over 60% specifically exploited security and networking products, marking the first time that tools explicitly built to defend environments have emerged as the most exploited class of enterprise software.

[Figure: zero-day exploits in the wild]

This shift illustrates a new era of vulnerability exploitation in which trust, rather than users, is weaponized. Protection tools like firewalls, VPNs, and secure access appliances, once cornerstones of perimeter defense, have become primary entry points. Ivanti illustrates the shift: it was the third most exploited vendor in GTIG's 2024 data, behind only Microsoft and Google. The company's secure remote access infrastructure was repeatedly targeted by threat actors such as UNC5221 using chained zero-days, underscoring how infrastructure intended to enable security can be turned against the enterprise.

Nearly half of all tracked zero-days were attributed to specific threat actors, a notable improvement in visibility compared to prior years. Most of these attributed exploits were linked to nation-state espionage operations and commercial surveillance vendors (CSVs). Importantly, these actors didn't just exploit vulnerabilities; they set the trend, driving the tactical pivot toward enterprise infrastructure and secure access tooling. Attribution is therefore becoming more than a forensic exercise: knowing which actors target which product classes is a practical input to proactive security posturing.

  • Security Infrastructure as a Prime Target: The exploitation of products like Ivanti Connect Secure, Cisco ASA, and Palo Alto's PAN-OS demonstrates how attackers increasingly prioritize software with administrative access, trusted network positioning, and minimal monitoring visibility. In 2024, products from 18 distinct enterprise vendors were hit by zero-day exploitation, reflecting greater adversary sophistication in developing and acquiring exploits across a wide range of systems. More specifically, Ivanti appeared in seven separate exploited zero-days, more than Apple's five, signaling a prioritization shift away from consumer devices and toward the enterprise stack.
  • Evolving Tactics: Breaching a security tool bypasses multiple layers of defense at once, and attackers are focusing on vulnerabilities that let them pivot laterally with impunity across trusted internal environments. Meanwhile, browser-targeted zero-days dropped from 17 to 11 year-over-year, and mobile zero-days were cut nearly in half (17 to 9), suggesting attackers increasingly measure success by strategic access rather than volume.
  • Espionage Still Dominates: Espionage actors were behind 53% of attributed zero-day exploits in 2024, with Chinese state-backed actors and CSV customers leading the charge. For the first time, North Korean groups matched PRC actors in zero-day volume, reflecting an expanded capability set that combines espionage with financially motivated attacks.

[Figure: 2024 attributed zero-day exploitation by segment]

State of Enterprise Security

On the surface, the raw number of exploited zero-day vulnerabilities dropped from 98 in 2023 to 75 in 2024. This decline does not reflect a decrease in risk; it marks an increase in attacker efficiency, stealth, and strategic targeting. The threat landscape has matured, with fewer mass-scale opportunistic attacks and more tailored, surgical exploits aimed at critical enterprise technologies.

The most concerning trend isn't the volume of exploits but the sophistication of the exploitation ecosystem. CSVs, once niche players, now maintain world-class operational security, with tradecraft spanning exploit obfuscation to the evasion of forensic traces, resulting in intrusions that remain undetected longer and carry more severe impacts. Compounding this, many of the exploited enterprise systems cannot run EDR agents at all, making compromise even less visible and more persistent.

While attackers have refined their exploitation of runtime infrastructure, they’re simultaneously exploiting the brittle foundations of the modern software supply chain. Enterprise applications are built on sprawling webs of third-party code, open-source components, and externally maintained packages, many of which remain untracked and unaudited. This supply chain fragility is compounded by secrets sprawl, misconfigurations in vault management, and uncontrolled API growth, creating a layered environment where attackers can exploit the visible runtime stack and the invisible codebase beneath it.

This stealth-driven landscape has raised the bar for defenders: The old assumption that detection and mitigation would catch most intrusions post-exploit no longer holds when the compromise originates inside the security perimeter. With vulnerabilities now leveraged more tactically, defenders must shift toward anticipatory controls, including architecture reviews, pre-deployment validation, and real-time integrity monitoring.

  • Decline in CSV Detection, Not Activity: Commercial surveillance vendors have adopted advanced OPSEC practices once reserved for intelligence agencies, making their exploit usage harder to detect, attribute, and mitigate, which is likely a key reason many 2024 campaigns remained active longer. In addition, adversaries are increasingly masking their exploit delivery chains, using encrypted payloads, custom packers, and non-standard protocols to bypass traditional security controls and frustrate forensic investigation.
  • Persistent Blind Spots & Obfuscation: Security and networking appliances, which formed the bulk of enterprise zero-day targets, typically cannot host endpoint detection and response (EDR) instrumentation, allowing intrusions to persist undetected even in otherwise well-defended environments. As a result, attackers achieve long-term access by blending into normal network activity, often operating from within the very infrastructure designed to enforce security.

Vulnerability Response & Mitigation

In today’s exploit ecosystem, response timelines are no longer measured in hours but in consequences. The old vulnerability management playbook, centered around identifying, prioritizing, and patching exposures, is increasingly inadequate in the face of fast-moving, stealthy threat actors targeting the very infrastructure built to secure organizations. Many of the security and networking appliances exploited in 2024, from VPNs to firewall platforms, lack endpoint visibility and runtime behavioral telemetry, significantly hindering detection and containment efforts post-compromise. Worse yet, many of these systems require maintenance windows or manual patching, which slows down response velocity and leaves exploitable gaps open for weeks.

Enterprises must redefine their security posture, response, and strategy in this environment. Rather than focusing solely on CVSS scores or patch cycles, there must be an intentional and proactive prioritization of integrated architectural awareness, privilege boundary enforcement, and pre-exploit hardening. Tools assumed to be hardened because they enforce policy or operate in the network core must now be treated as high-risk assets requiring the same scrutiny, segmentation, and monitoring as frontline endpoints. Furthermore, response protocols must shift from point-in-time triage to continuous compromise assessment, especially for devices that fall outside the EDR scope.

  • Patch Delays on Security Appliances: Unlike endpoints, which can often be patched in bulk, network and security appliances frequently require manual updates, extended maintenance windows, and outright service disruption. Further, these appliances usually lack native EDR hooks or runtime behavior monitoring, creating blind spots that delay response and amplify impact. In response, enterprises should prioritize automated configuration validation, deploy compensating controls (such as restricting management interfaces to trusted networks) while a patch is pending, and treat security infrastructure updates as critical-path operational dependencies rather than discretionary IT tasks.
  • Single Points of Privilege: Many zero-day exploits in 2024 enabled privilege escalation or root access, which is particularly damaging when the target already runs with elevated permissions. Devices like VPN concentrators, firewalls, and secure gateways operate with administrative access to the networks they protect but without embedded telemetry, creating an ideal blind spot for persistent intrusion. As a result, dynamic network segmentation, zero-trust principles, and strong privilege management have become essential to slow lateral movement and reduce blast radius.
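The section above argues for continuous compromise assessment and automated configuration validation on devices that cannot run an EDR agent. As an added example (not code from the original article, and not from any vendor named on this page), the script below shows one practical form this takes: snapshot an appliance's running configuration on a schedule and diff it against a known-good baseline, flagging the kinds of change that matter on a VPN concentrator or firewall (new superuser accounts, services newly exposed on a non-management interface, new scheduled tasks as persistence, and removed log forwarding as anti-forensics). The configuration syntax, hostname, addresses and every entry in both snapshots are constructed for illustration; real appliances export their own formats, so `parse_config` is the piece you would replace.

```python
"""Config-drift compromise assessment for an appliance outside EDR scope.

The 'kind name key=value ...' syntax used here is hypothetical and
vendor-neutral; the two snapshots below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed known-good baseline, as captured right after the last verified patch.
BASELINE = """\
hostname vpn-edge-01
version 22.7R2
user admin role=superuser auth=local
user ops-svc role=readonly auth=radius
service https interface=mgmt port=443
service ssh interface=mgmt port=22
syslog-server 10.0.5.20 port=514
""".splitlines()

# Constructed later snapshot that shows the drift a post-exploitation actor leaves behind.
CURRENT = """\
hostname vpn-edge-01
version 22.7R2
user admin role=superuser auth=local
user ops-svc role=readonly auth=local
user support2 role=superuser auth=local
service https interface=mgmt port=443
service https interface=wan port=8443
service ssh interface=mgmt port=22
scheduled-task cleanup command=/tmp/.x/run.sh interval=10m
""".splitlines()

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    severity: str
    message: str


def parse_config(lines):
    """Parse config lines into {(kind, name, interface): {attr: value}}.

    The interface is part of the identity so the same service bound to two
    interfaces shows up as two distinct entries.
    """
    entries = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        kind = parts[0]
        name = parts[1] if len(parts) > 1 else ""
        attrs = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        entries[(kind, name, attrs.get("interface", ""))] = attrs
    return entries


def assess(baseline_lines, current_lines):
    """Diff current config against the baseline and return ranked findings."""
    base = parse_config(baseline_lines)
    cur = parse_config(current_lines)
    findings = []

    for key, attrs in cur.items():
        kind, name, iface = key
        if key in base:
            if attrs != base[key]:  # existing entry silently re-configured
                findings.append(Finding("medium", f"{kind} '{name}' changed {base[key]} -> {attrs}"))
            continue
        if kind == "user" and attrs.get("role") == "superuser":
            findings.append(Finding("high", f"new superuser account '{name}' auth={attrs.get('auth')}"))
        elif kind == "service" and iface != "mgmt":
            findings.append(Finding("high", f"service '{name}' newly exposed on '{iface}' port {attrs.get('port')}"))
        elif kind == "scheduled-task":
            findings.append(Finding("high", f"new scheduled task '{name}' runs {attrs.get('command')}"))
        else:
            findings.append(Finding("low", f"new {kind} entry '{name}'"))

    for kind, name, _ in base.keys() - cur.keys():
        # Losing a log sink is a classic anti-forensics move, so rank it high.
        sev = "high" if kind == "syslog-server" else "low"
        findings.append(Finding(sev, f"{kind} '{name}' removed from configuration"))

    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.message))


def needs_isolation(findings):
    """True when any high-severity drift was found: pull the device from service."""
    return any(f.severity == "high" for f in findings)


if __name__ == "__main__":
    for f in assess(BASELINE, CURRENT):
        print(f"[{f.severity.upper():6}] {f.message}")
    print("isolate device:", needs_isolation(assess(BASELINE, CURRENT)))
```

In practice the baseline is captured immediately after a verified patch and stored off-device (the appliance is exactly what you don't trust), the snapshot is pulled over the management network on a short interval, and a high finding feeds the same incident workflow as an EDR alert rather than a ticket queue.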

Highlighted Vulnerability Innovators & Solutions  


Axonius

Axonius delivers a unified cybersecurity asset management platform that consolidates data from over 1,200 sources to provide comprehensive visibility and control across IT, OT, cloud, and SaaS environments. In the face of increasingly stealthy and targeted cyber threats, Axonius addresses critical challenges such as persistent blind spots and delayed patching by offering real-time asset discovery and continuous vulnerability assessment. Alongside the company’s vulnerability management module, which aggregates and correlates vulnerability data, security teams can effectively prioritize and remediate risks based on asset criticality and threat context, thereby driving a more proactive, intelligent, and resilient security posture.  

Vicarius  

Vicarius’ flagship platform, vRx, integrates vulnerability discovery, prioritization, and remediation into a unified solution. The platform’s differentiation is driven by patchless protection, a proprietary technique that enables live, in-memory shielding of vulnerable applications without requiring source code changes or vendor patches, as well as its auto-remediation engine, which intelligently deploys compensating controls or initiates patch workflows based on threat context, user behavior, and asset criticality.

Nucleus Security

Nucleus Security offers a unified vulnerability and exposure management platform that consolidates asset, vulnerability, and threat intelligence data. The platform utilizes adaptive contexts, which provide persistent risk visibility across dynamic cloud environments, enriching vulnerability findings with real-world threat intelligence. With capabilities extending to asset deduplication, risk prioritization with business context, and automated remediation workflows, Nucleus Security enables enterprises to proactively manage exposures and reduce the window of vulnerability.  

Balbix

Balbix is an AI-powered cyber risk and exposure management platform that unifies asset visibility, vulnerability prioritization, and remediation automation to help enterprises reduce breach risk and improve security posture. By quantifying risks and vulnerabilities in financial terms, the company allows enterprises to prioritize remediation and response based on risk and business impact. Streamlining real-time asset discovery, continuous vulnerability assessment, and automated remediation workflows, Balbix facilitates proactively prioritized vulnerability and exposure management to reduce the window and impact of quickly evolving risks and threats.  

Conclusion  

The evolution of zero-day exploitation marks a critical inflection point in enterprise security strategy. As attackers increasingly weaponize trusted infrastructure and exploit visibility gaps in security tools, traditional reactive approaches have become inadequate. Enterprises must adopt a fundamentally different mindset: treating core infrastructure as a potential liability, prioritizing proactive architectural defenses, and implementing continuous, intelligence-driven vulnerability management. As infrastructure becomes a key security battleground, visibility and resilience must be built directly into the products and services that were once assumed to be the last line of defense.

Organizations must embrace a proactive, intelligence-driven approach to infrastructure defense to stay ahead of evolving threats and ensure robust security. At Vation Ventures, we specialize in helping enterprises implement resilient security architectures and continuously manage vulnerabilities. Our digital transformation consulting services are designed to fortify your systems, enhance visibility, and empower your teams with the insights needed to stay secure in a rapidly changing threat landscape. Let us help you build a future-proof security strategy. Contact us today to learn more.