NEWS 75 Zero-Days for the Advanced: The Focus Shifts from Users to Security Systems

ExcalibuR

Ivanti, Cisco, and PAN — Hackers Bypass the Protectors

In 2024, cybercriminals actively exploited 75 zero-day vulnerabilities — a decline from 98 cases in 2023, yet still significantly higher than the 63 incidents in 2022. According to an analysis by Google’s Threat Intelligence Group (GTIG), despite the overall drop, attackers are increasingly shifting their attention from traditional user-targeted systems to complex corporate solutions — especially those involving security and network infrastructure.


The most notable change lies in the shift from consumer to enterprise technologies. While attackers previously focused on browsers, mobile devices, and operating systems, nearly half (44%) of all zero-day vulnerabilities in 2024 were tied to business-targeted solutions. These include products from companies like Ivanti, Cisco, and Palo Alto Networks, with most attacks targeting VPNs, threat detection systems, and other core components of enterprise security.

Figure: Year-over-Year Distribution of Zero-Day Vulnerabilities (GTIG)


Traditional targets like browsers and mobile OSes were exploited less frequently. Browser-related attacks dropped from 17 to 11, while mobile platform exploits decreased from 17 to 9. At the same time, desktop operating systems saw an increase in targeting, now accounting for 30% of cases — with Windows maintaining its spot as the most attacked platform (22 vulnerabilities).

Figure: Zero-Day Vulnerabilities by Product: 2023 vs. 2024 (GTIG)


One factor influencing this shift is the evolving activity of commercial surveillance vendors (CSVs). Although their share of attacks has decreased compared to the previous year, they still account for a substantial portion of zero-day use — including those requiring physical access to devices. GTIG and Amnesty International documented the exploitation of CVE-2024-53104 to compromise Android devices using modified USB hardware.


Among nation-states, China and North Korea were the most active in these operations. Chinese groups like UNC5221 heavily targeted corporate software, notably a chain of vulnerabilities in Ivanti’s products. North Korean actors reached a new level of activity, accounting for five vulnerabilities, including attacks on Chrome and Windows. Noteworthy is APT37’s campaign, which distributed malicious code through advertising banners on South Korean websites — with no user interaction required.


Also observed were hybrid-motivation groups like CIGAR (also known as UNC4895 or RomCom), which combined financial crime with cyber espionage. GTIG attributes the exploitation of Firefox and Windows vulnerabilities to this group, using them for privilege escalation and subsequent system compromise. Such attacks allowed a transition from browser-level access to SYSTEM-level control — a critical threshold for attackers.


The primary targets of these campaigns remained vulnerabilities enabling remote code execution (RCE) and privilege escalation. Commonly exploited flaws included use-after-free bugs, command injection, and cross-site scripting (XSS). Most of these originated from well-known software development mistakes that could have been avoided by adhering to strict coding standards.
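As an added illustration of the coding-standard point above (this is not code from the GTIG report or from the original post), the constructed Python below contrasts the command-injection pattern behind many such flaws with its hardened form: untrusted input interpolated into a shell command line versus a strict allow-list check followed by an argv list that no shell ever parses. The "connectivity check" handler, the regex and the function names are assumptions made for this example; the detection helper shows the same allow-list reused to flag anomalous request parameters in logs.

```python
import re

# Constructed scenario (assumption): an admin "connectivity check" feature
# that pings a hostname supplied by the caller. Nothing here is executed;
# the functions only build the command so the two patterns can be compared.

# Allow-list for a DNS hostname or dotted IPv4 literal: labels of letters,
# digits and hyphens, separated by dots. Anything else is rejected outright.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_ping_vulnerable(host: str) -> str:
    """Vulnerable pattern: untrusted input concatenated into a shell command.

    If this string were handed to subprocess.run(..., shell=True), any shell
    metacharacters inside `host` would be interpreted by the shell rather than
    treated as part of the hostname.
    """
    return f"ping -c 1 {host}"


def build_ping_hardened(host: str) -> list:
    """Hardened pattern: validate against the allow-list, then build an argv
    list so the value is passed to the program as a single argument and is
    never parsed by a shell (subprocess.run(argv) with shell=False)."""
    if HOSTNAME_RE.fullmatch(host) is None:
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def is_suspicious_host_param(host: str) -> bool:
    """Detection helper for request logs: a value that fails the allow-list is
    something a legitimate client never sends, so it is worth alerting on."""
    return HOSTNAME_RE.fullmatch(host) is None


if __name__ == "__main__":
    # Constructed sample parameters as they might appear in an access log.
    for sample in ["example.com", "10.0.0.1", "example.com; id", "$(whoami)"]:
        print(f"{sample!r:24} suspicious={is_suspicious_host_param(sample)}")
```

The hardened builder refuses bad input before any command exists, which is the "strict coding standard" the report alludes to; pairing the same allow-list with log review turns the validation rule into a cheap detection signal for probing against the interface.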


The report's authors emphasize that while large vendors remain prime targets, they have developed more robust defenses. In contrast, newer players in the corporate software market may be less prepared for sophisticated attacks. GTIG recommends increased attention to architectural security, hardening RPC interfaces, and adopting zero-trust principles — including network segmentation and the least privilege model.


Despite growing investments in defensive technologies, zero-day exploits remain far too valuable for cyberespionage and cybercrime to be abandoned. According to GTIG forecasts, interest in them will only increase in the coming years — especially concerning products that offer broad, low-visibility access to infrastructure.

