Google TAG: 97 Zero-Days Exploited in Wild During 2023
Google TAG reports 97 zero-days were exploited in the wild in 2023, up from 62 in 2022. Commercial surveillance vendors drove 80% of targeted exploits. Full report released.

Executive Summary
Google's Threat Analysis Group (TAG) today released its annual report on zero-day exploits observed in the wild during 2023, documenting 97 distinct zero-day vulnerabilities that were actively exploited — a 56% increase over the 62 recorded in 2022. The report, titled "We're All in this Together: A Year in Review of Zero-Days Exploited In-the-Wild in 2023," attributes the surge primarily to commercial surveillance vendors (CSVs) such as NSO Group and Intellexa, which were responsible for approximately 80% of targeted zero-day deployments. TAG notes that the data reflects only confirmed, publicly tracked exploits and likely undercounts the true scale of activity.
Technical Analysis
According to TAG's analysis, the 97 zero-days spanned multiple platforms, with Google Chrome, Apple iOS, and Microsoft Windows being the most frequently targeted products. The report highlights that CSVs increasingly chain multiple zero-days together to achieve code execution, privilege escalation, and sandbox escape in a single attack flow. A notable trend is the shift toward zero-click exploits targeting messaging platforms and mobile operating systems, reducing the victim's ability to detect an intrusion. TAG also observed that the average time between a patch release and reverse-engineering of the fix by threat actors has compressed to under 24 hours for high-profile vulnerabilities, accelerating weaponization windows.
The report emphasizes that 80% of the zero-days exploited by CSVs were used against specific individuals — journalists, human rights defenders, and political dissidents — rather than broad indiscriminate campaigns. TAG attributes this targeting precision to the business model of CSVs, which sell exploit capabilities to government clients who then deploy them against designated targets. The remaining 20% of zero-days were leveraged by state-sponsored advanced persistent threat (APT) groups, including those linked to North Korea, Russia, and China, for espionage and data theft operations.
TAG notes that while the total number of zero-days increased, the proportion of n-day exploits (vulnerabilities patched but still exploited) also rose, suggesting that many organizations fail to apply patches quickly enough. The report cites examples where exploits for CVEs with public patches were used in attacks within 48 hours of disclosure.
Mitigations & Recommendations
Google TAG recommends that organizations prioritize patch management automation and reduce mean-time-to-patch (MTTP) for critical vulnerabilities to under 24 hours, given the rapid weaponization timelines observed. For defenders, enabling automatic updates on Chrome, iOS, and Windows devices is the single most effective control against zero-day exploitation. TAG also advises implementing application sandboxing and device-level exploit mitigations (e.g., Chrome's Site Isolation, iOS's Pointer Authentication) to raise the cost of chaining exploits. For high-risk users (journalists, activists, executives), TAG recommends using Advanced Protection Programs (Google's APP) and dedicated threat intelligence feeds to receive early warnings about active exploitation.
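One way to track the 24-hour MTTP target per advisory, shown as an added example that is not part of the report or any Google tooling. Host names, advisory IDs (`ADV-A`, `ADV-B`) and timestamps are constructed, and `exposure_report` is a hypothetical helper. It reports MTTP next to an exposure figure that also counts hosts still unpatched, because an average over completed installs alone hides the machines left open to n-day exploitation.

```python
from datetime import datetime, timedelta, timezone
from statistics import mean

SLA = timedelta(hours=24)  # patch ceiling for critical fixes, per the text above


def ts(text):
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Constructed inventory: (host, advisory placeholder, patch released, installed or None)
RECORDS = [
    ("laptop-01", "ADV-A", ts("2024-03-01T10:00"), ts("2024-03-01T18:00")),
    ("laptop-02", "ADV-A", ts("2024-03-01T10:00"), ts("2024-03-03T10:00")),
    ("phone-07", "ADV-A", ts("2024-03-01T10:00"), None),  # still unpatched
    ("server-03", "ADV-B", ts("2024-03-02T00:00"), ts("2024-03-02T12:00")),
]


def hours(deltas):
    """Mean of a list of timedeltas in hours, or None if the list is empty."""
    return mean(d.total_seconds() for d in deltas) / 3600 if deltas else None


def exposure_report(records, now, sla=SLA):
    """Per advisory: MTTP over patched hosts, mean exposure over all hosts
    (unpatched hosts counted up to `now`), and hosts past the SLA."""
    grouped = {}
    for host, advisory, released, installed in records:
        grouped.setdefault(advisory, []).append((host, released, installed))
    report = {}
    for advisory, rows in grouped.items():
        patched = [inst - rel for _, rel, inst in rows if inst is not None]
        exposure = {host: (inst or now) - rel for host, rel, inst in rows}
        report[advisory] = {
            "mttp_hours": hours(patched),
            "exposure_hours": hours(list(exposure.values())),
            "breaches": sorted(h for h, d in exposure.items() if d > sla),
        }
    return report


if __name__ == "__main__":
    for advisory, stats in exposure_report(RECORDS, ts("2024-03-04T10:00")).items():
        print(advisory, stats)
```
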

