Zero-Days Targeting Public-Facing Apps Surge
Attacks on public-facing enterprise software are surging, with Google Threat Intelligence reporting 90 zero-day vulnerabilities exploited in 2025. Almost half of these targeted security appliances, VPNs, and virtualization platforms — often the most trusted and privileged assets in a network.
For the first time, commercial surveillance vendors (CSVs) were the most active users of zero-day exploits in 2025, surpassing state-sponsored espionage groups. China-linked cyber-espionage groups such as UNC5221 and UNC3886 remained the most prolific state actors, consistently targeting security appliances from vendors including Cisco, Fortinet, Ivanti, and VMware to maintain persistent access. This trend marks a structural shift in the threat landscape, moving away from browser exploits, which fell to historic lows, and toward direct attacks on enterprise operating systems and edge infrastructure. Edge devices are prime targets because they often lack Endpoint Detection and Response (EDR) visibility, which makes intrusions difficult to detect. Financially motivated actors, including the ransomware groups FIN11 and Clop, also increased their use of zero-days.
These attacks directly challenge the DoD's Zero Trust Strategy, which assumes adversaries are already inside the perimeter and mandates that all components achieve "target-level" compliance by fiscal year 2027. Exploiting trusted VPNs and firewalls lets attackers bypass network-based defenses, reinforcing the Zero Trust tenet of "never trust, always verify" for every access request, regardless of its origin. The User & Identity pillar is a critical control point in this architecture, requiring continuous verification through multi-factor authentication and behavioral analytics. When a perimeter appliance is compromised, identity becomes the primary boundary, so a robust Zero Trust implementation must enforce conditional access policies that scrutinize user and device attributes in real time to block unauthorized lateral movement.
For detection engineering in Splunk, analysts can hunt for this activity by creating correlation searches in Enterprise Security that monitor for anomalous authentication events. Ingesting DNS, proxy, and endpoint data into the Common Information Model (CIM) enables risk-based alerts that can flag, for instance, a user authenticating from a new location and then immediately accessing sensitive data. Integrating SIEM capabilities in this way is foundational to the DoD's "Visibility & Analytics" and "Automation & Orchestration" pillars. The framework calls for Security Orchestration, Automation, and Response (SOAR) platforms to ingest these alerts and trigger automated playbooks, such as isolating a device or revoking user credentials when anomalous behavior is detected.
To validate these defenses, the DoD is now exploring the use of AI and machine learning to automate "purple team" assessments. These continuous evaluations are designed to test detection and response capabilities against the 91 zero-trust activities that DoD components must implement to meet the 2027 deadline. Looking ahead, AI is expected to accelerate vulnerability discovery and exploit development for attackers. For defenders, this necessitates a shift to proactive, behavior-based security models; AI-powered anomaly detection within a Zero Trust architecture is critical for identifying the subtle signals of a compromise before it leads to a significant breach.
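The risk-based alert described in the Splunk passage above, as an added illustration that is not part of the original article or of Splunk's own content: the correlation logic, written in Python over constructed CIM-style events, fires only when a successful login from a country outside the user's baseline is followed within a short window by access to a high-sensitivity object. The field names src_country and sensitivity, the baseline table, and the risk score of 70 are assumptions standing in for geo-enriched Authentication fields, a lookup, and a site's own risk weighting.

```python
from datetime import datetime, timedelta

# Constructed CIM-style events (assumption: a Splunk add-on has already normalised
# raw logs; src_country stands in for a geo-enriched Authentication.src value).
EVENTS = [
    {"_time": "2025-03-10T08:00:00", "type": "auth", "user": "jdoe", "src_country": "US", "action": "success"},
    {"_time": "2025-03-10T08:02:00", "type": "access", "user": "jdoe", "object": "/share/finance/q1.xlsx", "sensitivity": "high"},
    {"_time": "2025-03-11T22:14:00", "type": "auth", "user": "jdoe", "src_country": "RO", "action": "success"},
    {"_time": "2025-03-11T22:16:30", "type": "access", "user": "jdoe", "object": "/share/finance/payroll.csv", "sensitivity": "high"},
    {"_time": "2025-03-11T22:17:00", "type": "auth", "user": "asmith", "src_country": "DE", "action": "success"},
    {"_time": "2025-03-11T22:20:00", "type": "access", "user": "asmith", "object": "/share/public/readme.txt", "sensitivity": "low"},
]

# Constructed per-user baseline: countries each user authenticated from in the
# preceding 30 days (in Splunk this would come from a lookup or summary index).
BASELINE = {"jdoe": {"US"}, "asmith": {"US"}}


def detect_new_location_sensitive_access(events, baseline, window=timedelta(minutes=15)):
    """Return one risk notable per successful login from a country absent from the
    user's baseline that is followed within `window` by a high-sensitivity access.
    A new location alone, or sensitive access alone, does not fire."""
    ordered = sorted(events, key=lambda e: e["_time"])  # ISO-8601 strings sort chronologically
    notables = []
    for i, auth in enumerate(ordered):
        if auth["type"] != "auth" or auth["action"] != "success":
            continue
        if auth["src_country"] in baseline.get(auth["user"], set()):
            continue  # known location for this user: no risk contribution
        t0 = datetime.fromisoformat(auth["_time"])
        for follow in ordered[i + 1:]:
            if datetime.fromisoformat(follow["_time"]) - t0 > window:
                break  # events are time-ordered, so nothing later can match
            if (follow["type"] == "access" and follow["user"] == auth["user"]
                    and follow["sensitivity"] == "high"):
                notables.append({
                    "risk_object": auth["user"],
                    "src_country": auth["src_country"],
                    "object": follow["object"],
                    "risk_score": 70,  # constructed weighting for the two combined signals
                })
    return notables


if __name__ == "__main__":
    for notable in detect_new_location_sensitive_access(EVENTS, BASELINE):
        print(notable)
```

On the constructed data only jdoe's login from RO followed by the payroll file access produces a notable; asmith's login from a new country touches only a low-sensitivity object and stays silent, which is the point of combining the two signals rather than alerting on either alone.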