Agentic Security Academy

What Is a Zero-Day Exploit?

Steph Newman

Takeaways

  • Zero-day exploits target unknown vulnerabilities: They target flaws that vendors have not yet patched because they may not know the flaw exists.

  • The term refers to the vendor having zero days to fix it: The exploit is used before or on the same day the vulnerability is disclosed.

  • Zero-days are rare but high-impact: Only 50-100 are actively exploited per year, but they can affect millions of systems.

  • Defense relies on detection and mitigation, not patching: Without a patch, organizations use compensating controls, monitoring, and behavioral detection.

  • Most breaches use known vulnerabilities, not zero-days: Unpatched known CVEs cause far more incidents than zero-day exploitation.

What Is a Zero-Day Exploit?

A zero-day exploit is attack code or a technique that takes advantage of a software vulnerability before the software vendor has released a patch or, in some cases, before the vendor is even aware the vulnerability exists. The term "zero-day" refers to the number of days the vendor has had to develop a fix: zero. When an attacker uses a zero-day exploit, the defending organization has no vendor-supplied patch to apply, no scanner signature to detect the flaw, and limited options for mitigation beyond general security controls and rapid incident response.

Zero-day exploits represent the intersection of two conditions: a previously unknown vulnerability and a working exploitation technique. Both must exist simultaneously. A vulnerability that is known but unpatched is not a zero-day; it is a known vulnerability with a remediation gap. An exploitation technique that targets a patched vulnerability is not a zero-day; it targets organizations that have not applied the available fix. The zero-day designation specifically refers to the window before any fix exists.

The lifecycle of a zero-day moves through several phases. Discovery occurs when a researcher, attacker, or automated tool identifies a previously unknown vulnerability. Exploitation occurs when an attacker develops working code to exploit the vulnerability and uses it against targets. Disclosure occurs when the vulnerability becomes known to the vendor, either through responsible reporting by a researcher, independent discovery by the vendor, or detection of exploitation in the wild. Patch development follows, with the vendor creating and testing a fix. Patch release makes the fix available to all users. After patch release, the vulnerability is no longer a zero-day; it becomes a known vulnerability that organizations manage through standard vulnerability management processes.

Why Zero-Days Are Valuable

Zero-day exploits command premium value in both legitimate and underground markets because they bypass the defenses that protect against known threats. Signature-based antivirus does not detect exploitation of unknown vulnerabilities. Vulnerability scanners do not flag flaws without CVE entries. Patch management processes cannot deploy patches that do not exist. This asymmetry gives attackers a temporary but significant advantage against targets that rely primarily on known-threat defenses.

Nation-state intelligence agencies invest heavily in zero-day capabilities for espionage and offensive operations. Zero-day exploits enable access to targets that have strong patch management and security controls, making them essential tools for intelligence collection against well-defended organizations and governments. The commercial market for zero-day exploits, where companies purchase vulnerabilities from researchers and sell exploit capabilities to government clients, prices individual zero-days from hundreds of thousands to millions of dollars depending on the target platform and the reliability of the exploit.

Cybercriminal organizations use zero-days less frequently because they are expensive and their value depreciates rapidly once used and detected. Criminal groups prefer exploiting known, unpatched vulnerabilities because the pool of vulnerable targets is larger and the exploitation tools are cheaper or free. When criminal groups do use zero-days, it typically indicates high-value targets and sophisticated operations, such as ransomware groups targeting enterprise VPN appliances or supply chain attacks targeting widely used software.

Defending Against Zero-Days

Since zero-day defense cannot rely on patching (no patch exists) or signature-based detection (no signature exists), organizations must use defense-in-depth strategies that reduce exploitability and limit impact regardless of the specific vulnerability being targeted.

Network Segmentation

Network segmentation limits the blast radius of a compromised system. An attacker who exploits a zero-day on a web server can only reach systems accessible from that server's network segment. If the segment is tightly controlled, the attacker's lateral movement is restricted even though the initial exploitation succeeded. Segmentation does not prevent the zero-day from being exploited, but it limits the damage the attacker can do afterward.

Behavioral Detection with EDR

Endpoint detection and response (EDR) tools that use behavioral analysis rather than signature matching can detect exploitation behavior even when the specific vulnerability is unknown. Post-exploitation activities, such as privilege escalation, credential harvesting, lateral movement, and data staging, follow patterns that behavioral detection can identify. EDR does not prevent the initial exploitation but enables rapid detection and response that limits the attacker's dwell time and objectives.
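The paragraph above says behavioral detection catches post-exploitation activity without knowing the vulnerability. As an added example (not code from the article or from Cogent's product), here is a small detector run over constructed process-creation events: it alerts when a server process spawns a shell and again when discovery or credential-access tooling appears under that shell shortly afterward. The event schema, the process-name lists and the sample events are assumptions for illustration; real EDR telemetry looks different.

```python
"""Behavioral detection over endpoint process events (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed: processes that should never spawn an interactive shell in production.
SERVER_PROCESSES = {"httpd", "nginx", "w3wp.exe", "tomcat", "java"}
SHELLS = {"sh", "bash", "dash", "cmd.exe", "powershell.exe", "pwsh"}
# Assumed: binaries commonly seen during discovery or credential access after a foothold.
SUSPICIOUS_CHILDREN = {"whoami", "net.exe", "nltest.exe", "procdump.exe"}


@dataclass(frozen=True)
class ProcEvent:
    ts: int       # epoch seconds
    host: str
    pid: int
    ppid: int
    image: str    # executable name
    user: str


Key = Tuple[str, int]


def _ancestors(by_pid: Dict[Key, ProcEvent], e: ProcEvent) -> List[ProcEvent]:
    """Walk the parent chain on the same host; stop at an unknown parent or a loop."""
    chain, seen, cur = [], set(), e
    while (cur.host, cur.pid) not in seen:
        seen.add((cur.host, cur.pid))
        parent = by_pid.get((cur.host, cur.ppid))
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def detect(events: List[ProcEvent], window: int = 600) -> List[Tuple[str, str, str]]:
    """Return (host, rule, detail) alerts.

    Rule 1, server_spawned_shell: a server process has a shell as a direct child.
    Rule 2, post_exploitation_chain: within `window` seconds of rule 1, a process
    descending from that shell runs a discovery or credential-access tool.
    """
    events = sorted(events, key=lambda e: e.ts)
    by_pid = {(e.host, e.pid): e for e in events}
    shell_spawns: Dict[Key, int] = {}
    alerts = []
    for e in events:
        parent = by_pid.get((e.host, e.ppid))
        if parent is not None and parent.image in SERVER_PROCESSES and e.image in SHELLS:
            shell_spawns[(e.host, e.pid)] = e.ts
            alerts.append((e.host, "server_spawned_shell",
                           f"{parent.image} (pid {parent.pid}) spawned {e.image} (pid {e.pid}) as {e.user}"))
        if e.image in SUSPICIOUS_CHILDREN:
            for anc in _ancestors(by_pid, e):
                t0 = shell_spawns.get((anc.host, anc.pid))
                if t0 is not None and 0 <= e.ts - t0 <= window:
                    alerts.append((e.host, "post_exploitation_chain",
                                   f"{e.image} (pid {e.pid}) descends from shell pid {anc.pid} "
                                   f"spawned {e.ts - t0}s earlier"))
                    break
    return alerts


# Constructed sample telemetry: web01 shows the pattern, ops02 is an admin's normal shell.
SAMPLE_EVENTS = [
    ProcEvent(1000, "web01", 4000, 1, "httpd", "root"),
    ProcEvent(1001, "web01", 4100, 4000, "httpd", "www-data"),   # worker process
    ProcEvent(1002, "web01", 5000, 4100, "sh", "www-data"),      # worker spawned a shell
    ProcEvent(1003, "web01", 5001, 5000, "whoami", "www-data"),  # discovery under that shell
    ProcEvent(1000, "ops02", 300, 1, "bash", "alice"),
    ProcEvent(1005, "ops02", 301, 300, "whoami", "alice"),       # benign: a human at a terminal
]

if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {detail}")
```

The design point is that neither rule names a vulnerability or a CVE: the same two rules fire whether the shell came from a zero-day or from a six-month-old unpatched flaw, and the benign admin shell on ops02 produces nothing because no server process sits above it.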

Application-Level Controls

Application-level controls like web application firewalls, input validation, and sandboxing can block exploitation attempts for certain vulnerability classes even when the specific vulnerability is unknown. A WAF that enforces strict input validation may block a zero-day injection attack because the malicious input triggers generic injection rules, not because the WAF knows about the specific vulnerability.
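To show what "generic injection rules" and strict input validation look like in practice, here is an added example (not from the article or from any WAF product): a request validator that combines a per-field allowlist schema with vulnerability-agnostic pattern rules. The field names, regexes and the sample requests are constructed for illustration.

```python
"""Allowlist validation plus generic injection-shaped rules (added example, constructed data)."""
import re
from typing import Dict, List, Tuple

# Assumed schema: every accepted parameter has an explicit allowlist pattern.
FIELD_RULES = {
    "username": re.compile(r"[A-Za-z0-9_.-]{1,32}"),
    "order_id": re.compile(r"[0-9]{1,12}"),
    "email": re.compile(r"[^@\s]{1,64}@[A-Za-z0-9.-]{1,255}"),
}

# Generic, vulnerability-agnostic rules of the kind a WAF applies to every parameter.
GENERIC_PATTERNS = [
    ("sql_meta", re.compile(r"(--|;|/\*|\bOR\b\s+\d+\s*=\s*\d+|'\s*OR\s*')", re.I)),
    ("template_or_script", re.compile(r"(<script|\{\{|\$\{)", re.I)),
    ("path_traversal", re.compile(r"(\.\./|\.\.\\|%2e%2e)", re.I)),
]


def validate_request(params: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Unknown parameters are rejected, not ignored."""
    reasons: List[str] = []
    for name, value in params.items():
        rule = FIELD_RULES.get(name)
        if rule is None:
            reasons.append(f"{name}: unexpected parameter")
            continue
        if not rule.fullmatch(value):
            reasons.append(f"{name}: does not match allowlist")
        for label, pattern in GENERIC_PATTERNS:
            if pattern.search(value):
                reasons.append(f"{name}: generic rule '{label}'")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample requests: one normal, one injection-shaped, one traversal-shaped.
    for sample in ({"username": "alice_01", "order_id": "4471"},
                   {"username": "x' OR '1'='1"},
                   {"order_id": "../../etc/passwd"}):
        ok, why = validate_request(sample)
        print("ALLOW" if ok else "BLOCK", sample, why)
```

Note that the allowlist alone already rejects both malformed samples; the generic rules are a second, independent layer that still fires when a field's allowlist is looser than it should be. Neither layer knows which vulnerability the input would have reached.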

Least-Privilege Access

Least-privilege access reduces the impact of exploitation by limiting what the compromised account or system can reach. If a zero-day compromises a web application running with minimal permissions, the attacker gains access to less than if the application ran with administrative privileges. Applying least-privilege across all systems and users limits the value of any single exploitation, including zero-days.

Zero-Day Response

When a zero-day affecting the organization's technology stack is announced, the response follows a different playbook than standard vulnerability remediation. The immediate steps are:

  • Identify all affected systems using the asset inventory and the vendor advisory details.

  • Assess whether exploitation has already occurred by checking for indicators of compromise provided in the advisory or by threat intelligence.

  • Implement available vendor mitigations or workarounds; many vendors provide temporary mitigations before patches are ready.

  • Apply compensating controls (network restrictions, access limitations, enhanced monitoring) to reduce exploitability.

  • Monitor continuously for exploitation attempts and indicators of compromise.

Patch Deployment

When the vendor releases a patch, deploy it through an emergency patching process that bypasses normal change management timelines. The patching urgency for a zero-day that is being actively exploited justifies the operational risk of expedited deployment. Testing should be compressed but not eliminated: deploy to a limited set of systems first, verify functionality, then expand to the full population as quickly as possible.
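The response steps above (identify affected systems, track mitigations, then stage the emergency patch) and the documented playbook the article calls for later are easy to script once the inventory and advisory are structured. The following is an added example, not code from the article or from Cogent: the product name "ExampleVPN", the advisory, the inventory and the version scheme are all constructed, and a real playbook would pull the inventory from the CMDB and the affected-version range from the vendor advisory.

```python
"""Zero-day response triage: affected assets, priority, next action, staged rollout (added example)."""
from dataclasses import dataclass
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.10.2' -> (4, 10, 2); tuple comparison orders versions numerically, not lexically."""
    return tuple(int(x) for x in v.split("."))


@dataclass
class Advisory:
    product: str
    affected_below: str      # every version below this one is vulnerable (assumed advisory format)
    patch_available: bool    # False during the zero-day window
    mitigation: str          # vendor workaround to apply while no patch exists


@dataclass
class Asset:
    hostname: str
    product: str
    version: str
    internet_facing: bool
    mitigation_applied: bool = False


def is_affected(adv: Advisory, asset: Asset) -> bool:
    return (asset.product == adv.product
            and parse_version(asset.version) < parse_version(adv.affected_below))


def triage(adv: Advisory, inventory: List[Asset]) -> List[Asset]:
    """Affected assets, most exposed first: internet-facing and unmitigated before the rest."""
    affected = [a for a in inventory if is_affected(adv, a)]
    affected.sort(key=lambda a: (not a.internet_facing, a.mitigation_applied, a.hostname))
    return affected


def next_action(adv: Advisory, asset: Asset) -> str:
    """What the playbook says to do with this asset right now."""
    if adv.patch_available:
        return "emergency-patch"
    if not asset.mitigation_applied:
        return f"apply-mitigation: {adv.mitigation}"
    return "monitor"


def rollout_waves(affected: List[Asset], pilot_size: int = 1) -> List[List[Asset]]:
    """Compressed but not skipped testing: a small pilot wave, then the full population."""
    return [affected[:pilot_size], affected[pilot_size:]]


# Constructed advisory and inventory for a hypothetical product.
ADVISORY = Advisory("ExampleVPN", "4.2.1", patch_available=False,
                    mitigation="disable the WAN-side management interface")
INVENTORY = [
    Asset("vpn-edge-01", "ExampleVPN", "4.1.0", internet_facing=True),
    Asset("vpn-edge-02", "ExampleVPN", "4.1.0", internet_facing=True, mitigation_applied=True),
    Asset("vpn-edge-03", "ExampleVPN", "4.2.1", internet_facing=True),   # branch not affected per advisory
    Asset("vpn-lab-01", "ExampleVPN", "3.9.2", internet_facing=False),
    Asset("fw-core-01", "ExampleFW", "7.0.3", internet_facing=True),     # different product
]

if __name__ == "__main__":
    affected = triage(ADVISORY, INVENTORY)
    for a in affected:
        print(f"{a.hostname} {a.version} exposed={a.internet_facing}: {next_action(ADVISORY, a)}")
    pilot, rest = rollout_waves(affected)
    print("pilot wave:", [a.hostname for a in pilot], "then:", [a.hostname for a in rest])
```

Flipping `patch_available` to `True` when the vendor ships the fix turns every affected asset's action into `emergency-patch`, and `rollout_waves` keeps the pilot-then-everyone sequence the paragraph above describes; the asset at the top of the triage order is the one to pilot on, since it is both exposed and unmitigated.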

Post-Incident Review

Post-incident review after a zero-day event should assess whether the organization's detection capabilities identified exploitation activity, whether compensating controls were effective during the patch gap, and whether the emergency response process functioned smoothly. Lessons learned feed into improved playbooks, detection rules, and compensating control strategies for future zero-day events.

Zero-Days in Context

The media and security industry attention given to zero-days creates a distorted risk perception. While zero-days are genuinely dangerous, they account for a tiny fraction of successful cyberattacks. The vast majority of breaches exploit known vulnerabilities for which a patch was available but which organizations simply failed to apply in time. A program that achieves 99% patch coverage for known vulnerabilities with a short mean time to remediate (MTTR) is better protected against real-world threats than a program with mediocre patching but expensive zero-day detection tools.

Zero-days receive outsized attention because they are novel, dramatic, and make compelling stories. A breach caused by a zero-day in a popular mobile operating system generates headlines. A breach caused by an unpatched VPN appliance with a six-month-old CVE does not. Security leaders communicating risk to boards and executives should contextualize zero-days within the broader threat landscape rather than allowing them to dominate the conversation at the expense of the more common, more preventable threat of unpatched known vulnerabilities.

Organizations that face heightened zero-day risk due to their industry, visibility, or the sensitivity of their data should invest in the defensive layers described above: behavioral detection, network segmentation, least-privilege access, and rapid incident response. These investments also improve defense against known vulnerability exploitation, making them dual-purpose rather than single-purpose investments. Building a defense posture that is resilient regardless of whether the attack uses a zero-day or a known exploit is the most practical approach to managing both threat categories.

Vulnerability management programs should incorporate zero-day response as a documented playbook rather than an ad hoc reaction. The playbook should define who is responsible for monitoring zero-day advisories, how affected assets are identified, what compensating controls are pre-approved for rapid deployment, how emergency patching is triggered when a fix becomes available, and how the incident is reviewed afterward. Having this playbook in place before a zero-day event reduces response time and ensures that the organization's reaction is structured rather than chaotic.

The Zero-Day Market

Zero-day vulnerabilities are traded in multiple markets. The legitimate market includes bug bounty programs (where vendors pay researchers for discovered vulnerabilities), government procurement programs (where intelligence agencies purchase zero-days for offensive capabilities), and commercial exploit brokers (companies that purchase vulnerabilities from researchers and sell exploit capabilities to government clients). Prices in these markets range from thousands of dollars for low-impact vulnerabilities to millions for reliable exploits in widely deployed platforms like iOS, Android, or Windows.

Underground Markets

The underground market operates on dark web forums and through private broker relationships. Criminal organizations purchase zero-day exploits for use in cybercrime operations, though this is less common than using known vulnerabilities because the cost is high and the exploit's value depreciates once used and detected. The existence of these markets means that zero-day vulnerabilities have economic value that incentivizes their discovery, whether by researchers who sell to legitimate programs or by attackers who sell to criminal networks.

Government Stockpiling and the VEP

Government zero-day stockpiling raises policy questions about the Vulnerabilities Equities Process (VEP), the mechanism through which governments decide whether to disclose a discovered vulnerability to the vendor for patching or retain it for intelligence use. The tension between offensive capability (retaining the zero-day for espionage) and defensive responsibility (disclosing it so all users can be protected) has no simple resolution and remains an active area of policy debate in cybersecurity governance.

See Cogent In Action

Schedule a personalized demo today to learn how Cogent can supercharge your vulnerability management program.

Book a demo

Free risk assessment