Monday, March 16, 2026

What Is a Zero-Day Exploit — and Why Should You Care?


Khushbu Raval
Khushbu Raval is a Senior Correspondent and Content Strategist at Vibe Media Group, specializing in AI, Cybersecurity, Data, and Martech. A keen researcher in the tech domain, she transforms complex innovations into compelling narratives and optimizes content for maximum impact across platforms. She's always on the hunt for stories that spark curiosity and inspire.

A zero-day exploit targets a vulnerability that nobody has fixed yet — because nobody knew it existed. Here’s what that means and why it matters to everyone.

In cybersecurity, most attacks follow a predictable pattern. A vulnerability is discovered, a patch is issued, and organizations race to apply it before someone exploits the gap. The system is imperfect, but it has a logic: find the hole, fix the hole, move on.

Zero-day exploits break that logic entirely.

A zero-day exploit is a cyberattack that targets a software vulnerability that the vendor — and therefore the security community — does not yet know exists. There is no patch available because there is no awareness of the problem. Defenders cannot protect against something they cannot see. And attackers, if they find such a vulnerability before anyone else does, have an open window of access for as long as it takes the software maker to discover, develop, and distribute a fix.

The name comes from that timeline. The developer has had zero days to address the problem.

How a Zero-Day Works

Every piece of software — operating systems, browsers, enterprise applications, firmware, mobile apps — is written by humans, which means every piece of software contains flaws. Most of those flaws are found and fixed through routine security audits, bug bounty programs, and the work of researchers who report their findings responsibly to vendors. That process, known as coordinated disclosure, is the foundation of how the software industry manages its vulnerability backlog.

But some flaws are found by people with no interest in reporting them. Nation-state intelligence agencies, criminal organizations, and individual hackers all have strong incentives to quietly hold onto a zero-day rather than disclose it. A vulnerability that nobody else knows about is extraordinarily valuable — it can be used to breach targets without triggering any of the signature-based detection systems that rely on known attack patterns. It can be sold. It can be stockpiled.

The attack chain typically works as follows. The attacker identifies the vulnerability — through their own research, by purchasing it on a dark web marketplace, or in some cases by reverse-engineering a patch for a related flaw and finding the unpatched adjacent weakness. They then develop an exploit: a piece of code specifically crafted to take advantage of the vulnerability. That exploit is deployed against the target, often through a delivery mechanism like a phishing email, a malicious website, or a compromised software update. Because the vulnerability is unknown, the target’s security tools have nothing to match it against.

By the time the attack is detected — if it is detected at all — the attacker may have been inside the system for days, weeks, or months.

Who Uses Zero-Days and Why

Zero-day exploits are not equally distributed. Developing or acquiring one requires significant technical sophistication and, increasingly, significant money. In 2024, a zero-day exploit for a major mobile operating system was listed on one exploit broker’s price list at up to $2.5 million. That pricing reflects both the rarity of the vulnerability and the value of what it can access.

Nation-state actors are the most prolific users. The NSA’s EternalBlue exploit — which targeted a vulnerability in Microsoft’s SMB protocol — was developed as a classified tool before being stolen and leaked by a group called the Shadow Brokers in 2017. It was subsequently weaponized in the WannaCry ransomware attack, which caused an estimated $4 billion in damages across 150 countries. An exploit developed for intelligence collection had become, in the wrong hands, a global infrastructure crisis.

Sophisticated criminal organizations use zero-days for ransomware campaigns and financial fraud. Cyber mercenary firms — companies that sell offensive hacking capabilities to government clients — maintain libraries of zero-day exploits as core commercial assets. And in some cases, well-resourced corporate competitors have been implicated in zero-day-enabled espionage.

The targets are rarely random. Zero-days are expensive to acquire and use. Attackers with access to them tend to deploy them against high-value targets: critical infrastructure, financial institutions, government agencies, defense contractors, and large enterprises with valuable intellectual property.

The Window Between Discovery and Patch

When a zero-day is eventually discovered — because an attack is detected, a researcher finds it independently, or a vendor’s own audit surfaces it — the clock starts on what the industry calls the patch gap. The software maker must confirm the vulnerability, develop a fix, test it across the range of affected systems and configurations, and distribute it to users. That process takes time, and during that time the vulnerability remains exploitable.

The average time between vulnerability disclosure and patch availability has historically been around 60 days. For complex vulnerabilities in widely deployed systems, it can be longer. And even after a patch is released, the window doesn’t close immediately — organizations must actually apply the patch, a process that in large enterprises can take weeks or months due to testing requirements, change management processes, and the sheer scale of systems that need updating.

This is why zero-days that become public — through leaks, independent discovery, or vendor disclosure — often trigger a race. Attackers who weren’t previously aware of the vulnerability now have a blueprint. Defenders are racing to patch before attackers exploit the published details. The period between public disclosure and widespread patching is sometimes called the n-day window, and it is one of the most dangerous periods in any organization’s security calendar.
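The patch gap and the n-day window described above are easiest to reason about when measured per asset rather than per vulnerability. The following is an added example (not code from the article) of a small tracker that does this: it computes the vendor’s patch gap, how many days each host has been exposed since public disclosure, and whether an unpatched host has blown past an internal deployment SLA. The vulnerability id, dates, host names and the 30-day SLA are constructed placeholders, and the field names are assumptions.

```python
"""Fleet n-day exposure tracker.

Added example, not from the article. The vulnerability id, dates, host names
and the 30-day patch SLA are constructed placeholders; field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str                      # placeholder id, not a real CVE
    disclosed: date                   # public disclosure: the n-day window opens here
    patch_released: Optional[date]    # None while the vendor has no fix available


@dataclass(frozen=True)
class Asset:
    name: str
    patch_applied: Optional[date]     # None while the host is still unpatched


def vendor_patch_gap(v: Vulnerability) -> Optional[int]:
    """Days from public disclosure to patch availability (None if no patch yet)."""
    if v.patch_released is None:
        return None
    return (v.patch_released - v.disclosed).days


def exposure_days(v: Vulnerability, a: Asset, today: date) -> int:
    """Days the asset was (or still is) exploitable by anyone holding the details."""
    end = a.patch_applied if a.patch_applied is not None else today
    return (end - v.disclosed).days


def asset_status(v: Vulnerability, a: Asset, today: date, sla_days: int) -> str:
    """One of: patched, awaiting-vendor, exposed, overdue (relative to the SLA)."""
    if a.patch_applied is not None:
        return "patched"
    if v.patch_released is None:
        return "awaiting-vendor"      # nothing to deploy yet; rely on mitigations
    deadline = v.patch_released + timedelta(days=sla_days)
    return "overdue" if today > deadline else "exposed"


def fleet_report(v: Vulnerability, assets, today: date, sla_days: int = 30) -> dict:
    """Map asset name -> (status, days exposed so far)."""
    return {
        a.name: (asset_status(v, a, today, sla_days), exposure_days(v, a, today))
        for a in assets
    }


# Constructed data: one disclosed flaw, a vendor fix 15 days later, three hosts.
VULN = Vulnerability("VULN-EXAMPLE-001", date(2026, 1, 10), date(2026, 1, 25))
ASSETS = [
    Asset("db01", date(2026, 2, 1)),
    Asset("web01", None),               # still unpatched on the report date
    Asset("app03", date(2026, 1, 30)),
]
TODAY = date(2026, 3, 16)

if __name__ == "__main__":
    print("vendor patch gap:", vendor_patch_gap(VULN), "days")
    for name, (status, days) in fleet_report(VULN, ASSETS, TODAY).items():
        print(f"{name:6} {status:16} exposed {days} days")
```

The “exposure” number is the n-day window as experienced by each host: it keeps growing for every unpatched asset regardless of when the vendor shipped the fix, which is the point the article makes about the gap not closing until the patch is actually applied.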

Why Zero-Days Are Getting More Dangerous

Several converging trends are making zero-day risk more acute.

The attack surface is expanding. Every connected device — from enterprise servers to smart building systems to the operational technology that runs manufacturing plants and power grids — is a potential target. As organizations add more software, more integrations, and more connected infrastructure, the number of potential vulnerabilities grows in proportion.

AI is accelerating both sides of the equation. Security researchers are using AI to find vulnerabilities faster, which should, in theory, mean faster disclosure and faster patching. But attackers are using the same tools to scan for vulnerabilities at scale, automate exploit development, and identify targets with known unpatched systems more efficiently than was previously possible. Google’s Project Zero reported in 2024 that AI-assisted vulnerability research was already changing the pace at which both defenders and attackers operate.

The market for zero-days is maturing. Exploit brokers — companies that legally buy and sell vulnerability information — have created a functioning commercial market. Zerodium, one of the most prominent, publishes public price lists for exploits across different platforms and operating systems. That market creates financial incentives to find and hold zero-days rather than disclose them responsibly, and it means that well-funded actors have reliable channels for acquiring capabilities they couldn’t develop themselves.

What Organizations Can Do

No defense eliminates zero-day risk entirely — by definition, you cannot patch a vulnerability you don’t know about. But organizations can significantly reduce their exposure through a combination of architectural and operational practices.

Network segmentation limits the blast radius of a successful exploit by preventing attackers who gain access to one system from moving freely across the entire environment. The principle of least privilege — ensuring that every user, application, and system has access only to what it strictly needs — reduces what an attacker can do once inside. Behavioral detection systems, which look for anomalous activity patterns rather than known attack signatures, can catch zero-day exploits that bypass signature-based tools.
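To make the behavioral-detection point concrete, here is an added example (not code from the article or from any product it mentions). Instead of matching events against known exploit signatures, it learns which parent processes normally launch which child processes on each host during a baseline period, then flags any pairing that never appeared in that baseline. The log format, host names and events are constructed; the list of “shell-like” child processes used for severity is an assumption.

```python
"""Toy behavioral detector: flag process-creation events whose parent->child
pairing never appeared on that host during a baseline period.

Added example, not from the article. Log format and all events are constructed.
Fields per line: timestamp host parent_process child_process user
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed baseline: ordinary activity observed over an earlier period.
BASELINE_LOG = """\
2026-03-01T09:00:01Z web01 systemd nginx www-data
2026-03-01T09:00:05Z web01 nginx php-fpm www-data
2026-03-01T09:12:11Z ws17 explorer.exe winword.exe alice
2026-03-01T09:12:40Z ws17 explorer.exe outlook.exe alice
2026-03-01T10:02:00Z ws17 explorer.exe chrome.exe alice
2026-03-02T09:00:03Z web01 systemd nginx www-data
2026-03-02T11:30:21Z ws17 explorer.exe winword.exe alice
"""

# Constructed events to score; two of them deviate from the baseline.
NEW_LOG = """\
2026-03-16T08:01:10Z ws17 explorer.exe winword.exe alice
2026-03-16T08:01:44Z ws17 winword.exe powershell.exe alice
2026-03-16T08:03:02Z web01 nginx php-fpm www-data
2026-03-16T08:03:09Z web01 php-fpm sh www-data
2026-03-16T08:05:00Z ws17 explorer.exe chrome.exe alice
"""

# Assumed list: a brand-new pairing that ends in an interpreter is rated higher.
SHELL_LIKE = {"powershell.exe", "cmd.exe", "sh", "bash"}


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    parent: str
    child: str
    user: str


def parse(log: str) -> list:
    """Parse the constructed five-field format, rejecting malformed lines."""
    events = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"malformed line: {line!r}")
        events.append(Event(*parts))
    return events


def build_baseline(events) -> dict:
    """Per-host set of (parent, child) pairs seen during normal operation."""
    seen = defaultdict(set)
    for e in events:
        seen[e.host].add((e.parent, e.child))
    return seen


def severity(e: Event) -> str:
    return "high" if e.child in SHELL_LIKE else "medium"


def score(events, baseline) -> list:
    """Return (severity, event) for every pairing that is new for its host."""
    alerts = []
    for e in events:
        if (e.parent, e.child) not in baseline.get(e.host, set()):
            alerts.append((severity(e), e))
    return alerts


def detect(baseline_log: str, new_log: str) -> list:
    """Convenience wrapper: (severity, host, parent, child) for each alert."""
    baseline = build_baseline(parse(baseline_log))
    return [(sev, e.host, e.parent, e.child) for sev, e in score(parse(new_log), baseline)]


if __name__ == "__main__":
    for sev, host, parent, child in detect(BASELINE_LOG, NEW_LOG):
        print(f"[{sev}] {host}: {parent} -> {child} (never seen in baseline)")
```

Nothing in the detector knows which vulnerability, if any, was exploited; it only knows that a word processor on ws17 and a PHP worker on web01 started doing something they had never done before. That is the trade-off of behavioral detection: it can fire on activity no signature covers, but its usefulness depends on a baseline long enough to capture legitimate variation, or the same logic will flood analysts with benign first-time events.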

Threat intelligence programs that monitor dark web markets and track the activities of known threat actors can provide early warning when zero-days targeting specific software are being traded or discussed. Vendor relationship management — maintaining direct communication channels with the software makers whose products you depend on — can accelerate access to emergency patches when a critical vulnerability is disclosed.

And perhaps most importantly, organizations need a culture of rapid patching. The majority of successful cyberattacks do not use zero-days — they use known vulnerabilities for which patches have been available for months or years. Organizations that patch quickly, consistently, and comprehensively are significantly harder targets, and they also reduce the damage from the moment a zero-day becomes a known vulnerability and the n-day race begins.

The Honest Bottom Line

Zero-day exploits represent the sharpest edge of the threat landscape — expensive, rare, and extraordinarily effective in the right hands. Most organizations will never face a sophisticated zero-day attack. But the infrastructure and practices that reduce zero-day exposure are the same ones that reduce exposure to every other category of threat.

The goal is not to make your organization impenetrable. It is to make your organization a harder target than the alternative — and to be able to detect, contain, and recover when something gets through anyway.

In cybersecurity, the zero-day is a reminder that the attacker only needs to find one door you didn’t know existed. Defense is the work of building fewer doors, watching them more carefully, and being ready for the ones you missed.
