What Is a Zero-Day Vulnerability? How Zero-Days Work and Famous Examples

Category: Guides

By EthicalHacking.ai

## What Is a Zero-Day Vulnerability?

A zero-day vulnerability is a software security flaw that is unknown to the software vendor and has no available patch or fix. The term zero-day refers to the fact that the vendor has had zero days to fix the problem, since they do not know it exists. Zero-day vulnerabilities are the most dangerous type of security flaw because no patch exists for them until the vendor learns of the flaw and releases one.

When attackers discover a zero-day before the vendor does, they create zero-day exploits — attack code that takes advantage of the vulnerability. Zero-day exploits are worth $100,000 to $2.5 million on the commercial exploit market, making them among the most valuable digital commodities in existence.

Google Project Zero reported 97 zero-day vulnerabilities exploited in the wild in 2023, up from 62 in 2022. The number continues to rise annually as software complexity increases.

*Last updated: March 31, 2026*

## How Zero-Day Vulnerabilities Work

The lifecycle of a zero-day follows a specific pattern.

**Discovery.** A security researcher, government agency, or malicious attacker discovers a flaw in software. The flaw might be a buffer overflow, an injection vulnerability, a logic error, a memory corruption bug, or an authentication bypass. At this moment the vendor does not know the flaw exists.

**Exploitation.** If a malicious attacker discovers the flaw first, they develop exploit code and begin using it against targets. This is the zero-day exploit phase — the most dangerous window because no patch exists and most security tools cannot detect the attack since there are no known signatures.

**Detection.** The attack is eventually detected through anomalous behavior, [incident response](https://ethicalhacking.ai/blog/incident-response-guide-2026) investigations, threat intelligence sharing, or independent discovery by security researchers. This can happen days, months, or even years after exploitation begins.

**Disclosure.** The vulnerability is reported to the vendor through responsible disclosure or publicly revealed. The clock starts ticking.

**Patch.** The vendor develops and releases a patch. Until users apply the patch, they remain vulnerable. Even after a patch is available, many organizations take weeks or months to deploy updates, leaving a window of exposure.

## Zero-Day Timeline

| Phase | Duration | Who Knows | Risk Level |
|-------|----------|-----------|------------|
| Vulnerability exists undiscovered | Months to years | Nobody | Unknown risk |
| Attacker discovers and exploits | Days to months | Attacker only | Critical - no defense |
| Security community detects attacks | Days to weeks | Attacker plus defenders | Critical - no patch |
| Vendor notified and develops patch | Days to weeks | Public | High - patch not deployed |
| Patch released | One day | Public | High - many unpatched |
| Organizations apply patch | Weeks to months | Public | Decreasing over time |

The most dangerous period is between attacker discovery and patch release — this window can range from days to over a year. During this time, the attacker has free access to exploit the vulnerability with no available defense.

## Famous Zero-Day Attacks

### Log4Shell (CVE-2021-44228) - December 2021

Log4Shell was a critical zero-day in Apache Log4j, an open-source logging library used in hundreds of millions of systems worldwide including applications from Apple, Amazon, Cloudflare, Twitter, Steam, and Minecraft. The vulnerability allowed remote code execution by simply sending a specially crafted text string to any application using Log4j. An attacker could take complete control of a server by sending a single malicious log message.

**Impact:** CVSS score 10.0 out of 10 (maximum severity). Affected an estimated 93% of enterprise cloud environments. Exploitation began within hours of public disclosure and continues years later against unpatched systems.

### EternalBlue (CVE-2017-0144) - April 2017

EternalBlue was a zero-day exploit in the Windows SMB protocol developed by the NSA and leaked by the Shadow Brokers group. It allowed remote code execution on any unpatched Windows system without authentication.

**Impact:** EternalBlue powered the WannaCry [ransomware](https://ethicalhacking.ai/blog/what-is-ransomware) attack in May 2017 that infected over 230,000 computers across 150 countries, shutting down hospitals, factories, and government agencies. It also powered the NotPetya attack which caused over $10 billion in damages globally. EternalBlue remains one of the most exploited vulnerabilities years later on unpatched legacy systems.

### Stuxnet - Discovered 2010

Stuxnet was a sophisticated cyberweapon that used four separate zero-day vulnerabilities in Windows to target Iranian nuclear centrifuges. It spread via USB drives, propagated through networks, and specifically targeted Siemens industrial control systems to sabotage uranium enrichment equipment.

**Impact:** Stuxnet destroyed approximately 1,000 Iranian nuclear centrifuges and set the nuclear program back years. It demonstrated that zero-day exploits could cause physical destruction of industrial equipment. Widely attributed to a joint US-Israel operation, Stuxnet changed the landscape of cyber warfare permanently.

### MOVEit Transfer (CVE-2023-34362) - June 2023

The Cl0p ransomware group exploited a zero-day SQL injection vulnerability in MOVEit Transfer, a widely used file transfer solution. They exfiltrated data from over 2,500 organizations before the vulnerability was publicly known or patched.

**Impact:** Affected organizations included Shell, British Airways, the BBC, Johns Hopkins University, and multiple US government agencies. Over 90 million individuals had personal data exposed. This attack demonstrated how a single zero-day in a widely deployed enterprise tool can create a mass exploitation event.

### Pegasus / NSO Group - Ongoing

NSO Group sells the Pegasus spyware platform which uses chains of zero-day exploits in iOS and Android to remotely compromise smartphones without any user interaction — so-called zero-click exploits. Simply receiving a specially crafted iMessage or WhatsApp call is sufficient for complete device compromise.

**Impact:** Pegasus has been used to target journalists, human rights activists, politicians, and dissidents worldwide. Apple, Google, and WhatsApp have all filed lawsuits against NSO Group. Pegasus demonstrates the extreme value of mobile zero-days — iPhone zero-click exploit chains reportedly sell for $2-2.5 million.

## How Zero-Days Are Discovered

Zero-days are found through several channels with very different motivations and outcomes.

**Security researchers and bug bounties.** Ethical researchers find vulnerabilities and report them to vendors through responsible disclosure. Companies like Google, Apple, and Microsoft pay bounties ranging from $5,000 to $250,000+ for critical zero-days. Google Project Zero is a dedicated team that finds zero-days in widely used software and gives vendors 90 days to patch before public disclosure. [Bug bounty platforms](https://ethicalhacking.ai/blog/bug-bounty-hunting-guide-2026) like HackerOne and Bugcrowd facilitate this process.

**Government agencies.** Intelligence agencies including the NSA, GCHQ, and their equivalents worldwide discover and stockpile zero-days for offensive cyber operations. The debate over whether governments should disclose zero-days to vendors (making everyone safer) or hoard them for intelligence purposes (maintaining offensive capability) is known as the Vulnerability Equities Process.

**Criminal hackers.** Cybercriminal groups discover or purchase zero-days for financial gain through [ransomware](https://ethicalhacking.ai/blog/what-is-ransomware), data theft, and espionage. The Cl0p group that exploited the MOVEit zero-day is an example of criminal zero-day exploitation.

**Exploit brokers.** Companies like Zerodium and Crowdfense operate as middlemen, purchasing zero-day exploits from researchers and selling them to government clients. Published price lists show the market value of different exploit types.

## Zero-Day Exploit Market Prices

| Target | Exploit Type | Approximate Value |
|--------|-------------|------------------|
| iPhone (iOS) | Zero-click remote code execution | $1,500,000 - $2,500,000 |
| Android | Zero-click remote code execution | $1,000,000 - $2,500,000 |
| Windows | Remote code execution | $500,000 - $1,000,000 |
| Chrome | Full chain sandbox escape | $400,000 - $600,000 |
| WhatsApp/iMessage | Zero-click with persistence | $1,000,000 - $1,500,000 |
| Apache/Nginx | Remote code execution | $100,000 - $250,000 |
| WordPress | Remote code execution | $50,000 - $100,000 |

These prices reflect the commercial exploit market. Bug bounty payouts from vendors are typically 10-50x lower than what exploit brokers pay, which creates an economic tension — researchers can earn far more selling to brokers than reporting to vendors, though ethical considerations lead most researchers to choose responsible disclosure.

## How to Defend Against Zero-Day Attacks

Zero-days cannot be prevented entirely because by definition they exploit unknown flaws. However, organizations can dramatically reduce their risk and limit the impact.

**Defense in depth.** Layer multiple security controls so that no single vulnerability leads to complete compromise. Combine firewalls, [EDR/XDR](https://ethicalhacking.ai/blog/best-edr-xdr-tools-2026), network segmentation, [email security](https://ethicalhacking.ai/blog/best-email-security-tools-2026), and [SIEM monitoring](https://ethicalhacking.ai/blog/best-siem-tools-2026). A zero-day that bypasses one layer may be detected or blocked by another.

**Behavioral detection over signature detection.** Traditional antivirus relies on known signatures which cannot detect zero-day exploits. Modern [EDR tools](https://ethicalhacking.ai/blog/best-edr-xdr-tools-2026) like [CrowdStrike](https://ethicalhacking.ai/tools/crowdstrike-charlotte) and [SentinelOne](https://ethicalhacking.ai/tools/sentinelone-singularity) use AI and behavioral analysis to detect anomalous process execution, unusual memory access patterns, and suspicious system calls regardless of whether the specific exploit is known.

**Patch rapidly when fixes are available.** While you cannot patch a zero-day before the fix exists, you can minimize your exposure window by patching within hours or days of release rather than weeks or months. Organizations that patched Log4Shell within 48 hours avoided the mass exploitation wave. Use [vulnerability scanners](https://ethicalhacking.ai/blog/best-vulnerability-scanners-2026) to identify unpatched systems.

**Network segmentation and zero trust.** [Zero trust architecture](https://ethicalhacking.ai/blog/what-is-zero-trust-security) limits the blast radius of any zero-day exploit. Even if an attacker gains initial access through a zero-day, microsegmentation prevents lateral movement to critical systems.

**Reduce attack surface.** Remove unnecessary software, disable unused services, restrict administrative privileges, and minimize internet-facing systems. Every piece of software is a potential zero-day target. The less software running, the fewer potential vulnerabilities.

**Threat intelligence.** Subscribe to [threat intelligence](https://ethicalhacking.ai/blog/what-is-threat-intelligence) feeds that provide early warning about actively exploited vulnerabilities. CISA maintains a Known Exploited Vulnerabilities catalog that should be monitored continuously. Security teams should track advisories from Google Project Zero, Microsoft Security Response Center, and Apple security updates.
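As an added example (not from the original article), the script below puts the patch-rapidly and KEV-monitoring advice into practice: it cross-references a scanner's list of unpatched CVEs per host against a CISA KEV-style catalog and ranks each finding by the exposure window from the timeline above. The catalog excerpt, host inventory, all dates and the `CVE-2099-00001` id are constructed sample data; only the KEV field names match the real feed.

```python
"""Added example, not from the original article: cross-reference unpatched CVEs
against a CISA KEV-style catalog and rank the exposure window per host."""
import json
from datetime import date

# Constructed KEV-style excerpt; field names match the real KEV JSON feed,
# but these dates are illustrative, not the actual catalog values.
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
  "dateAdded": "2026-01-05", "dueDate": "2026-01-15", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
  "dateAdded": "2026-02-01", "dueDate": "2026-02-08", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-2017-0144", "vendorProject": "Microsoft", "product": "SMBv1",
  "dateAdded": "2026-01-20", "dueDate": "2026-02-10", "knownRansomwareCampaignUse": "Known"}
]}"""

# Constructed scanner output: host -> {open CVE: date the vendor patch shipped}.
# CVE-2099-00001 is a placeholder id, not a real CVE.
INVENTORY = {
    "web-01": {"CVE-2021-44228": "2025-12-20", "CVE-2099-00001": "2026-02-20"},
    "file-01": {"CVE-2023-34362": "2026-01-25"},
}

def load_kev(raw: str) -> dict:
    """Index the KEV feed by CVE id for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def prioritize(inventory: dict, kev: dict, today_iso: str) -> list:
    """Rank: KEV-listed first, then known ransomware use, then most overdue vs. the
    KEV due date, then longest exposure (patch released but not yet applied)."""
    today = date.fromisoformat(today_iso)
    findings = []
    for host, cves in inventory.items():
        for cve, released in cves.items():
            entry = kev.get(cve)
            overdue = (today - date.fromisoformat(entry["dueDate"])).days if entry else None
            findings.append({
                "host": host, "cve": cve,
                "exposure_days": (today - date.fromisoformat(released)).days,
                "in_kev": entry is not None,
                "ransomware": bool(entry and entry["knownRansomwareCampaignUse"] == "Known"),
                "overdue_days": overdue,
            })
    findings.sort(key=lambda f: (not f["in_kev"], not f["ransomware"],
                                 -(f["overdue_days"] or 0), -f["exposure_days"]))
    return findings

if __name__ == "__main__":
    for f in prioritize(INVENTORY, load_kev(KEV_JSON), "2026-03-01"):
        print(f)
```

In a real pipeline the KEV feed would be fetched from CISA and the inventory from a vulnerability scanner; the ranking logic stays the same.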

## Zero-Days in Cybersecurity Careers

Zero-day research and defense spans multiple career paths. Vulnerability researchers and exploit developers discover and analyze zero-days, requiring deep knowledge of [reverse engineering](https://ethicalhacking.ai/tools/ghidra), assembly language, and operating system internals. [Penetration testers](https://ethicalhacking.ai/blog/what-is-penetration-testing-beginners-guide) test for known vulnerabilities and occasionally discover new ones during engagements. [SOC analysts](https://ethicalhacking.ai/blog/what-is-soc-analyst) detect zero-day exploitation through behavioral analysis and anomaly detection. [Incident responders](https://ethicalhacking.ai/blog/incident-response-guide-2026) investigate breaches that may involve zero-day exploitation. [Malware analysts](https://ethicalhacking.ai/blog/what-is-malware-analysis) reverse engineer exploit code to understand zero-day attack mechanisms.

The [OSCP certification](https://ethicalhacking.ai/blog/oscp-certification-guide-2026) and GIAC GXPN (Exploit Researcher and Advanced Penetration Tester) are relevant certifications for professionals interested in vulnerability research.

## Frequently Asked Questions

### What is the difference between a zero-day vulnerability and a zero-day exploit?

A zero-day vulnerability is the software flaw itself — a bug in code that could be exploited. A zero-day exploit is the actual attack code written to take advantage of that vulnerability. A vulnerability can exist without an exploit, but an exploit requires a vulnerability. The vulnerability is the door and the exploit is the key.

### How common are zero-day attacks?

Google Project Zero tracked 97 zero-days exploited in the wild in 2023 and the number has increased annually. However, zero-days represent a tiny fraction of total attacks. The vast majority of successful breaches exploit known, patched vulnerabilities that organizations failed to update. Zero-days are high-impact but relatively rare compared to attacks using known CVEs.

### Can antivirus detect zero-day exploits?

Traditional signature-based antivirus cannot detect zero-days because there are no known signatures to match. However, modern [EDR and XDR tools](https://ethicalhacking.ai/blog/best-edr-xdr-tools-2026) use behavioral analysis, machine learning, and heuristic detection to identify suspicious activity patterns regardless of whether the specific exploit is known. This is why behavioral endpoint protection has replaced traditional antivirus in enterprise environments.

### What does CVSS score mean for zero-days?

CVSS (Common Vulnerability Scoring System) rates vulnerabilities from 0.0 to 10.0 based on attack complexity, required privileges, user interaction, and impact on confidentiality, integrity, and availability. Critical vulnerabilities score 9.0-10.0 and require immediate patching. Log4Shell scored a perfect 10.0. Not all zero-days are critical — some require specific conditions to exploit or have limited impact.

### How do I report a zero-day I discovered?

Report it to the vendor through their security disclosure program. Most major companies have vulnerability disclosure policies on their websites. Do not disclose publicly before the vendor has time to patch. Standard responsible disclosure gives vendors 90 days to fix the issue before public disclosure. If the vendor is unresponsive, organizations like CERT/CC can help coordinate disclosure. Depending on the vendor, you may also earn a [bug bounty](https://ethicalhacking.ai/blog/bug-bounty-hunting-guide-2026) reward.

### Can I protect myself from zero-day attacks as an individual?

Keep all software updated to receive patches as soon as they are released. Use a modern browser with automatic updates. Enable [two-factor authentication](https://ethicalhacking.ai/blog/what-is-two-factor-authentication) on all accounts. Use an EDR-capable antivirus rather than traditional signature-based antivirus. Be cautious with email attachments and links to reduce exposure to zero-day delivery mechanisms like [phishing](https://ethicalhacking.ai/blog/what-is-phishing). No defense is perfect against zero-days, but these steps significantly reduce your risk.