Zero-day exploit

A zero-day exploit is a cyberattack that takes advantage of a previously unknown software vulnerability for which the vendor has no patch available. This means developers have zero days to fix the flaw before it can be exploited by attackers.

What is a zero-day exploit in cybersecurity?

A zero-day exploit refers to a method used by attackers to leverage a security flaw in software, hardware, or firmware that is unknown to the vendor or the public. The term "zero-day" signifies that the developers of the vulnerable system have had zero days to prepare and release a fix or patch. Because the vulnerability has not yet been disclosed or addressed, there are no existing defenses, signatures, or updates to protect against it.

Zero-day exploits are considered among the most critical threats in cybersecurity, and they are closely tracked by organizations such as the National Institute of Standards and Technology (NIST), the Cybersecurity and Infrastructure Security Agency (CISA), and the MITRE ATT&CK Framework.

Why are zero-day exploits so dangerous?

Zero-day exploits are particularly dangerous for several key reasons:

  • No available patch: Since the vulnerability is unknown to the vendor, there is no security update or fix that users can apply at the time of the attack.
  • Evasion of traditional defenses: Antivirus software, intrusion detection systems, and firewalls typically rely on known threat signatures. A zero-day exploit, by definition, has no known signature, allowing it to bypass these defenses undetected.
  • High-value targets: Attackers often reserve zero-day exploits for high-value targets such as government agencies, critical infrastructure, financial institutions, and large enterprises, where the potential payoff is greatest.
  • Critical window of opportunity: Attackers can use zero-day exploits to gain unauthorized access, steal sensitive data, install malware, or disrupt operations before security teams even become aware of the vulnerability. This window—from the moment of exploitation to when a patch is released—can last days, weeks, or even months.

Resources from the SANS Institute and the OWASP (Open Web Application Security Project) provide in-depth guidance on mitigating the risks associated with these threats.

How do zero-day exploits work?

The lifecycle of a zero-day exploit typically follows these stages:

  1. Vulnerability discovery: A security flaw is discovered in software, hardware, or firmware by independent researchers, threat actors, or state-sponsored groups.
  2. Exploit development: Attackers develop code or a technique to take advantage of the discovered flaw. This exploit is crafted to trigger the vulnerability and execute malicious actions.
  3. Attack deployment: The exploit is used in the wild, targeting specific systems or distributed broadly. Common attack vectors include phishing emails, compromised websites, and malicious downloads.
  4. Detection and disclosure: Security researchers, affected organizations, or the vendor eventually detect the exploit and publicly disclose the vulnerability.
  5. Patch release: The vendor develops and releases a patch or update to remediate the flaw. Users and administrators must then apply the patch to protect their systems.

Real-world examples

  • Operating system exploits: Vulnerabilities in popular operating systems such as Windows, macOS, or Linux are frequently targeted before patches can be released for newly discovered flaws. These attacks can grant attackers elevated privileges or full remote access.
  • Web browser exploits: Vulnerabilities in widely used browsers like Chrome, Firefox, or Safari have been exploited to execute malicious code on a user's machine simply by visiting a compromised website—a technique sometimes known as a drive-by download.

When was the term zero-day exploit coined?

The concept of zero-day exploits emerged alongside the growth of the software industry and the increasing complexity of digital systems. The term became widely used in the cybersecurity community during the late 1990s and early 2000s, as the internet expanded and attack surfaces grew dramatically. While the exact origin of the phrase is difficult to pinpoint, it has its roots in the hacker and warez communities, where "zero-day" originally referred to software or information available on the same day as its release. Over time, it was adopted by the security community to describe vulnerabilities exploited before any fix is available.

Which systems are most vulnerable to zero-day exploits?

While any software or hardware can potentially be affected, certain systems are more commonly targeted:

  • Operating systems: Windows, macOS, Linux, and mobile operating systems (Android, iOS) are high-priority targets due to their massive user bases.
  • Web browsers: Browsers are a primary gateway to the internet and process complex, untrusted content, making them a frequent target.
  • Enterprise software: Applications used in business environments—such as email servers, VPNs, collaboration platforms, and content management systems—are attractive targets because they often have access to sensitive data and internal networks.
  • IoT and embedded devices: Internet of Things devices and firmware in routers, cameras, and industrial control systems are particularly vulnerable because they are often harder to update and may run outdated software.
  • Open-source libraries: Widely used open-source components that are integrated into many applications can become a single point of failure if a zero-day is discovered in them.

Organizations can reduce their exposure by adopting a defense-in-depth strategy, performing regular vulnerability assessments, implementing network segmentation, using endpoint detection and response (EDR) tools, and staying informed through threat intelligence feeds provided by agencies like CISA and frameworks such as MITRE ATT&CK.
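As an added example (not part of the original article) of the point made earlier about signature-based defenses and of the EDR-style monitoring recommended in the closing paragraph: a hash blocklist cannot match a payload it has never seen, while a behavioural rule on process lineage still flags it. All process names, hashes and payload bytes are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass

# Constructed "signature database": SHA-256 of payloads already known to be bad.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"known-malware-sample-A").hexdigest(),
    hashlib.sha256(b"known-malware-sample-B").hexdigest(),
}

# Behavioural rule data: phishing attachments and drive-by pages are opened by
# document readers and browsers, which have no business launching interpreters.
CONTENT_HANDLERS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "firefox.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}


@dataclass
class ProcessEvent:
    parent: str     # image name of the parent process
    image: str      # image name of the newly created process
    payload: bytes  # bytes of the executed file (constructed placeholders here)


def signature_match(ev: ProcessEvent) -> bool:
    """Signature-based check: fires only for payloads already in the blocklist."""
    return hashlib.sha256(ev.payload).hexdigest() in KNOWN_BAD_SHA256


def behaviour_match(ev: ProcessEvent) -> bool:
    """Behaviour-based check: a content handler spawning a command interpreter."""
    return ev.parent.lower() in CONTENT_HANDLERS and ev.image.lower() in INTERPRETERS


def triage(events: list[ProcessEvent]) -> dict[str, list[int]]:
    """Return the event indices each detection layer flags, to compare coverage."""
    return {
        "signature": [i for i, ev in enumerate(events) if signature_match(ev)],
        "behaviour": [i for i, ev in enumerate(events) if behaviour_match(ev)],
    }


# Constructed telemetry: benign activity, a known sample, and a never-seen payload.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "notepad.exe", b"benign-editor"),
    ProcessEvent("explorer.exe", "update.exe", b"known-malware-sample-A"),
    ProcessEvent("WINWORD.EXE", "powershell.exe", b"never-seen-before-payload"),
]

if __name__ == "__main__":
    # The third event is the zero-day-like case: no signature, but the lineage rule fires.
    print(triage(SAMPLE_EVENTS))
```

The signature layer catches only the known sample (index 1); only the behavioural layer flags the unseen payload (index 2), which is why layered, behaviour-aware detection matters when no patch or signature exists yet.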