Zero-day vulnerability

A zero-day vulnerability is a software flaw that is unknown to the vendor and the public, so defenders have had zero days to prepare a fix before it is exploited; such flaws often lead to critical data breaches or system compromise.

A zero-day vulnerability refers to a security flaw in software or hardware that is unknown to the party responsible for patching or fixing the bug — the vendor — and, crucially, also unknown to the general public. The term "zero-day" signifies that there are literally zero days between the time the vulnerability is first discovered (or exploited) and the availability of a patch or fix. This makes zero-day vulnerabilities among the most critical and feared threats in the cybersecurity landscape.

What is a zero-day vulnerability?

A zero-day vulnerability is a previously unknown security flaw in software, firmware, or hardware that has not yet been identified or addressed by the vendor. Because no patch, signature, or workaround exists at the time of discovery or exploitation, defenders have no established means to protect against it.

The lifecycle of a zero-day typically follows these stages:

  1. Introduction: A flaw is inadvertently introduced into a system during development.
  2. Discovery: The flaw is discovered by a researcher, attacker, or third party — but remains unknown to the vendor.
  3. Exploitation: Attackers develop and deploy a zero-day exploit — code or techniques designed to take advantage of the vulnerability.
  4. Disclosure: The vulnerability is reported to the vendor or publicly disclosed.
  5. Patch release: The vendor develops and distributes a fix.

Once a patch is released, the vulnerability ceases to be a "zero-day" and becomes a known vulnerability (sometimes referred to as an N-day vulnerability). Catalogs such as NIST's National Vulnerability Database and the CVE (Common Vulnerabilities and Exposures) program track these once they become public.

Why are zero-day vulnerabilities so dangerous?

Zero-day vulnerabilities are exceptionally dangerous for several reasons:

  • No existing defense: Because the flaw is unknown, there are no patches, antivirus signatures, or intrusion detection rules to detect or prevent exploitation.
  • Stealth: Attacks leveraging zero-days can go undetected for extended periods — weeks, months, or even years — allowing attackers to maintain persistent access to compromised systems.
  • High value in the underground market: Zero-day exploits are highly coveted in the cybercriminal underground and by state-sponsored actors. They can sell for hundreds of thousands to millions of dollars on black markets and through brokers.
  • Broad impact: A single zero-day in widely used software (such as an operating system, browser, or cryptographic library) can potentially affect millions of devices and users worldwide.
  • Supply chain risks: Zero-days in third-party libraries or components can propagate vulnerabilities across countless downstream applications and services.

Leading cybersecurity research firms such as Mandiant and CrowdStrike regularly report on the increasing frequency and sophistication of zero-day exploitation campaigns.

How do zero-day vulnerabilities work?

The exploitation of a zero-day vulnerability typically involves the following process:

  1. Discovery: An attacker (or researcher) identifies a flaw — such as a buffer overflow, logic error, or improper input validation — in a piece of software or hardware.
  2. Exploit development: The attacker crafts a specific payload or technique designed to trigger the vulnerability and achieve a desired outcome, such as remote code execution, privilege escalation, or data exfiltration.
  3. Delivery: The exploit is delivered to the target through various vectors, including phishing emails, malicious websites, compromised software updates, or direct network attacks.
  4. Execution: Once the exploit reaches the vulnerable system, it triggers the flaw and executes the attacker's malicious code or commands.
  5. Post-exploitation: The attacker may install backdoors, move laterally within a network, steal data, or deploy additional malware.

Real-world examples

  • Stuxnet worm (2010): One of the most notorious cases of zero-day exploitation. Stuxnet exploited multiple zero-day vulnerabilities in Microsoft Windows and Siemens industrial control systems (SCADA). It was primarily designed to sabotage Iran's nuclear enrichment program and is widely attributed to a joint U.S.-Israeli operation. The sophistication of Stuxnet demonstrated the devastating potential of zero-day exploits in critical infrastructure.
  • Heartbleed bug (2014): A critical zero-day vulnerability (CVE-2014-0160) in the OpenSSL cryptographic library. The flaw allowed attackers to read sensitive memory contents from servers, including private keys, passwords, and session tokens, without leaving any trace. Because OpenSSL was used by an enormous number of web servers, the impact was global.

When was the first zero-day vulnerability discovered?

The concept of zero-day vulnerabilities has existed since the early days of computing, though the term itself became popularized in the 1990s within hacker and bulletin board system (BBS) communities. Early software security flaws were routinely exploited before vendors became aware of them, but formal tracking and classification did not begin until organizations like NIST's National Vulnerability Database (NVD) and the CVE program were established in the late 1990s and early 2000s.

One of the earliest widely recognized zero-day events was the Morris Worm of 1988, which exploited previously unknown vulnerabilities in Unix systems — though the term "zero-day" was not yet in common use at that time. Since then, the frequency and impact of zero-day discoveries have increased dramatically, driven by the growth of the internet, the complexity of modern software, and the professionalization of cyber threat actors.

Which systems are most susceptible to zero-day vulnerabilities?

While any software or hardware can harbor a zero-day vulnerability, certain categories of systems are disproportionately targeted:

  • Operating systems: Windows, macOS, Linux, iOS, and Android are high-value targets due to their massive user bases.
  • Web browsers: Chrome, Firefox, Safari, and Edge are frequent targets because they are the primary interface between users and the internet.
  • Enterprise software: Email servers (e.g., Microsoft Exchange), VPN appliances, and collaboration tools are prime targets for advanced persistent threat (APT) groups.
  • Widely used libraries and frameworks: Open-source components such as OpenSSL and Apache Log4j can introduce vulnerabilities across thousands of dependent applications.
  • Industrial control systems (ICS/SCADA): As demonstrated by Stuxnet, critical infrastructure systems are increasingly targeted, often with catastrophic potential.
  • IoT devices: Internet of Things devices frequently suffer from poor security hygiene and infrequent updates, making them fertile ground for zero-day exploitation.

Organizations are advised to adopt layered defense strategies — including behavior-based detection, network segmentation, regular threat intelligence updates from agencies like CISA, and participation in bug bounty programs — to reduce their exposure and improve response times when zero-day vulnerabilities are discovered.