
Zero-Day Exploits Explained: Detection, Defense, and Notable Examples

Understanding how zero-day vulnerabilities are discovered, weaponized, and defended against — a guide for security professionals.

Table of Contents
  1. What Is a Zero-Day Exploit?
  2. The Zero-Day Lifecycle
  3. Who Discovers Zero-Days?
  4. The Zero-Day Market
  5. Notable Zero-Day Examples
  6. How Organizations Detect Zero-Days
  7. Defense-in-Depth Against Unknown Threats
  8. CISA Known Exploited Vulnerabilities (KEV) Catalog
  9. Patch Management and Virtual Patching
  10. Staying Ahead with Threat Intelligence

Zero-day exploits represent one of the most significant and persistent challenges in cybersecurity. They target vulnerabilities that the software vendor does not yet know about, leaving defenders with no patch, no signature, and no advance warning. For nation-states, criminal organizations, and commercial exploit brokers, zero-days are among the most valuable weapons in the cyber arsenal. For defenders, understanding how zero-days work — and how to mitigate the risk they pose — is essential to building a resilient security program.

What Is a Zero-Day Exploit?

The term "zero-day" refers to the fact that the software vendor has had zero days to fix the vulnerability. There is no patch available at the time of exploitation. But the term is used loosely in the industry, and it is important to distinguish between three related but distinct concepts.

Key Definitions

Zero-day vulnerability: A software flaw unknown to the vendor or for which no patch exists.

Zero-day exploit: Code or a technique that leverages a zero-day vulnerability to achieve unauthorized access or effect.

Zero-day attack: An actual incident in which a zero-day exploit is used against a target in the wild.

A zero-day vulnerability may exist in software for years without being discovered. It becomes a zero-day exploit when someone develops working code to take advantage of it. And it becomes a zero-day attack only when that exploit is deployed against a real target. The distinction matters because a vulnerability without a known exploit poses a different risk profile than one that is actively being used in attacks.

Zero-day vulnerabilities can exist in any type of software: operating systems, web browsers, enterprise applications, firmware, network devices, mobile platforms, and open-source libraries. The more widely deployed the software, the more valuable a zero-day exploit for it tends to be — because the potential target base is larger and the impact of exploitation is greater.

The Zero-Day Lifecycle

Every zero-day follows a lifecycle from discovery to eventual remediation. Understanding this lifecycle helps organizations appreciate the window of exposure they face and the urgency of each phase.

1. Discovery

Someone — a security researcher, a nation-state intelligence agency, a criminal group, or an internal development team — discovers a previously unknown vulnerability in a piece of software. At this point, the vendor is unaware. The vulnerability exists silently, and the discoverer must decide what to do with it.

2. Exploitation

If the discoverer (or someone they sell or share the vulnerability with) develops a working exploit, the zero-day enters the exploitation phase. The exploit may be used in targeted attacks against specific organizations, deployed broadly for financial gain, or held in reserve for future operations. During this phase, defenders have no vendor-provided mitigation. The average time a zero-day remains exploited before discovery has been estimated at over 300 days in some studies, though this varies widely.

3. Disclosure

The vulnerability is disclosed to the vendor, either through responsible disclosure by a researcher, discovery by the vendor's own security team, or detection by a third party such as a cybersecurity firm that observes the exploit in the wild. Public disclosure may or may not happen simultaneously — coordinated vulnerability disclosure practices aim to give the vendor time to develop a patch before public announcement.

4. Patch and Remediation

The vendor develops and releases a patch. Once the patch is available, the vulnerability is technically no longer a zero-day — but the risk does not end there. Organizations must still apply the patch, and many are slow to do so. The period between patch availability and widespread patch adoption is one of the most dangerous, because attackers can reverse-engineer the patch to develop exploits targeting unpatched systems.

Who Discovers Zero-Days?

Zero-day vulnerabilities are discovered by a range of actors with very different motivations, resources, and disclosure practices.

The Zero-Day Market

A complex and opaque market exists around zero-day vulnerabilities, spanning legitimate bug bounty programs, gray-market brokers, and underground criminal forums. Understanding this market provides insight into the economics that drive zero-day discovery and exploitation.

Bug Bounty Programs

Major technology companies operate bug bounty programs that pay researchers for responsibly disclosing vulnerabilities. Google, Microsoft, Apple, and others offer payouts that can reach hundreds of thousands of dollars for critical vulnerabilities. Google's Vulnerability Reward Program, for example, has paid out tens of millions of dollars since its inception. These programs incentivize responsible disclosure and represent the "white market" for vulnerability information.

Gray Market Brokers

Companies such as Zerodium publicly advertise prices for zero-day exploits: up to $2.5 million for a full-chain iOS zero-click exploit, $2 million for an Android equivalent, and $1 million for Chrome or Safari remote code execution. These brokers state that they sell exclusively to government agencies and law enforcement, but the lack of transparency about their clients and end use raises significant ethical concerns.

Government Programs

Many governments maintain their own vulnerability research programs and also purchase zero-days from brokers and contractors. The U.S. government's Vulnerabilities Equities Process (VEP) is a framework for deciding whether to disclose discovered vulnerabilities to vendors or retain them for intelligence purposes. The tension between offensive capability and defensive security is a persistent policy debate in every nation with significant cyber capabilities.

Market         Buyers                          Price Range       Disclosure
Bug Bounties   Software vendors                $500 – $500K+     Vendor patch, then public
Gray Market    Governments, law enforcement    $100K – $2.5M+    No disclosure
Black Market   Criminal groups, rogue states   Varies widely     No disclosure

Notable Zero-Day Examples

Examining real-world zero-day exploits illustrates the range of actors, targets, and consequences involved. The following examples are among the most significant in cybersecurity history.

Stuxnet (2010)

Stuxnet was a sophisticated worm widely attributed to the United States and Israel that targeted Iran's uranium enrichment facilities. It exploited four separate zero-day vulnerabilities in Windows and Siemens SCADA software to sabotage industrial centrifuges. Stuxnet was a watershed moment — the first publicly known cyberweapon designed to cause physical destruction. It demonstrated that zero-day exploits could be chained together for strategic geopolitical objectives and fundamentally changed how the world understood cyber warfare.

EternalBlue (2017)

EternalBlue was an exploit for a vulnerability in Microsoft's SMB protocol (CVE-2017-0144), developed by the NSA and leaked by the Shadow Brokers group. It was subsequently weaponized in the WannaCry ransomware attack that affected over 200,000 systems across 150 countries, and in the NotPetya attack that caused an estimated $10 billion in damages globally. EternalBlue demonstrated the catastrophic consequences of stockpiled zero-days falling into the wrong hands and remains one of the strongest arguments for vulnerability disclosure over retention.

Log4Shell (2021)

Log4Shell (CVE-2021-44228) was a critical remote code execution vulnerability in Apache Log4j, a ubiquitous Java logging library embedded in millions of applications worldwide. Its severity — a CVSS score of 10.0, trivial to exploit, and present in an enormous number of systems — made it one of the most impactful vulnerabilities ever disclosed. Exploitation began almost immediately after public disclosure, and organizations struggled for months to identify all affected systems. Log4Shell exposed the deep risks of software supply chain dependencies.

SolarWinds (2020)

The SolarWinds attack, attributed to Russia's SVR intelligence service (tracked as APT29 or Cozy Bear), compromised the build system for SolarWinds Orion, a widely used IT management platform. The attackers inserted a backdoor into a legitimate software update that was distributed to approximately 18,000 organizations, including multiple U.S. government agencies and major corporations. While not a traditional zero-day exploit in the vulnerability sense, the campaign exploited the implicit trust in the software supply chain — a zero-day in process rather than in code.

Chrome Zero-Days

Google's Chrome browser has been a frequent target for zero-day exploitation, with Google's Threat Analysis Group (TAG) regularly reporting in-the-wild zero-days targeting Chrome's V8 JavaScript engine, its rendering pipeline, and its sandbox. In 2021 alone, Google patched 17 zero-day vulnerabilities in Chrome that were actively exploited. Many of these were attributed to commercial spyware vendors and nation-state actors targeting journalists, dissidents, and government officials.

iOS Zero-Click Exploits

Some of the most sophisticated zero-day exploits discovered in recent years target Apple's iOS with zero-click capabilities — meaning they require no user interaction to compromise a device. The NSO Group's Pegasus spyware exploited zero-click vulnerabilities in iMessage to silently compromise iPhones, gaining full access to messages, calls, cameras, and microphones. Citizen Lab and Google Project Zero have documented multiple such exploit chains, revealing the extraordinary technical sophistication of the commercial spyware industry and its implications for press freedom, human rights, and diplomatic security.

How Organizations Detect Zero-Days

By definition, zero-day exploits evade signature-based detection because no signature exists. Detecting zero-day exploitation requires techniques that identify malicious behavior rather than known indicators. The following approaches form the foundation of zero-day detection.

Behavioral Analysis

Rather than looking for known malware signatures, behavioral analysis monitors systems for anomalous activity that could indicate exploitation: unexpected process creation, unusual network connections, privilege escalation attempts, abnormal file system modifications, and other behaviors that deviate from established baselines. Modern endpoint detection and response (EDR) platforms rely heavily on behavioral heuristics to identify previously unseen threats.

Endpoint Detection and Response (EDR)

EDR solutions continuously monitor endpoint activity and provide the telemetry needed to detect and investigate potential zero-day exploitation. By collecting detailed data about process execution, file operations, registry changes, and network activity, EDR enables security teams to identify suspicious patterns that may indicate a novel exploit. Leading EDR platforms incorporate machine learning models trained on large datasets of malicious and benign behavior to flag anomalies.
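The behavioral and EDR sections above describe learning a baseline and flagging deviations from it. The following is an added example, not code from the original article or from any EDR vendor, showing one minimal form of that idea: learn which parent-to-child process pairs are normal across a fleet from a training window of process-creation telemetry, then flag live events whose pair was never seen, or was seen on too few hosts, during training. The pipe-separated event format, host names and every event line are constructed for the example.

```python
"""Baseline-driven detection of anomalous process creation (added example).

Learns parent->child process pairs from EDR-style telemetry and flags live
events that fall outside the learned baseline. Event format is constructed:
    host|parent_image|child_image|command line
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str
    child: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed telemetry line; image names are case-folded."""
    host, parent, child, cmdline = line.strip().split("|", 3)
    return ProcEvent(host, parent.lower(), child.lower(), cmdline)


class ProcessBaseline:
    """Tracks, per parent->child pair, the set of hosts it was observed on."""

    def __init__(self, min_hosts: int = 2) -> None:
        self.min_hosts = min_hosts
        self._pair_hosts: dict[tuple[str, str], set[str]] = {}

    def learn(self, events: Iterable[ProcEvent]) -> None:
        for e in events:
            self._pair_hosts.setdefault((e.parent, e.child), set()).add(e.host)

    def is_baseline(self, parent: str, child: str) -> bool:
        # Require the pair on several hosts: one host already compromised during
        # the training window should not be able to whitelist its own behaviour.
        return len(self._pair_hosts.get((parent, child), ())) >= self.min_hosts


def find_anomalies(baseline: ProcessBaseline, events: Iterable[ProcEvent]) -> list[ProcEvent]:
    """Return live events whose parent->child pair is outside the baseline."""
    return [e for e in events if not baseline.is_baseline(e.parent, e.child)]


# Constructed training telemetry: a quiet period of ordinary process activity.
TRAINING_LINES = [
    "ws-01|explorer.exe|chrome.exe|chrome.exe",
    "ws-02|explorer.exe|chrome.exe|chrome.exe",
    "ws-03|explorer.exe|chrome.exe|chrome.exe",
    "ws-01|explorer.exe|winword.exe|winword.exe /n",
    "ws-02|explorer.exe|winword.exe|winword.exe /n",
    "ws-01|services.exe|svchost.exe|svchost.exe -k netsvcs",
    "ws-02|services.exe|svchost.exe|svchost.exe -k netsvcs",
    "ws-03|services.exe|svchost.exe|svchost.exe -k netsvcs",
    "ws-03|winword.exe|splwow64.exe|splwow64.exe 12288",  # legitimate, but seen on one host only
]

# Constructed live telemetry under investigation.
LIVE_LINES = [
    "ws-02|explorer.exe|chrome.exe|chrome.exe",
    "ws-07|winword.exe|powershell.exe|powershell.exe -w hidden (command redacted)",
    "ws-03|winword.exe|splwow64.exe|splwow64.exe 12288",
    "ws-05|services.exe|svchost.exe|svchost.exe -k netsvcs",
]


def run_demo() -> list[ProcEvent]:
    """Train on TRAINING_LINES, then return the anomalies found in LIVE_LINES."""
    baseline = ProcessBaseline(min_hosts=2)
    baseline.learn(parse_event(line) for line in TRAINING_LINES)
    return find_anomalies(baseline, [parse_event(line) for line in LIVE_LINES])


if __name__ == "__main__":
    for e in run_demo():
        print(f"ANOMALY host={e.host} {e.parent} -> {e.child} : {e.cmdline}")
```

Two events are flagged: the word processor spawning a hidden PowerShell on ws-07, and the printer helper on ws-03, which is legitimate but was only ever seen on one host during training. The second hit is the trade-off the min_hosts threshold makes: a lower threshold suppresses rare-but-benign pairs at the cost of letting a single compromised host train its own behaviour into the baseline, which is why output like this feeds analyst triage rather than blocking.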

Threat Hunting

Proactive threat hunting involves security analysts forming hypotheses about how an attacker might operate and then searching for evidence of that activity in their environment. Threat hunters use knowledge of adversary TTPs, threat intelligence, and anomaly detection to find threats that automated tools miss. Hunting is particularly valuable for zero-day detection because it does not depend on prior knowledge of the specific exploit.

Anomaly Detection and Network Analysis

Network-level anomaly detection identifies unusual traffic patterns, unexpected data exfiltration, command-and-control communications, and lateral movement that may indicate zero-day exploitation. Network detection and response (NDR) platforms analyze traffic metadata and content to identify threats that evade endpoint-level controls, providing an additional layer of visibility.
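Command-and-control traffic is one of the network-level signals named above, and a common way NDR tooling surfaces it is by looking for periodicity: a host that contacts the same destination at near-constant intervals is a candidate for an implant "beacon". The following added example (not code from the original article or from any NDR product) implements that check over constructed connection records: it groups connections by source and destination, computes the inter-arrival gaps, and reports flows whose gap jitter (standard deviation divided by mean) is low. The record format, addresses and timestamps are all constructed.

```python
"""Beacon-candidate detection from connection metadata (added example).

Constructed record format, one connection per line:
    epoch_seconds src_ip dst_ip dst_port
"""
import statistics
from collections import defaultdict


def parse_conn(line: str) -> tuple[int, str, str]:
    ts, src, dst, port = line.split()
    return int(ts), src, f"{dst}:{port}"


def beacon_candidates(lines, min_conns: int = 6, max_jitter: float = 0.15) -> list[dict]:
    """Return flows with at least min_conns connections whose inter-arrival
    jitter (pstdev / mean of the gaps) is at or below max_jitter."""
    flows: dict[tuple[str, str], list[int]] = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_conn(line)
        flows[(src, dst)].append(ts)

    findings = []
    for (src, dst), times in flows.items():
        if len(times) < min_conns:  # too few samples to judge periodicity
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps)
        if mean_gap == 0:  # bursts in the same second are not beacons
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            findings.append({
                "src": src,
                "dst": dst,
                "count": len(times),
                "period_s": round(mean_gap, 1),
                "jitter": round(jitter, 3),
            })
    # Most regular flows first.
    findings.sort(key=lambda f: f["jitter"])
    return findings


# Constructed sample: one periodic ~60 s flow, one irregular browsing flow,
# and one flow with too few connections to evaluate.
SAMPLE_CONNS = [
    "1700000000 10.0.0.5 203.0.113.7 443",
    "1700000060 10.0.0.5 203.0.113.7 443",
    "1700000121 10.0.0.5 203.0.113.7 443",
    "1700000180 10.0.0.5 203.0.113.7 443",
    "1700000240 10.0.0.5 203.0.113.7 443",
    "1700000302 10.0.0.5 203.0.113.7 443",
    "1700000360 10.0.0.5 203.0.113.7 443",
    "1700000420 10.0.0.5 203.0.113.7 443",
    "1700000010 10.0.0.5 198.51.100.10 443",
    "1700000015 10.0.0.5 198.51.100.10 443",
    "1700000135 10.0.0.5 198.51.100.10 443",
    "1700000138 10.0.0.5 198.51.100.10 443",
    "1700000178 10.0.0.5 198.51.100.10 443",
    "1700001078 10.0.0.5 198.51.100.10 443",
    "1700001090 10.0.0.5 198.51.100.10 443",
    "1700000005 10.0.0.9 203.0.113.7 443",
    "1700000065 10.0.0.9 203.0.113.7 443",
]

if __name__ == "__main__":
    for f in beacon_candidates(SAMPLE_CONNS):
        print(f"BEACON? {f['src']} -> {f['dst']} every ~{f['period_s']}s "
              f"(n={f['count']}, jitter={f['jitter']})")
```

Only the 10.0.0.5 to 203.0.113.7:443 flow is reported. Software update checks, monitoring agents and NTP also beacon with low jitter, so in practice this output is a hunting lead to be enriched with destination reputation, certificate and byte-count data rather than an alert on its own; implants that randomise their sleep interval will also raise the measured jitter, which is why max_jitter is a tunable rather than a constant.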

Defense-in-Depth Against Unknown Threats

No single technology can prevent zero-day exploitation. The most effective strategy is defense-in-depth — layering multiple, independent security controls so that the failure of any single layer does not result in a complete compromise. The following principles are foundational.

CISA Known Exploited Vulnerabilities (KEV) Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) maintains the Known Exploited Vulnerabilities (KEV) catalog, a curated list of vulnerabilities that have been confirmed as actively exploited in the wild. While many KEV entries are for older vulnerabilities, the catalog frequently adds recent zero-days as exploitation is confirmed.

The KEV catalog matters for several reasons. For U.S. federal agencies, Binding Operational Directive (BOD) 22-01 mandates remediation of KEV-listed vulnerabilities within specified timelines. For all organizations, the KEV catalog serves as a prioritized, evidence-based list of the vulnerabilities that pose the most immediate real-world risk. It cuts through the noise of thousands of annual CVEs by highlighting those that attackers are actually using.

Practical Recommendation

Integrate the CISA KEV catalog into your vulnerability management workflow. Treat KEV-listed vulnerabilities as top priority regardless of CVSS score, because confirmed exploitation in the wild is a stronger signal of risk than any theoretical severity rating.

Security teams should subscribe to KEV updates and automate the cross-referencing of KEV entries against their own vulnerability scan results. Several vulnerability management platforms now integrate KEV data natively, making it straightforward to flag exploited vulnerabilities for accelerated remediation.

Patch Management and Virtual Patching

Timely patching remains the most fundamental defense against exploited vulnerabilities, including those that were zero-days before a patch became available. The challenge is that patching at enterprise scale is complex: testing, scheduling maintenance windows, managing dependencies, and coordinating across distributed environments all introduce delay.

Prioritized Patching

Not all vulnerabilities can be patched immediately. Effective patch management requires prioritization based on exploitability, exposure, and business criticality. Inputs such as the CISA KEV catalog, vendor severity ratings, EPSS (Exploit Prediction Scoring System) scores, and threat intelligence about active exploitation campaigns help organizations focus their limited patching resources where they matter most.
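The KEV recommendation above (automate cross-referencing of KEV entries against scan results, and rank KEV hits first regardless of CVSS) and the prioritization inputs listed here (KEV, vendor severity, EPSS, exposure) fit naturally into one small triage step. The following added example, which is not code from the original article, CISA or any vulnerability management product, shows that step. The JSON uses the field names of the public KEV catalog file (vulnerabilities, cveID, dateAdded, dueDate, and so on), but the entry values, the scan findings, the two CVE-0000-0000x identifiers and the priority thresholds are constructed placeholders for the example.

```python
"""KEV-first vulnerability prioritization (added example).

Loads a KEV-shaped catalog, joins it against scan findings, and assigns a
priority band: P1 for anything in KEV (whatever its CVSS), P2 for findings
with a high EPSS score or a critical CVSS on an internet-exposed host,
P3 for the routine patch cycle. Thresholds are illustrative.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed catalog excerpt in the shape of the CISA KEV JSON feed.
# Field names match the public feed; the values are constructed.
KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "example",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2017-0144", "vendorProject": "Microsoft", "product": "SMBv1",
     "vulnerabilityName": "Microsoft SMBv1 Remote Code Execution Vulnerability",
     "dateAdded": "EXAMPLE-DATE-1", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "EXAMPLE-DUE-1", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
     "dateAdded": "EXAMPLE-DATE-2", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "EXAMPLE-DUE-2", "knownRansomwareCampaignUse": "Known"}
  ]
}"""


@dataclass
class Finding:
    host: str
    cve: str
    cvss: float
    epss: float
    internet_exposed: bool


@dataclass
class Ranked:
    finding: Finding
    priority: str
    reason: str
    kev_due: Optional[str]


def load_kev(catalog_json: str) -> dict[str, dict]:
    """Index KEV entries by CVE id for O(1) lookup during triage."""
    data = json.loads(catalog_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def classify(kev: dict[str, dict], f: Finding) -> tuple[str, str, Optional[str]]:
    entry = kev.get(f.cve)
    if entry is not None:
        # Confirmed in-the-wild exploitation outranks any CVSS value.
        return "P1", f"KEV: exploited in the wild (added {entry['dateAdded']})", entry["dueDate"]
    if f.epss >= 0.3:  # illustrative threshold
        return "P2", f"EPSS {f.epss:.2f} predicts likely exploitation", None
    if f.cvss >= 9.0 and f.internet_exposed:
        return "P2", f"critical CVSS {f.cvss} on internet-exposed host", None
    return "P3", "routine patch cycle", None


def prioritize(kev: dict[str, dict], findings: list[Finding]) -> list[Ranked]:
    """Rank findings: band first, then EPSS and CVSS as tie-breakers."""
    ranked = [Ranked(f, *classify(kev, f)) for f in findings]
    ranked.sort(key=lambda r: (r.priority, -r.finding.epss, -r.finding.cvss))
    return ranked


# Constructed scan results. CVE-0000-0000x ids are placeholders, not real CVEs.
SCAN_FINDINGS = [
    Finding("ws-pool",     "CVE-0000-00002", cvss=5.3,  epss=0.01, internet_exposed=False),
    Finding("srv-file-02", "CVE-2017-0144",  cvss=8.1,  epss=0.96, internet_exposed=False),
    Finding("srv-app-03",  "CVE-0000-00001", cvss=9.8,  epss=0.04, internet_exposed=True),
    Finding("srv-web-01",  "CVE-2021-44228", cvss=10.0, epss=0.97, internet_exposed=True),
]

if __name__ == "__main__":
    for r in prioritize(load_kev(KEV_JSON), SCAN_FINDINGS):
        due = f" due {r.kev_due}" if r.kev_due else ""
        print(f"{r.priority} {r.finding.host:12} {r.finding.cve:15} "
              f"CVSS {r.finding.cvss:4} EPSS {r.finding.epss:.2f}  {r.reason}{due}")
```

Note that the SMBv1 finding lands in P1 ahead of a CVSS 9.8 finding despite its lower CVSS of 8.1: that is the point of treating KEV membership as the first sort key. The KEV dueDate is carried through so that teams subject to BOD 22-01 timelines, or who adopt them voluntarily, can report against the deadline directly from the triage output.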

Virtual Patching

When a vendor patch is not yet available or cannot be applied quickly, virtual patching provides an interim layer of protection. Web application firewalls (WAFs), intrusion prevention systems (IPS), and EDR tools can be configured with rules that block exploitation attempts targeting specific vulnerabilities. Virtual patching does not fix the underlying flaw, but it reduces the window of exposure while organizations work toward full remediation.

Emergency patching procedures — the ability to deploy a critical patch within hours rather than weeks — should be tested and documented in advance. When a high-severity zero-day is disclosed, the organizations that respond fastest are those that have already established streamlined patch deployment processes.

Staying Ahead with Threat Intelligence

Zero-day threats do not exist in isolation. They are tools used by specific actors with specific objectives — nation-states conducting espionage, criminal groups pursuing financial gain, commercial spyware vendors enabling surveillance. Understanding the threat landscape provides critical context for assessing zero-day risk and prioritizing defenses.

Threat intelligence helps organizations answer essential questions: Which threat actors are most likely to target our sector? What types of zero-days are they known to use? What TTPs do they employ beyond the initial exploit? Which of our assets are most likely to be targeted? This context transforms zero-day defense from a purely reactive exercise into a proactive, risk-informed strategy.

Key practices for intelligence-driven zero-day defense include:

  1. Monitor vulnerability disclosures daily. Subscribe to vendor security advisories, CISA alerts, and curated intelligence sources that cover emerging zero-days and exploitation trends.
  2. Track threat actor activity. Understand which groups are actively using zero-days and what sectors they target. Reports from Google TAG, Microsoft MSTIC, Mandiant, and Citizen Lab are essential reading.
  3. Correlate intelligence with your attack surface. When a new zero-day is disclosed, quickly assess whether you run the affected software and what your exposure is.
  4. Participate in information sharing communities. ISACs and other sharing groups provide early warning about exploitation activity that may not yet be public.
  5. Build a daily intelligence habit. Staying current with the threat landscape is not optional for security professionals. Sources like CyberGeoDigest provide daily coverage of cyber threats with geopolitical context, helping security leaders understand not just what vulnerabilities are being exploited, but by whom and why.

The zero-day problem is not going away. Software complexity continues to grow, the economic incentives for exploit development remain strong, and the number of actors with the capability and motivation to use zero-days is increasing. But organizations that combine defense-in-depth, rigorous patch management, and continuous threat intelligence can significantly reduce their exposure — even to threats they have never seen before.

Stay informed about emerging zero-day threats and vulnerability exploitation trends. Browse our archive to see how CyberGeoDigest covers the intersection of cybersecurity and geopolitics every day.
