The term “zero-day” gets thrown around a lot in cybersecurity news. Every few months a headline appears — “critical zero-day discovered in Windows,” “nation-state actors exploit zero-day in Cisco firewall” — and then disappears before most people understand what actually happened.

This post explains what zero-days actually are, how they get found and used, and why they represent one of the most difficult problems in the entire field of security.


The Basic Idea

A zero-day vulnerability is a security flaw in software that the vendor doesn’t know about yet. No patch exists. No fix is available. Anyone who discovers it before the vendor does can exploit it freely — because the defenders have zero days to prepare.

That’s where the name comes from. Zero days of warning. Zero days to patch before the attacks begin.

Normal vulnerabilities work differently. A researcher finds a flaw, reports it to the vendor responsibly, the vendor builds a fix, releases it, and users update their software. The window of danger is manageable. With a zero-day, that entire process hasn’t happened yet. The flaw exists in production software that millions of people are running right now, and only the attacker knows it’s there.


How Zero-Days Get Found

Software is written by humans and humans make mistakes. Modern applications contain millions of lines of code. A single logic error, a buffer that can be overflowed, a function that doesn’t validate input correctly — any of these can become a vulnerability.

Finding them takes one of three approaches.

Manual code review is the oldest method. A skilled researcher reads through source code or reverse-engineers compiled binaries looking for weaknesses. It’s slow, expensive, and requires deep expertise. It also finds things automated tools miss entirely.

Fuzzing is automated. You feed a program enormous quantities of malformed, random, or unexpected input and watch what happens. When the program crashes or behaves unexpectedly, you’ve found something worth investigating. Modern fuzzers are sophisticated enough to generate structured inputs that reach deep into application logic. Google’s Project Zero team uses fuzzing extensively — it’s how a significant portion of browser vulnerabilities get discovered.
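To make the fuzzing loop concrete, here is an added example (not code from the post): a minimal mutation fuzzer in Python run against a constructed toy record parser. The format, the parser and its two defects (it trusts its own length fields and divides by a field length) are invented for the demo; the point is how a fuzzer turns "unexpected behaviour" into triaged findings.

```python
import random

# Constructed format: magic "ZD" | count (1 byte) | count * (tag, len, value)
SEED = b"ZD\x02\x01\x01a\x02\x01x"  # two well-formed fields: tag 1 -> "a", tag 2 -> "x"

def parse_record(data: bytes) -> dict:
    """Toy parser with constructed defects: it never checks that the declared
    lengths fit the buffer, and it divides by a length that may be zero."""
    if data[:2] != b"ZD":
        raise ValueError("bad magic")        # the one *expected* rejection
    count, pos, fields = data[2], 3, {}
    for _ in range(count):
        tag, length = data[pos], data[pos + 1]   # IndexError on truncated input
        value = data[pos + 2:pos + 2 + length]
        fields[tag] = sum(value) // len(value)   # ZeroDivisionError when len == 0
        pos += 2 + length
    return fields

def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random mutation per sample: bit flip, byte overwrite, truncate, insert."""
    buf, op = bytearray(data), rng.randrange(4)
    if op == 0:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2 and len(buf) > 1:
        del buf[rng.randrange(1, len(buf)):]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)

def fuzz(seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Return {exception type -> first input that triggered it}. A ValueError is
    the parser's intended rejection; anything else is a crash worth investigating."""
    rng, crashes = random.Random(rng_seed), {}
    for _ in range(iterations):
        sample = mutate(rng, seed)
        try:
            parse_record(sample)
        except ValueError:
            continue
        except Exception as exc:                 # unexpected -> record and dedupe by type
            crashes.setdefault(type(exc).__name__, sample)
    return crashes

if __name__ == "__main__":
    for kind, sample in fuzz(SEED).items():
        print(f"{kind}: {sample!r}")
```

Each crash bucket is a lead: the truncation crash says the parser trusts length fields, the division crash says a zero-length field was never considered. Real fuzzers add coverage feedback and grammar-aware generation on top of this same loop.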

Exploit chains are a different category. Sometimes a single vulnerability isn’t enough to achieve what an attacker wants. Two or three moderate weaknesses, chained together in sequence, can produce a full compromise. Around 90% of mobile device zero-day attacks in 2024 involved chains of multiple vulnerabilities rather than a single flaw.


Who Finds and Uses Them

This is where zero-days get complicated, because the people finding them and the people using them aren’t always who you’d expect.

Security researchers find zero-days and report them responsibly to vendors. This is called responsible disclosure. The vendor fixes the issue, credits the researcher, and everyone benefits. Many companies run bug bounty programmes specifically to incentivise this — Microsoft, Google, and Apple all pay significant sums for critical vulnerabilities reported through official channels.

Then there’s the commercial market. Companies like Zerodium actively purchase zero-day exploits from researchers and sell them to government agencies and law enforcement. A critical iPhone zero-day can fetch up to two million dollars on this market. The buyers are often intelligence agencies who want to maintain offensive capabilities.

Nation-state groups develop their own. China was responsible for nearly 30% of attributed government-backed zero-day exploitation in 2024 according to Google’s Threat Intelligence Group. Russian groups, North Korean groups, and others maintain dedicated teams whose job is finding vulnerabilities in software used by their targets — foreign governments, defence contractors, critical infrastructure.

Financially motivated criminals use zero-days too, though less frequently than state actors because the cost of acquiring them cuts into profit margins. When they do use them, the targets tend to be high-value: financial institutions, healthcare systems, large enterprises.


Real Examples Worth Understanding

Stuxnet — 2010

Still the most technically sophisticated zero-day attack ever publicly documented. Stuxnet used four separate Windows zero-days simultaneously — an unprecedented number — to target industrial control systems running Iranian nuclear centrifuges. It spread via USB drives, infected Windows machines silently, then looked specifically for Siemens SCADA software connected to centrifuge controllers. When it found what it was looking for, it caused the centrifuges to spin at destructive speeds while reporting normal operation to the monitoring systems.

It was a weapon disguised as software, built by a nation-state to cause physical damage without a single bomb. When it was eventually discovered and analysed, the security research community spent months working through it. Many still consider it the moment that demonstrated what nation-state cyber capabilities actually look like.

MOVEit — 2023

Progress Software’s MOVEit file transfer application had a SQL injection vulnerability that the Clop ransomware group found and weaponised before any patch existed. They exploited it at scale across thousands of organisations simultaneously — essentially a zero-day attack run as a mass campaign rather than a targeted operation.

The data stolen affected over 2,700 organisations including government agencies, universities, and major corporations. The total number of individuals whose data was compromised exceeded 90 million. All from a single SQL injection flaw that nobody at Progress Software knew about until it was already being exploited at scale.

Cisco ArcaneDoor — 2024

A campaign targeting Cisco network infrastructure — specifically the firewalls and VPN appliances that sit at the edge of corporate networks — using two zero-day vulnerabilities chained together. The attackers deployed backdoors named “Line Runner” and “Line Dancer” that gave them persistent access to network devices while evading detection.

The significance here is the target. Compromising a company’s firewall or VPN gateway means you’re inside the network before you’ve touched a single endpoint. Traditional security tools inspect traffic as it crosses the network; they have no view into a compromised device that is itself forwarding that traffic. The attacker sees everything. The defender sees nothing unusual.

This is part of a broader trend. In 2024, 44% of all zero-day exploitation targeted enterprise technologies — security appliances, VPNs, firewalls — rather than end-user software like browsers and operating systems. Attackers have figured out that compromising the security infrastructure itself is more valuable than compromising the machines behind it.


The Numbers Behind the Problem

Google’s Threat Intelligence Group tracked 75 zero-day vulnerabilities actively exploited in the wild in 2024. In 2025 that number rose to 90. The slow, steady increase has continued for years.

Microsoft was the most targeted vendor with 26 zero-days in 2024, followed by Google with 11 and Ivanti with 7. The Ivanti number is worth noting — Ivanti makes VPN and network access products used across thousands of enterprise environments. Seven zero-days in a single year from one enterprise security vendor is not a coincidence. It reflects deliberate, sustained research by adversaries who understand the value of compromising network edge devices.

The average time between a vulnerability being publicly disclosed and attackers having a working exploit has collapsed to five days. Monthly patch cycles — the standard approach most organisations use — leave a window of weeks where known, patchable vulnerabilities remain unpatched in production systems. Against zero-days, that window is irrelevant. Against disclosed vulnerabilities being weaponised in five days, monthly patching is genuinely dangerous.


Why They’re So Hard to Defend Against

The fundamental problem with zero-days is that your defences are built around known threats. Antivirus signatures, intrusion detection rules, firewall policies — all of these work by recognising patterns of known bad behaviour. A zero-day exploit, by definition, has never been seen before. There’s no signature to match. The traffic looks legitimate because nobody has written a rule to flag it yet.

This is why defence-in-depth matters. No single security control stops a sophisticated zero-day attack. What stops the damage from being catastrophic is what happens after initial access — whether the attacker can move laterally through the network, escalate privileges, access sensitive data, and maintain persistence. Each of those steps is an opportunity for detection, for containment, for response.

Network segmentation limits how far an attacker can move after initial compromise. Strong logging and monitoring create visibility into behaviour that would otherwise go unnoticed. Endpoint detection tools that look at behaviour rather than signatures catch post-exploitation activity even when the initial exploit was unknown.

None of this prevents the zero-day from working. It limits the damage to what the attacker can reach before someone notices.
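As an added illustration of behaviour-based detection (not code from the post), this Python snippet runs a signature-free heuristic over constructed logon records: a source host that reaches many distinct hosts in a short window is flagged regardless of how it was first compromised. The log format, host names and accounts are invented for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful remote-logon events (not real data):
# timestamp  source-host  destination-host  account
LOG_LINES = """
2024-05-01T09:00:12 ws-17 fileserver-1 alice
2024-05-01T09:03:40 ws-17 fileserver-1 alice
2024-05-01T22:14:05 ws-42 fileserver-1 svc-backup
2024-05-01T22:14:09 ws-42 db-2 svc-backup
2024-05-01T22:14:15 ws-42 hr-app svc-backup
2024-05-01T22:14:22 ws-42 dc-1 svc-backup
2024-05-01T22:15:01 ws-42 mail-1 svc-backup
2024-05-02T08:30:00 ws-17 fileserver-1 alice
""".strip().splitlines()

def parse(line: str):
    ts, src, dst, acct = line.split()
    return datetime.fromisoformat(ts), src, dst, acct

def fan_out_alerts(lines, window=timedelta(minutes=5), threshold=4):
    """Flag any source host that logs on to >= threshold distinct hosts inside
    `window`. No exploit signature is involved: only the post-access behaviour."""
    events = sorted(parse(l) for l in lines)
    by_src = defaultdict(list)
    for ts, src, dst, acct in events:
        by_src[src].append((ts, dst, acct))
    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):                      # sliding time window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            dsts = {d for _, d, _ in evs[start:end + 1]}
            if len(dsts) >= threshold:
                alerts.append((src, evs[end][2], sorted(dsts)))
                break                                    # one alert per source for triage
    return alerts

if __name__ == "__main__":
    for src, acct, dsts in fan_out_alerts(LOG_LINES):
        print(f"ALERT fan-out from {src} as {acct}: {', '.join(dsts)}")
```

The threshold and window are tuning knobs; in practice they come from a baseline of what each host normally does, which is exactly the visibility that logging buys you.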


What This Means If You’re Learning Security

Zero-days occupy a specific and somewhat mythologised place in hacking culture. They’re real, they’re used, and understanding them matters — but they’re not the primary threat facing most organisations.

The vast majority of successful attacks use known vulnerabilities against unpatched systems, or use techniques that don’t require any vulnerability at all — phishing, credential stuffing, social engineering. The organisations that get compromised via zero-day are, in most cases, also failing at the basics.

Understanding zero-days teaches you how software fails at a fundamental level. Buffer overflows, type confusion errors, use-after-free vulnerabilities, integer overflows — these are the underlying classes of bugs that become zero-days when discovered before the vendor is aware of them. Study these classes. Understand how memory works, how parsers fail, how trust boundaries get violated.

That knowledge makes you better at finding vulnerabilities in software you’re authorised to test, better at understanding what attackers are doing when you’re doing incident response, and better at building software that doesn’t create these problems in the first place.

The zero-day is the most dramatic version of a vulnerability. But it’s built from the same material as everything else.