CVE 📅 Jul 3, 2026 ⏱ 9 min read 👶 Beginner friendly

What is a Zero-Day Vulnerability? Explained Simply

Imagine a burglar who finds a secret entrance to your building that your security team does not know exists yet. They can come and go freely while you have no idea. That is exactly what a zero-day vulnerability is — a security flaw that attackers know about, but the people who need to fix it do not.

Zero-days are the most feared category of vulnerability in cybersecurity. Understanding what they are, how they are used, and how to reduce your exposure is essential knowledge for anyone working in IT.

What is a zero-day vulnerability?

A zero-day vulnerability is a security flaw in software or hardware that:

In simple terms: a zero-day is a hole in your wall that you did not know was there. The attacker found it before you did and is already using it.

The three terms you will hear together are:

Why is it called zero-day?

The name comes from software development. When a developer discovers that their software has a flaw, they have a certain number of days to create and release a patch before attackers start exploiting it.

A zero-day means the vendor has had zero days to fix the problem. The vulnerability was found — and often weaponised — before the vendor even knew it existed. There is no patch to apply. Users are completely exposed.

Once a vendor publishes a patch, the vulnerability is no longer technically a zero-day. It becomes an N-day (N = number of days since the patch was released). The race is then on for users to apply the patch before attackers exploit unpatched systems.

How are zero-days discovered?

Zero-days are found by a variety of people, each with different motivations:

Key fact

In 2023, Google's Project Zero tracked 97 zero-days exploited in the wild — nearly double the number from 2020. Mobile operating systems (iOS and Android) and browsers (Chrome, Safari) are the most frequently targeted platforms.

The zero-day market

Zero-days are bought and sold for enormous sums. Zerodium's public price list (as of 2024) gives a sense of the market:

These prices reflect how much governments and threat actors value the ability to silently compromise devices with no warning to the target. The high prices also incentivise researchers to sell to brokers rather than disclose responsibly — a controversial tension in the security community.

Real-world zero-day examples

Stuxnet (2010) — the most famous zero-day attack in history

Stuxnet was a joint US-Israeli cyberweapon that targeted Iranian nuclear centrifuges. It exploited four separate zero-day vulnerabilities in Windows simultaneously — an unprecedented level of sophistication. It physically destroyed centrifuges by making them spin at the wrong speed while reporting normal status to operators. It was discovered years after it had been running, and its exposure revealed that nation-states were actively using zero-days as weapons of war.

CVE-2021-30860 — FORCEDENTRY (2021)

Developed by NSO Group and used to deploy their Pegasus spyware, FORCEDENTRY was a zero-click zero-day in Apple's iMessage — meaning it required absolutely no interaction from the victim. Simply receiving a message was enough to silently compromise an iPhone. It was discovered by Citizen Lab researchers on the device of a Saudi activist. Apple patched it in September 2021 within days of being notified.

Log4Shell pre-disclosure (December 2021)

CVE-2021-44228 — Log4Shell was a zero-day for the brief period between its discovery and its public disclosure on 9 December 2021. Within hours of going public, mass exploitation began. In the short zero-day window, some threat actors had already been using it quietly. This transition from zero-day to known vulnerability happened in real time, broadcast across the internet.

How to defend against zero-days

You cannot patch what does not have a patch yet. But you can reduce the blast radius:

  1. Patch everything else immediately — zero-days are rare; unpatched known vulnerabilities are common. Most breaches exploit N-days that had patches available for months. Patch aggressively.
  2. Network segmentation — if a zero-day compromises one system, segmentation limits the attacker's ability to move sideways to other systems.
  3. Principle of least privilege — run services with the minimum permissions needed. A zero-day in a low-privilege process causes far less damage than one in a process running as Administrator or root.
  4. Endpoint Detection and Response (EDR) — behaviour-based tools like CrowdStrike Falcon or Microsoft Defender for Endpoint detect malicious behaviour patterns even without knowing the specific exploit.
  5. Web Application Firewall (WAF) — can block exploit traffic patterns for web-facing applications, buying time until a patch arrives.
  6. Threat intelligence feeds — subscribe to CISA alerts, vendor security advisories, and threat intel platforms. Zero-days in the wild are often reported within hours of discovery.
  7. Attack surface reduction — disable features you do not use. Every unnecessary service, port, or feature is a potential zero-day waiting to be found.

Pro Tip

The CISA Known Exploited Vulnerabilities (KEV) catalog at cisa.gov/kev is the single most important resource for staying ahead of active exploits. When a zero-day transitions to a known exploited CVE, it appears here. Subscribe to their RSS feed or email alerts — it is free and invaluable.

Zero-day vs N-day vulnerabilities

Once a zero-day is disclosed and patched, it becomes an N-day vulnerability. N is the number of days since the patch was released. N-days are still dangerous because:

Research by Google's Project Zero found that attackers can produce a working exploit for a newly patched vulnerability in as little as 24–48 hours after a patch is released — a window sometimes called the patch gap. This is why "patch immediately" is not just good advice; it is a genuine race against the clock.
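The defence list above (patch the N-days first), the Pro Tip on the CISA KEV catalog, and the patch-gap discussion all come down to one routine question: which of my assets appear in the known-exploited list, and how long has each flaw been an N-day? The script below is an added example written for this article, not ITVedas code and not CISA tooling. It parses a constructed catalog that follows the field names of the real KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), matches it against a hypothetical asset inventory, and ranks the hits. The two CVEs are the ones discussed on this page; the dates and the inventory are illustrative.

```python
"""Cross-reference an asset inventory against a KEV-style catalog and rank
what to patch first by how long each flaw has been an N-day.

Added example; not ITVedas code. KEV_JSON is a constructed sample in the
shape of the CISA KEV feed, INVENTORY is a hypothetical asset list."""
import json
from datetime import date

# Constructed sample (not a real download); field names follow the KEV feed.
KEV_JSON = """{
  "title": "Sample KEV catalog (constructed)",
  "vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-30860", "vendorProject": "Apple",
     "product": "iOS, iPadOS, macOS, watchOS",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Hypothetical inventory. KEV lists affected products, not fixed versions,
# so a hit means "check this asset against the vendor advisory", not
# "this exact version is vulnerable".
INVENTORY = [
    {"host": "web-01", "vendor": "Apache", "product": "Log4j2", "version": "2.14.1"},
    {"host": "exec-phone", "vendor": "Apple", "product": "iOS", "version": "14.7"},
    {"host": "db-01", "vendor": "PostgreSQL", "product": "PostgreSQL", "version": "14.1"},
]


def load_catalog(text):
    """Parse the KEV-style JSON and return its vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def match_inventory(catalog, inventory):
    """Return (asset, entry) pairs where the vendor matches and the asset's
    product name appears in the entry's comma-separated product list."""
    hits = []
    for asset in inventory:
        for entry in catalog:
            if asset["vendor"].lower() != entry["vendorProject"].lower():
                continue
            products = [p.strip().lower() for p in entry["product"].split(",")]
            if asset["product"].lower() in products:
                hits.append((asset, entry))
    return hits


def nday_age(entry, today):
    """Days since the flaw entered the catalog: the N in 'N-day'.
    `today` is an ISO date string such as '2022-01-10'."""
    return (date.fromisoformat(today) - date.fromisoformat(entry["dateAdded"])).days


def days_overdue(entry, today):
    """Positive once the catalog's remediation due date has passed."""
    return (date.fromisoformat(today) - date.fromisoformat(entry["dueDate"])).days


def prioritise(hits, today):
    """Known ransomware use first, then whichever flaw is most overdue."""
    def key(hit):
        _, entry = hit
        ransomware = entry["knownRansomwareCampaignUse"] == "Known"
        return (not ransomware, -days_overdue(entry, today))
    return sorted(hits, key=key)


def report(today, catalog_text=KEV_JSON, inventory=INVENTORY):
    """One summary line per affected asset, highest priority first."""
    hits = prioritise(match_inventory(load_catalog(catalog_text), inventory), today)
    return [
        f"{a['host']}: {e['cveID']} ({e['product']}) N-day age {nday_age(e, today)}d, "
        f"overdue {days_overdue(e, today)}d, ransomware={e['knownRansomwareCampaignUse']}"
        for a, e in hits
    ]


if __name__ == "__main__":
    for line in report(date.today().isoformat()):
        print(line)
```

Run against the real feed, `catalog_text` would be the downloaded KEV JSON and `inventory` would come from your CMDB or patch-management export; the matching here is deliberately loose (vendor plus product name) because KEV product strings are free text, so treat each hit as a prompt to read the advisory rather than as proof of exposure.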

Frequently asked questions

Why is it called a zero-day?

The developer has had zero days to fix the problem before it can be exploited. The vulnerability exists, there is no patch, and attackers are already using it or could start at any moment.

How are zero-days discovered?

By security researchers, bug bounty hunters, nation-state intelligence agencies, and criminal hackers. Some are sold on legitimate markets for six- or seven-figure sums; others are sold on dark web forums. Many are eventually found by researchers and disclosed responsibly to vendors.

Can antivirus stop a zero-day attack?

Traditional signature-based antivirus cannot — there is no known signature to detect. Modern EDR tools using behaviour-based detection are far more effective. Network monitoring, segmentation, and least-privilege configurations also reduce risk significantly.
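The EDR item in the defence list and the answer above both rest on the same idea: a behaviour rule can fire on what an exploit does after landing, even though nobody has a signature for the exploit itself. The script below is an added example written for this article; it is not ITVedas code and not the detection logic of CrowdStrike Falcon, Microsoft Defender for Endpoint, or any other product. The process-creation events and their key=value line format are constructed, and the list of parents that should never spawn a shell is a hypothetical starting point.

```python
"""Behaviour-based detection over process-creation events: the kind of
signal an EDR uses when no exploit signature exists yet.

Added example; not ITVedas code and not any vendor's logic. The log lines
are constructed and the key=value format is hypothetical."""
import re

# Parents that should almost never spawn a command interpreter: server
# runtimes and document, mail and browser clients. Hypothetical list.
NO_SHELL_PARENTS = {"java", "httpd", "nginx", "winword.exe", "excel.exe",
                    "outlook.exe", "chrome", "safari"}
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh"}

# Constructed events from a known-good period, used to learn normal pairs.
BASELINE_LOG = """\
ts=2021-12-01T08:00:00Z host=web-01 user=svc-web parent=java child=java
ts=2021-12-01T08:05:00Z host=web-01 user=root parent=systemd child=java
ts=2021-12-01T09:00:00Z host=web-01 user=alice parent=sshd child=bash
ts=2021-12-01T09:00:05Z host=web-01 user=alice parent=bash child=ls
"""

# Constructed events to evaluate (not real telemetry).
LIVE_LOG = """\
ts=2021-12-10T12:00:01Z host=web-01 user=alice parent=sshd child=bash
ts=2021-12-10T12:00:09Z host=web-01 user=svc-web parent=java child=bash
ts=2021-12-10T12:01:00Z host=web-01 user=svc-web parent=java child=java
ts=2021-12-10T12:02:00Z host=ws-07 user=bob parent=winword.exe child=powershell.exe
ts=2021-12-10T12:03:00Z host=web-01 user=root parent=cron child=logrotate
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """One dict per non-empty line, built from its key=value fields."""
    return [dict(FIELD.findall(line)) for line in text.splitlines() if line.strip()]


def build_baseline(events):
    """Set of (parent, child) pairs observed during the known-good period."""
    return {(e["parent"].lower(), e["child"].lower()) for e in events}


def detect(events, baseline):
    """Return (event, reason) for each suspicious event.

    Two behaviour checks, neither of which needs to know the exploit:
      1. a server runtime or office/mail/browser app spawning a shell;
      2. a parent/child pair never seen in the baseline."""
    findings = []
    for e in events:
        parent, child = e["parent"].lower(), e["child"].lower()
        if parent in NO_SHELL_PARENTS and child in SHELLS:
            findings.append((e, f"{parent} spawned shell {child}"))
        elif (parent, child) not in baseline:
            findings.append((e, f"unseen process pair {parent}->{child}"))
    return findings


def summarise(live_text=LIVE_LOG, baseline_text=BASELINE_LOG):
    """Human-readable alert lines for the live events."""
    baseline = build_baseline(parse_events(baseline_text))
    return [f"{e['ts']} {e['host']} user={e['user']}: {reason}"
            for e, reason in detect(parse_events(live_text), baseline)]


if __name__ == "__main__":
    for line in summarise():
        print(line)
```

The third alert (cron starting logrotate) is benign; it fires only because the baseline never saw that pair. That is the trade-off the FAQ answer is pointing at: behaviour-based detection catches the unknown, but it needs a good baseline and a triage process, because it will also surface ordinary activity that nobody recorded as normal.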

How long does a zero-day stay secret?

It varies enormously. Some zero-days are used for years before discovery (Stuxnet ran undetected for several years). Others are found and disclosed within weeks. Nation-state zero-days tend to have the longest dwell times because the attackers are motivated to keep them secret.
