Zero-day exploit

A zero-day exploit is an attack that takes advantage of a software vulnerability for which the vendor has no patch or mitigation available, usually because the vendor does not yet know the flaw exists. Attackers who find such a flaw can weaponize it immediately, giving defenders "zero days" to prepare, test, or deploy fixes. Because the vulnerability is not publicly documented and no signatures exist for the exploit, initial exploitation is hard to detect, and signature-based defenses usually do not stop it.
Until a vendor patch or mitigation is available, organizations must rely on detection heuristics, behavior-based monitoring, isolation of affected systems, and rapid incident response. Threat actors use zero-day exploits for initial access, privilege escalation, data theft, supply-chain compromise, targeted espionage, ransomware deployment, and establishing persistent footholds. The combination of high impact and the absence of a reliable fix makes zero-day exploits among the most dangerous attack vectors an organization has to manage, and reducing exposure and recovering safely requires coordinated technical, operational, and vendor-facing work.
Advanced
Zero-day exploitation frequently chains several bugs (for example, a remote code-execution flaw followed by a sandbox escape or a privilege escalation) and relies on obfuscation and in-memory payloads to avoid leaving artifacts on disk. Attackers weaponize memory-corruption bugs, logic flaws, or vulnerabilities in privileged components, and deliver the exploit via phishing, watering-hole sites, trojanized supply-chain updates, or direct network access to exposed services.
Defensive techniques include platform exploit mitigations (ASLR, DEP, control-flow integrity), endpoint detection and response (EDR) telemetry with behavior-based detection, sandboxing, virtual patching via network controls such as IPS or WAF rules, and threat intelligence sharing. Mitigations raise the cost of a working exploit but are routinely bypassed in mature exploit chains, so they should be treated as one layer rather than a substitute for detection. Rapid coordinated disclosure and patch deployment cycles, plus compensating controls, are critical to contain exploitation until an official patch is released.
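The following is an added example, not code from the original page and not any vendor's rule set. It shows the kind of behavior-based check that EDR process-creation telemetry makes possible when no signature exists: it walks process ancestry and flags lineages that are suspicious regardless of which bug produced the code execution (an interpreter spawned under a document handler, an interpreter spawned by a privileged service, and command lines carrying encoded or in-memory staging markers), then names the hosts that meet the isolation threshold. The events, host names, image lists, markers, and severity thresholds are all constructed for illustration.

```python
"""Behavior-based triage over constructed EDR-style process-creation events.

All image names, marker strings, thresholds and sample events are
illustrative assumptions, not a real product's detection content.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str      # executable file name, lower-case
    cmdline: str
    user: str


# Parents that should never launch interpreters or LOLBins (assumed lists).
DOC_HANDLERS = {"winword.exe", "excel.exe", "acrord32.exe", "outlook.exe", "chrome.exe"}
PRIV_SERVICES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "wininit.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Command-line fragments typical of fileless / in-memory payload staging.
INMEM_MARKERS = ("-encodedcommand", "-enc ", "frombase64string", "iex ",
                 "invoke-expression", "downloadstring", "reflection.assembly")


def index_by_pid(events):
    """Map (host, pid) -> event so parent links can be followed per host."""
    return {(e.host, e.pid): e for e in events}


def ancestry(by_pid, ev, max_depth=5):
    """Return the parent chain of ev, nearest parent first, up to max_depth."""
    chain, cur = [], ev
    for _ in range(max_depth):
        parent = by_pid.get((cur.host, cur.ppid))
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def evaluate(by_pid, ev):
    """Score one event: returns (severity, reasons); severity 0 means benign."""
    reasons, severity = [], 0
    chain = ancestry(by_pid, ev)
    if ev.image in INTERPRETERS:
        if any(p.image in DOC_HANDLERS for p in chain):
            reasons.append("interpreter spawned under a document/browser handler")
            severity = max(severity, 2)
        if chain and chain[0].image in PRIV_SERVICES:
            reasons.append(f"privileged service {chain[0].image} spawned {ev.image}")
            severity = max(severity, 3)
    low = ev.cmdline.lower()
    if any(marker in low for marker in INMEM_MARKERS):
        reasons.append("encoded or in-memory staging markers in command line")
        severity = max(severity, 2)
    if len(reasons) >= 2:        # independent signals corroborate each other
        severity += 1
    return severity, reasons


def triage(events, isolate_at=3):
    """Return (alerts, hosts_to_isolate); alerts are (host, pid, severity, reasons)."""
    by_pid = index_by_pid(events)
    alerts = []
    for ev in events:
        severity, reasons = evaluate(by_pid, ev)
        if reasons:
            alerts.append((ev.host, ev.pid, severity, reasons))
    hosts = sorted({h for h, _, s, _ in alerts if s >= isolate_at})
    return alerts, hosts


# Constructed sample telemetry: a phishing document on ws-01, a privileged
# service spawning a LOLBin on srv-07, and a benign shell on ws-02.
SAMPLE_EVENTS = [
    ProcEvent("ws-01", 100, 1, "explorer.exe", "explorer.exe", "CORP\\alice"),
    ProcEvent("ws-01", 101, 100, "winword.exe", "winword.exe invoice.docx", "CORP\\alice"),
    ProcEvent("ws-01", 102, 101, "cmd.exe",
              "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgAIAAoAE4A", "CORP\\alice"),
    ProcEvent("ws-01", 103, 102, "powershell.exe",
              "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4A", "CORP\\alice"),
    ProcEvent("srv-07", 600, 1, "services.exe", "services.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent("srv-07", 610, 600, "spoolsv.exe", "spoolsv.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent("srv-07", 611, 610, "rundll32.exe",
              "rundll32.exe C:\\Windows\\Temp\\x.dll,Start", "NT AUTHORITY\\SYSTEM"),
    ProcEvent("ws-02", 200, 1, "explorer.exe", "explorer.exe", "CORP\\bob"),
    ProcEvent("ws-02", 201, 200, "cmd.exe", "cmd.exe /c dir", "CORP\\bob"),
]


if __name__ == "__main__":
    found, isolate = triage(SAMPLE_EVENTS)
    for host, pid, sev, why in found:
        print(f"{host} pid={pid} severity={sev}: {'; '.join(why)}")
    print("isolate:", isolate)
```

None of these rules name a CVE or a file hash; they describe behavior that a working exploit against a document parser or a privileged service has to exhibit to get a foothold, which is why such rules keep working on the day the vulnerability is still unknown. The trade-off is false positives from legitimate automation, so in practice each rule carries an allow-list of known-good parent/child pairs that is tuned per environment.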
Example
A software vendor learned of an exploit already being used in the wild to run arbitrary code through a privileged service. Customers with slow patching cycles saw attacker lateral movement and data exfiltration. Organizations that had EDR, network segmentation, and emergency isolation playbooks in place detected the unusual process behavior early, contained the attack to a subset of hosts, and applied the vendor patch within 48 hours, substantially reducing the overall impact.