Zero-Day
A zero-day (or 0-day) is a security vulnerability for which no patch from the vendor exists at the time of discovery or exploitation—defenders have zero days to respond.
The term zero-day refers both to the unknown vulnerability itself and to the exploit based on it (zero-day exploit). The name derives from the fact that the software vendor had "zero days" to patch the vulnerability before it was exploited.
Life Cycle of a Zero-Day
- Discovery: By independent researchers, state actors, or criminals
- Vulnerability brokers: Zero-days are sometimes traded for hundreds of thousands to millions of dollars (Zerodium, government buyers)
- Exploitation: Often used covertly for months before the vulnerability is discovered
- Disclosure: Responsible Disclosure (coordinated with the vendor) or Full Disclosure (public)
- Patch: Vendor releases a fix
- CVE Assignment: Official entry in the CVE database
Zero-Days in Context
State-sponsored cyberattacks: The best-known zero-day attacks were carried out by state-sponsored actors:
- Stuxnet (2010): Used four zero-days against Iranian uranium enrichment facilities
- WannaCry (2017): Based on EternalBlue, an NSA zero-day exploit leaked by the Shadow Brokers
APT groups treat zero-days as strategic resources that they deploy specifically against high-value targets.
What companies can do
Since zero-days are, by definition, unknown, traditional patching strategies offer no protection. Effective countermeasures:
- Defense-in-Depth: Multiple layers of security prevent a single zero-day from leading to a complete compromise
- EDR/XDR: Behavior-based detection instead of signature-based
- Network segmentation: Limits propagation after initial access
- Least Privilege: Minimal privileges limit the potential for damage
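The EDR/XDR point above is the one that is easiest to misread, so here is a small worked illustration of what "behaviour-based instead of signature-based" means in practice. It is an added example, not code from the original page or from any EDR product: a hash blocklist (signature) is compared with two simple behavioural rules (a document application spawning a script host; an executable launched from a user-writable directory) over a handful of constructed process-creation events. All paths, user names and hashes in the sample data are invented placeholders, and the rule sets are a deliberately short illustration of the idea, not a complete detection policy.

```python
import json
from dataclasses import dataclass

# Constructed process-creation events in JSON-lines form, loosely modelled on
# what an EDR agent records. Paths, users and (truncated) hashes are invented.
SAMPLE_EVENTS = r"""
{"id": 1, "parent": "explorer.exe", "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "cmdline": "WINWORD.EXE invoice.docx", "sha256": "aa01"}
{"id": 2, "parent": "WINWORD.EXE", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc <base64-placeholder>", "sha256": "bb02"}
{"id": 3, "parent": "WINWORD.EXE", "image": "C:\\Windows\\splwow64.exe", "cmdline": "splwow64.exe 12288", "sha256": "cc03"}
{"id": 4, "parent": "services.exe", "image": "C:\\ProgramData\\Updater\\updater.exe", "cmdline": "updater.exe /silent", "sha256": "dd04"}
{"id": 5, "parent": "explorer.exe", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\inv0ice.exe", "cmdline": "inv0ice.exe", "sha256": "ee05"}
"""

# Signature-style knowledge: a blocklist of hashes of samples seen before.
# Only event 4 carries a known hash; events 2 and 5 are "new" to the blocklist.
KNOWN_BAD_HASHES = {"dd04"}

# Behavioural knowledge (assumed, illustrative): document viewers have no
# legitimate reason to start script hosts, and executables normally do not
# run from user-writable temporary or download folders.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\")


@dataclass(frozen=True)
class Finding:
    event_id: int
    method: str   # "signature" or "behaviour"
    reason: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (or bare process name)."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def signature_detect(events: list[dict], blocklist: set[str]) -> list[Finding]:
    """Flag only images whose hash is already known to be bad."""
    return [
        Finding(e["id"], "signature", f"sha256 {e['sha256']} is on the blocklist")
        for e in events
        if e["sha256"] in blocklist
    ]


def behaviour_detect(events: list[dict]) -> list[Finding]:
    """Flag suspicious process relationships regardless of file hash."""
    findings = []
    for e in events:
        parent, child = basename(e["parent"]), basename(e["image"])
        if parent in DOCUMENT_APPS and child in SCRIPT_HOSTS:
            findings.append(Finding(e["id"], "behaviour", f"{parent} spawned {child}"))
        if any(marker in e["image"].lower() for marker in USER_WRITABLE):
            findings.append(Finding(e["id"], "behaviour",
                                    f"executable launched from user-writable path {e['image']}"))
    return findings


def run(text: str, blocklist: set[str]) -> list[Finding]:
    """Run both detectors and return findings ordered by event and method."""
    events = parse_events(text)
    findings = signature_detect(events, blocklist) + behaviour_detect(events)
    return sorted(findings, key=lambda f: (f.event_id, f.method))


def flagged_ids(findings: list[Finding]) -> list[int]:
    """Distinct event ids that were flagged by any detector."""
    return sorted({f.event_id for f in findings})


if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS, KNOWN_BAD_HASHES):
        print(f"event {f.event_id:>2}  [{f.method:9}] {f.reason}")
```

Running it shows the asymmetry the list item describes: the blocklist catches only event 4, whose hash was already known, while the behavioural rules flag events 2 and 5 even though their hashes appear nowhere in the blocklist. That is exactly the situation a zero-day creates (no signature exists yet), and it is why the countermeasures above emphasise behaviour, layering and containment rather than recognising the specific exploit.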