What is a Zero-Day Vulnerability?


A zero-day vulnerability is a software flaw unknown to the vendor with no patch available. Learn what zero-days are, how they are exploited, and what they mean for your security posture.

The Zero-Day Lifecycle

Understanding how zero-days move from discovery to exploitation to patch helps clarify the actual risk they represent and the defensive options available at each stage.

Discovery

Vulnerabilities are discovered through security research — both by ethical researchers and by threat actors. Ethical researchers who discover vulnerabilities typically follow responsible disclosure practices: notifying the vendor privately, allowing a defined period (typically 90 days) for patch development, and then publishing the vulnerability details publicly. This process creates the window during which a patch is developed and the vulnerability remains unpublished but known to the vendor.

Threat actors discover vulnerabilities through their own research or purchase them on vulnerability markets. Nation-state intelligence agencies maintain stockpiles of undisclosed vulnerabilities — zero-days — for use in offensive cyber operations. EternalBlue, which was eventually leaked and weaponized in the WannaCry ransomware, was a zero-day the NSA developed and stockpiled before disclosure. Criminal groups purchase zero-days from brokers who acquire them from independent researchers willing to sell to the highest bidder rather than disclose responsibly.

Exploitation

Once a zero-day is known to a threat actor, it can be weaponized into an exploit — code that reliably triggers the vulnerability to achieve a specific outcome: remote code execution, privilege escalation, authentication bypass, or information disclosure. The most dangerous zero-days enable remote code execution without authentication — an attacker can compromise a vulnerable system over the network without any user interaction or credentials.

Who Uses Zero-Days and Against Whom

Nation-State Actors

Nation-state intelligence and cyber warfare units are the primary users of sophisticated zero-day exploits against high-value targets. The development and acquisition cost of reliable zero-days against major platforms — Windows, iOS, enterprise networking equipment — runs from hundreds of thousands to millions of dollars per vulnerability. These economics mean sophisticated zero-days are primarily used in targeted operations where the intelligence value or strategic impact justifies the cost. Organizations in defense, critical infrastructure, government contracting, and politically sensitive sectors face elevated zero-day risk from nation-state actors.

Criminal Groups

Criminal ransomware and espionage groups use zero-days when they can acquire them and when the target's security posture makes known-vulnerability exploitation ineffective. Most criminal attacks against mid-market organizations use known vulnerabilities — often vulnerabilities that have been patched for months or years but remain unpatched in the target environment. The investment in zero-day acquisition is unnecessary when patching discipline is poor. Criminal groups prioritize zero-days for initial access to environments where known vulnerabilities have been patched and where the potential ransom or data value justifies the exploit cost.

Vulnerability Brokers

A commercial market exists for zero-day vulnerabilities. Companies like Zerodium publicly advertise purchase prices for specific zero-days — $2.5 million for a full iOS chain with persistence, $2 million for Chrome or Safari remote code execution, $500,000 for Microsoft Exchange server-side exploitation. These prices reflect the operational value of the vulnerabilities to buyers, who include both government intelligence agencies and, in some cases, less scrupulous customers.

Defending Against Zero-Days When Patching Isn't Possible

Defense in Depth

The primary defensive framework against zero-days is defense in depth — the principle that no single control is relied upon exclusively, and that multiple independent security layers ensure that compromise of one layer does not result in complete attacker success. An attacker who exploits a zero-day in a perimeter application gains access to that system. If network segmentation limits lateral movement from that system, if least-privilege access controls limit what credentials are accessible from that system, if endpoint detection identifies the post-exploitation behavior that follows initial access, and if monitoring detects the anomalous activity — the zero-day exploitation becomes a contained incident rather than a breach.

Behavioral Detection

Zero-days by definition cannot be detected by signature-based controls — there is no known signature for an unknown vulnerability exploit. Behavioral detection — identifying anomalous activity patterns that indicate exploitation regardless of the specific technique — is the primary detection mechanism. An endpoint that begins spawning unexpected child processes from a web server, establishing outbound connections to unusual destinations, or accessing credential stores unexpectedly exhibits behavioral patterns consistent with post-exploitation activity, regardless of how initial access was achieved.
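As an added illustration (not code from the original article), the following detector applies two of the behavioral rules described above to constructed endpoint telemetry: a shell or scripting host anywhere in the process tree beneath a web server, and an outbound connection to a destination outside an egress allow-list. The event format, field names, process lists and allow-list are assumptions for this example.

```python
"""Behavioral post-exploitation detection over constructed endpoint events (added example)."""
from ipaddress import ip_address, ip_network

# Assumed lists: web-tier parent processes and shells that should never descend from them.
WEB_SERVERS = {"w3wp.exe", "httpd", "nginx", "tomcat"}
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}
# Constructed egress allow-list: networks the web tier is expected to reach.
ALLOWED_EGRESS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def web_ancestor(pid, procs):
    """Walk the recorded parent chain from pid; return the web-server ancestor name, if any."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        name, ppid = procs[pid]
        if name in WEB_SERVERS:
            return name
        pid = ppid
    return None


def detect(events):
    """Return alert strings for events matching either behavioral rule."""
    procs = {}  # pid -> (image name, parent pid), rebuilt from process events in order
    alerts = []
    for e in events:
        if e["type"] == "process":
            procs[e["pid"]] = (e["image"].lower(), e["ppid"])
            if e["image"].lower() in SHELLS:
                ancestor = web_ancestor(e["ppid"], procs)
                if ancestor:
                    alerts.append(f"{e['host']}: {e['image']} (pid {e['pid']}) descends from web server {ancestor}")
        elif e["type"] == "network":
            dst = ip_address(e["dst"])
            if not any(dst in net for net in ALLOWED_EGRESS):
                alerts.append(f"{e['host']}: {e['image']} (pid {e['pid']}) connected out to {e['dst']}:{e['port']}")
    return alerts


# Constructed sample telemetry: routine web-server activity followed by a suspicious chain.
SAMPLE_EVENTS = [
    {"type": "process", "host": "web01", "pid": 1000, "ppid": 400, "image": "w3wp.exe"},
    {"type": "process", "host": "web01", "pid": 2001, "ppid": 1000, "image": "csc.exe"},  # routine compile, not flagged
    {"type": "network", "host": "web01", "pid": 1000, "image": "w3wp.exe", "dst": "10.0.5.20", "port": 1433},
    {"type": "process", "host": "web01", "pid": 3001, "ppid": 1000, "image": "cmd.exe"},
    {"type": "process", "host": "web01", "pid": 3002, "ppid": 3001, "image": "powershell.exe"},
    {"type": "network", "host": "web01", "pid": 3002, "image": "powershell.exe", "dst": "203.0.113.7", "port": 443},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The rules fire on the cmd.exe and powershell.exe children and on the outbound connection, while the csc.exe compile and the database connection inside the allow-list stay quiet; nothing in the logic depends on which vulnerability produced the initial access.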

Attack Surface Reduction

Every system exposed to potential attackers — externally or internally — represents potential zero-day exposure. Reducing the attack surface by disabling unnecessary services, restricting internet-facing systems to the minimum required functionality, and implementing strict egress filtering reduces the value of zero-day exploitation even when it cannot be prevented.

Real-World Example: EternalBlue — The NSA Zero-Day That Became WannaCry

EternalBlue is a zero-day exploit developed by the NSA targeting a vulnerability in the Windows SMB protocol. The NSA used it operationally for years before a group called The Shadow Brokers leaked the exploit publicly in April 2017. Microsoft had issued a patch — MS17-010 — in March 2017 after being tipped off about the upcoming leak. One month after the patch, WannaCry ransomware — attributed to North Korea's Lazarus Group — weaponized EternalBlue and spread to an estimated 230,000 systems in 150 countries in a single day, exploiting the systems that had not applied the one-month-old patch. The NHS in the UK was severely disrupted. FedEx subsidiary TNT Express suffered $400 million in damages. The zero-day itself had been addressed. The patch gap — the period between patch availability and patch application — was the attack surface.

97 days is the average time between a vulnerability being discovered by attackers and a patch being issued by vendors — meaning organizations face nearly 100 days of exposure on average for newly discovered flaws.

How Cloudskope Can Help

Cloudskope's vulnerability management assessments evaluate your exposure to both known and emerging zero-day risk — assessing patch cadence, attack surface exposure, behavioral detection coverage, and network segmentation controls that limit the impact of zero-day exploitation. For organizations in sectors with elevated nation-state threat exposure, we provide threat-intelligence-driven risk assessments that prioritize defensive investments against the specific adversaries relevant to your industry.