What Is a Zero-Day Exploit?
On May 27, 2023, the Cl0p ransomware crew started pulling data out of corporate file-transfer servers running Progress MOVEit Transfer. They were abusing CVE-2023-34362, a SQL injection flaw nobody outside the attackers knew existed. Progress did not publish an advisory until May 31. By then the theft was already running at scale. There was no patch to apply, no signature to block, and no CVE to look up. The vendor had zero days of warning, and so did every defender.
That is a zero-day exploit. The defender is not slow this time. The defender is blind.
This is the hardest class of attack to stop because the usual playbook depends on knowing the flaw exists. You cannot patch what the vendor has not fixed. You cannot block a signature that has not been written. According to the Google Threat Intelligence Group, attackers exploited 75 zero-day vulnerabilities in the wild during 2024, and more than 60% of the enterprise ones hit security and networking products like firewalls and VPNs, the exact gear meant to keep attackers out.
This article covers what a zero-day exploit is, how it differs from the vulnerability and the attack, how the exploitation chain runs, the breaches that defined the category, and what a blue team actually does when there is no patch.
What Is a Zero-Day Exploit?
A zero-day exploit is the code or technique an attacker uses to take advantage of a software flaw that the vendor does not yet know about or has not yet patched. The name comes from the vendor's position: they have had zero days to fix the problem before it is used against real targets.
Three terms get used interchangeably, and the distinction matters for how you respond:
- Zero-day vulnerability: the underlying flaw itself, unknown to the vendor and with no fix available. It is a defect sitting in shipped code.
- Zero-day exploit: the working method that abuses that flaw to do something useful for the attacker, such as remote code execution or an authentication bypass.
- Zero-day attack: the real-world incident where the exploit is deployed against a target before a patch exists. NIST defines this as an attack that exploits a previously unknown hardware, firmware, or software vulnerability.
The flaw is the hole. The exploit is the tool that fits the hole. The attack is someone using the tool on you. A vulnerability can sit dormant for years; it only becomes a zero-day attack the moment someone weaponizes it while the vendor is still in the dark.
Once the vendor learns of the flaw and ships a fix, the clock changes. The flaw is no longer a zero-day. It becomes an n-day, a known and patched vulnerability where the only thing standing between attacker and target is whether the defender has applied the update. Most mass exploitation actually happens in the n-day phase, after disclosure, because patching at scale is slow. The MOVEit flaw was a zero-day for a few days and an n-day for months, and the n-day window is where most victims were hit.
Why Zero-Day Exploits Are So Dangerous
With an ordinary vulnerability, the defender and attacker get the disclosure at the same time, and it becomes a race to patch. With a zero-day, the attacker has been running unopposed before the race even starts.
There is no patch and no signature
Every standard control assumes prior knowledge. Antivirus needs a signature. A vulnerability scanner needs a CVE in its database. A patch program needs a vendor fix to deploy. A zero-day has none of these on day zero, so the controls that catch known threats are simply not in the game yet. Detection has to fall back on behavior, not on identity.
Exploitation now beats the patch
Mandiant's tracking of how fast attackers weaponize flaws found that the average time-to-exploit collapsed from 63 days in 2018 to the point where, for the most-targeted flaws, exploitation often precedes the patch entirely. When the exploit ships before the fix, the disclosure-to-patch window that defenders rely on no longer exists.
The high end is state-grade
Finding and weaponizing a reliable zero-day is expensive, so the people doing it tend to be well-resourced. Of the 2024 zero-days the Google Threat Intelligence Group could attribute, espionage actors, meaning government-backed groups and commercial surveillance vendors, accounted for just over half. China-nexus and North Korean groups tied for the most government-backed activity. These are not opportunists. They are patient, targeted, and built to stay quiet.
Attackers aim at the security stack itself
The 2024 data showed a deliberate shift toward edge and security products: 20 of the 33 enterprise zero-days targeted security and networking gear such as firewalls, VPN appliances, and other internet-facing infrastructure. These devices are reachable from the internet, often run opaque vendor firmware, are hard to take offline, and frequently sit outside normal endpoint monitoring. Compromise one and you are past the perimeter with little to stop you.
How a Zero-Day Exploit Works
The path from undisclosed flaw to full intrusion runs in five stages. The defining feature is that the first stages happen while the vendor and defender know nothing.
- Discovery: a researcher, broker, or attacker finds a flaw the vendor does not know about. It might be sold on a gray market, hoarded by an intelligence agency, or developed in-house by a crew.
- Weaponization: the flaw is turned into a reliable exploit, often paired with a payload such as a web shell, implant, or ransomware loader.
- Exploitation: the exploit is launched against live targets. This is initial access, and it succeeds because no patch and no signature exist to stop it.
- Post-exploitation: from that foothold the attacker establishes persistence, escalates privilege, and moves toward higher-value systems. A reliable endpoint detection and response tool can catch this stage on behavior alone, even when the initial exploit was invisible.
- Disclosure and n-day decay: eventually the activity is detected, the vendor is notified, and a patch ships. The flaw becomes an n-day. Exploitation usually surges here as other attackers reverse the patch and target everyone who has not updated.
Stage 3 is the one defenders cannot prevent with patching, because the patch does not exist. Everything from stage 4 onward is where behavioral detection earns its keep. A zero-day buys an attacker the front door, but the rest of the intrusion still generates noise a tuned detection program can hear.
Notable Zero-Day Attacks
These are the cases that defined the category. Each used a flaw with no patch available at the time of attack.
| Attack | CVE / flaw | Year | What made it a zero-day |
|---|---|---|---|
| Stuxnet | CVE-2010-2568 plus three more Windows flaws | 2010 | Weaponized four Windows zero-days at once to reach air-gapped industrial systems |
| Log4Shell | CVE-2021-44228 (Apache Log4j2) | 2021 | RCE in a ubiquitous logging library, exploited in the wild around disclosure before most could patch |
| MOVEit Transfer | CVE-2023-34362 | 2023 | SQL injection zero-day mass-exploited by Cl0p for data theft before the vendor advisory |
| Ivanti Connect Secure | CVE-2025-22457 | 2025 | Buffer overflow in a VPN appliance, exploited by a suspected China-nexus group before a fix |
The pattern across all four: the attacker moved first, and the defender's window to react opened only after the damage was underway. Stuxnet used four zero-days in a single operation, which signaled state-level resourcing long before that was the norm. MOVEit showed how one file-transfer flaw could turn into thousands of victims through a single well-prepared crew. The Ivanti case is the current shape of the threat, an edge appliance compromised by an espionage actor before anyone had a patch.
How to Defend Against Zero-Day Exploits
You cannot patch a flaw nobody has fixed yet. So zero-day defense is not about the flaw. It is about catching the behavior the exploit produces and shrinking the blast radius when one lands.
Detect on behavior, not signatures
This is the core move. Behavior-based detection through EDR and XDR watches what processes actually do, not whether they match a known-bad hash. An exploited service spawning a shell, a VPN appliance writing a web shell to disk, a sudden burst of outbound data: these are visible regardless of whether the initial flaw was known. Behavioral and anomaly detection is the one control that works on day zero.
Segment the network
A zero-day gives an attacker a foothold. Network segmentation decides whether that foothold becomes a breach. If the compromised host cannot reach the crown jewels, the exploit bought the attacker far less. Segmentation does not prevent the initial access, but it caps what the access is worth.
Virtual patch the exposure
When no vendor patch exists, a web application firewall or intrusion prevention system can sometimes block the exploit pattern at the network layer. This virtual patching does not fix the flaw, but it can buy time on internet-facing systems until a real fix arrives. It is a bridge, not a cure.
Feed threat intelligence into detection
The window between first exploitation and vendor disclosure is exactly what threat intelligence shortens. Indicators from early victims, vendor advisories, and the CISA Known Exploited Vulnerabilities catalog turn an unknown into something you can hunt for. The KEV catalog only lists flaws with confirmed active exploitation, which makes it the priority queue once a zero-day becomes an n-day.
Patch fast when the fix lands
The zero-day phase is short. The n-day phase is where most victims are hit, because exploitation surges after disclosure while organizations patch slowly. Strong patch management closes that window, and a mature vulnerability management program makes sure the formerly-zero-day flaw does not sit unpatched for the months that follow. Speed in the n-day phase is the difference between a near miss and a breach.
Frequently Asked Questions
What is a zero-day exploit?
A zero-day exploit is the code or technique an attacker uses to abuse a software flaw that the vendor does not yet know about or has not yet patched. Because no fix exists, standard defenses that rely on signatures or patches cannot stop it on the day it is used.
What is the difference between a zero-day vulnerability and a zero-day exploit?
The vulnerability is the underlying flaw in the software that the vendor is unaware of. The exploit is the working method that takes advantage of that flaw to do something malicious, such as run code or bypass authentication. The vulnerability is the hole; the exploit is the tool that fits it.
Why are zero-day exploits so dangerous?
Because there is no patch and no signature available when the attack happens, so the controls that catch known threats are not yet in play. Zero-days are also expensive to develop, so they are often used by well-resourced state-backed and espionage actors against high-value targets.
Can you defend against an attack with no patch?
Yes, but not by patching. Behavior-based detection through EDR and XDR can catch what an exploit does after it lands, even when the flaw itself is unknown. Network segmentation, virtual patching at a firewall or IPS, and threat intelligence further limit and shorten the exposure.
What does n-day mean compared to zero-day?
A zero-day is a flaw the vendor does not know about and has not patched. Once the vendor learns of it and ships a fix, it becomes an n-day, a known and patched vulnerability. Most mass exploitation happens in the n-day phase, because many organizations are slow to apply the patch after disclosure.
How many zero-day exploits happen each year?
The Google Threat Intelligence Group tracked 75 zero-day vulnerabilities exploited in the wild in 2024. More than 60% of the enterprise-focused ones targeted security and networking products such as firewalls and VPN appliances, and just over half of the attributed activity came from espionage actors.
Frequently asked questions
A zero-day exploit is the code or technique an attacker uses to abuse a software flaw that the vendor does not yet know about or has not yet patched. Because no fix exists, standard defenses that rely on signatures or patches cannot stop it on the day it is used.
The vulnerability is the underlying flaw in the software that the vendor is unaware of. The exploit is the working method that takes advantage of that flaw to do something malicious, such as run code or bypass authentication. The vulnerability is the hole; the exploit is the tool that fits it.
Because there is no patch and no signature available when the attack happens, so the controls that catch known threats are not yet in play. Zero-days are also expensive to develop, so they are often used by well-resourced state-backed and espionage actors against high-value targets.
Yes, but not by patching. Behavior-based detection through EDR and XDR can catch what an exploit does after it lands, even when the flaw itself is unknown. Network segmentation, virtual patching at a firewall or IPS, and threat intelligence further limit and shorten the exposure.
A zero-day is a flaw the vendor does not know about and has not patched. Once the vendor learns of it and ships a fix, it becomes an n-day, a known and patched vulnerability. Most mass exploitation happens in the n-day phase, because many organizations are slow to apply the patch after disclosure.
The Google Threat Intelligence Group tracked 75 zero-day vulnerabilities exploited in the wild in 2024. More than 60% of the enterprise-focused ones targeted security and networking products such as firewalls and VPN appliances, and just over half of the attributed activity came from espionage actors.