Cybersecurity Glossary

Zero-Day Exploit


What Is a Zero-Day? 

A zero-day is a vulnerability in a piece of hardware or software that was previously unknown to the vendor, meaning they have had “zero days” to mitigate or remediate the vulnerability. They won’t even have a CVE assigned to the vulnerability to begin with, let alone have a patch ready to deploy.

Since no patch for the vulnerability exists, any cybercriminal who exploits the zero-day is likely to succeed. In fact, by the time the world has become aware of a zero-day vulnerability, it is already being exploited in the wild. 

Key Takeaways

  • Zero‑day exploits occur when attackers leverage these unknown vulnerabilities to gain unauthorized access, often successfully, because no mitigation is yet available.
  • A zero‑day exploit becomes a zero‑day attack when the intruder uses that access to deploy malware, steal data, or cause disruption.
  • Zero‑days are frequently paired with other attack methods, such as social engineering, remote desktop attacks, or chaining additional vulnerabilities, to maximize impact.

What Is a Zero-Day Exploit? 

A zero‑day exploit occurs when attackers leverage a vulnerability that no one has patched yet, and this type of attack is happening more often than ever.

Zero‑day exploits continue to pose a serious threat. In fact, researchers observed 75 zero‑day vulnerabilities actively exploited in the wild in 2024, a level that remains significantly higher than anything seen before 2021. This elevated activity shows that zero‑days are no longer rare events — they’ve become a persistent part of the modern threat landscape.

What Is the Difference Between a Zero-Day Exploit and a Zero-Day Attack? 

In a zero-day exploit, cybercriminals use a previously unknown vulnerability to gain access to a system. If, once inside, they use that access to launch malware or ransomware, to steal data, or to otherwise cause damage and chaos, that is a zero-day attack. 

How Does a Zero-Day Exploit Work? 

Whenever hardware or software is released or updated, there is a possibility that it is hiding an unknown vulnerability. If a cybercriminal spots the vulnerability before the developers do, they can write exploit code to take advantage of it.

But exploit code is harmless without a way to reach the software or system. Cybercriminals need to pair their exploit code with another form of attack, such as social engineering or a remote desktop protocol attack. Often, one zero-day will be paired with another zero-day or an existing vulnerability, combining to make a much more powerful, dangerous, and damaging attack. Once inside the target, the exploit code gets to work, unleashing a malicious payload or pilfering personal information.

Zero-days are most often discovered by nation-state hackers and are used by their governments to further their espionage and cyber warfare efforts.

When non-government cybercriminals discover zero-day vulnerabilities, however, they often find it more lucrative to simply sell their exploit code on the dark web, allowing other attackers to use their tool to breach as many systems as possible before developers discover the vulnerability and provide a patch to mitigate it. Zero-days can mean paydays for those involved with Ransomware-as-a-service (RaaS) or initial access brokers. 

Once a mitigation is available, however, systems can remain vulnerable if organizations are slow to apply the recommended patches or software updates, meaning zero-day vulnerabilities can remain dangerous for a long time. 

What Are Some Examples of a Zero-Day Exploit? 

Log4Shell Vulnerability 

The Log4Shell vulnerability started as a zero-day, and Apache acted on it as soon as security researchers disclosed it. This critical remote code execution vulnerability in Log4j, a Java logging library used in a significant number of internet applications, sent businesses worldwide scrambling to identify and mitigate the impact of the exploit, while security professionals released patches and scanning tools and guided organizations on how to best protect themselves from attack.

Kaseya 

A major cybersecurity incident in 2021 occurred over the Fourth of July weekend, when Florida‑based software provider Kaseya was hit with a widespread ransomware attack. The REvil group leveraged zero‑day vulnerabilities in Kaseya’s remote management tools, triggering a supply‑chain compromise that affected organizations across five continents. The attack forced the shutdown of public schools in New Zealand, temporarily closed a major grocery chain in Sweden, and disrupted operations for hundreds of businesses throughout the United States.

SolarWinds 

In one of the most catastrophic data breaches of 2020, foreign intelligence operatives took advantage of a compromised SolarWinds program through a zero-day vulnerability, invading an estimated 18,000 private and government-affiliated networks. These data breaches granted attackers access to an abundance of identifiable information, including financial information, source code, passwords, and usernames.

Sony Pictures 

In 2014, hackers exploited a previously undisclosed vulnerability during a spear-phishing email campaign to unleash a devastating attack on Sony Pictures Entertainment’s computer network. The attack crippled the network while releasing the personal emails of top executives, business information, and even copies of unreleased films.

Stuxnet 

Arguably the most infamous zero-day attack, the Stuxnet worm exploited four zero-day vulnerabilities and is believed to be responsible for destroying centrifuges in Iran and drastically slowing their nuclear ambitions. 

How Do You Protect Against Zero-Day Exploits?

Zero-day vulnerabilities present a major challenge for cybersecurity teams, as their existence often isn’t known until they are being actively exploited by cybercriminals. However, developing a robust and proactive security posture can go a long way toward protecting your business against zero-day exploits, and minimizing the damage they can do to your organization. Here are our best-practice recommendations: 

Determine if You’re Vulnerable 

You can’t protect what you can’t see. That’s why the crucial first step in protecting your organization against zero-day exploits is to ensure you have total visibility into your network, endpoints, and environments in order to determine if you are vulnerable to a zero-day once it becomes known. 

Monitor and Detect Attacks 

You can’t patch an unknown flaw, but you can spot and contain zero‑day–driven activity by instrumenting endpoints, identities, and networks for behavior‑based detection and centralized telemetry (e.g., EDR/XDR + SIEM). Modern guidance emphasizes continuous monitoring and enterprise‑level visibility across on‑premises and cloud resources to surface anomalies, lateral movement, and privilege abuse quickly. These capabilities can be delivered by in‑house teams or managed providers; what matters is 24×7 detection and rapid response, not a particular staffing model.
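The behavior-based detection described above can be illustrated with a small rule run over centralized authentication telemetry. This is an added example, not Arctic Wolf code, and it assumes no particular product or log format: the events below are constructed, and the rule (one account fanning out to many distinct hosts inside a short window) is a generic lateral-movement heuristic that works regardless of which, possibly unknown, vulnerability produced the initial foothold.

```python
"""Behavior-based detection over centralized auth telemetry.

Added example for this glossary section (not Arctic Wolf code).  The events
are constructed and the schema is an assumption: (timestamp, account,
source host, destination host).  The rule keys on behaviour rather than on a
signature for a specific exploit, which is what makes it useful when the
underlying vulnerability is a zero-day with no signature yet.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: a backup service account suddenly reaching five
# different hosts in about two minutes, surrounded by ordinary user activity.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:05", "alice",   "ws-12",  "fs-01"),
    ("2024-05-01T09:03:10", "alice",   "ws-12",  "mail-01"),
    ("2024-05-01T09:20:00", "svc-bkp", "app-07", "db-01"),
    ("2024-05-01T09:20:30", "svc-bkp", "app-07", "db-02"),
    ("2024-05-01T09:21:00", "svc-bkp", "app-07", "fs-01"),
    ("2024-05-01T09:21:45", "svc-bkp", "app-07", "fs-02"),
    ("2024-05-01T09:22:10", "svc-bkp", "app-07", "dc-01"),
    ("2024-05-01T11:00:00", "bob",     "ws-44",  "fs-01"),
    ("2024-05-01T11:30:00", "bob",     "ws-44",  "fs-01"),
]


def parse_ts(s):
    """Parse an ISO-8601 timestamp string into a datetime."""
    return datetime.fromisoformat(s)


def detect_fanout(events, window=timedelta(minutes=10), threshold=5):
    """Return alerts for accounts that authenticate to >= threshold distinct
    destination hosts within any sliding time window of length `window`.

    `events` must be sorted by timestamp.  One alert is raised per account
    so a noisy account does not flood the queue.
    """
    recent = defaultdict(deque)   # account -> deque of (timestamp, dst host)
    alerted = set()
    alerts = []
    for ts_str, account, src, dst in events:
        ts = parse_ts(ts_str)
        q = recent[account]
        q.append((ts, dst))
        # Evict events that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        hosts = {d for _, d in q}
        if len(hosts) >= threshold and account not in alerted:
            alerted.add(account)
            alerts.append({
                "account": account,
                "source": src,
                "first_seen": q[0][0].isoformat(),
                "last_seen": ts.isoformat(),
                "distinct_hosts": sorted(hosts),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(SAMPLE_EVENTS):
        print(f"ALERT lateral-movement candidate: {a['account']} from {a['source']} "
              f"reached {len(a['distinct_hosts'])} hosts between "
              f"{a['first_seen']} and {a['last_seen']}")
```

The thresholds are deliberately parameters: a real deployment would tune `window` and `threshold` per account class (service accounts and administrators have very different baselines) and feed the alert into the same triage queue as signature-based detections, so that the response playbook does not depend on whether a CVE exists yet.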

Mitigate and Recover 

When a zero‑day is disclosed or suspected, follow a documented patch and mitigation process: apply vendor fixes when available, use temporary configuration/workaround controls when they’re not, and verify deployments. Align this with an enterprise patch program (NIST SP 800‑40) and use CISA’s KEV catalog to prioritize remediation for vulnerabilities known to be actively exploited. For resilience, maintain tested, immutable/offline backups (e.g., 3‑2‑1) and a NIST‑aligned incident response plan (SP 800‑61) so the organization can contain, eradicate, and recover even if systems are compromised. These capabilities may be provided by internal staff, retainer‑based IR partners, or an MSSP/MDR—what’s essential is that the processes and outcomes meet best‑practice standards.
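The two steps above, knowing what is deployed (the "Determine if You're Vulnerable" section) and ranking remediation with the KEV catalog, can be joined in one small prioritization routine. This is an added example, not Arctic Wolf code and not a CISA tool: the scanner findings and the catalog snapshot are constructed, the CVE identifiers are obvious placeholders rather than real CVEs, and the catalog dictionaries are assumed to mirror the field names of CISA's public KEV JSON feed (cveID, dueDate, knownRansomwareCampaignUse) so that a real download could be substituted without changing the code.

```python
"""Prioritizing zero-day remediation from an asset inventory and a KEV-style list.

Added example for this section (not Arctic Wolf code).  All data below is
constructed: the CVE ids are placeholders, not real CVEs, and the catalog
entries only reuse the field names of CISA's KEV JSON feed as an assumption.
"""
from datetime import date

# Constructed KEV-shaped catalog snapshot (placeholder CVE ids).
KEV_SNAPSHOT = [
    {"cveID": "CVE-0000-00001", "dueDate": "2024-06-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00002", "dueDate": "2024-06-15", "knownRansomwareCampaignUse": "Unknown"},
]

# Constructed scanner findings: one row per asset/CVE pair.  `exposed` marks
# internet-facing assets; `patch_available` is False for a zero-day that the
# vendor has not fixed yet, which is exactly the case the section addresses.
FINDINGS = [
    {"asset": "web-01", "cve": "CVE-0000-00001", "cvss": 9.8, "exposed": True,  "patch_available": True},
    {"asset": "app-07", "cve": "CVE-0000-00001", "cvss": 9.8, "exposed": False, "patch_available": True},
    {"asset": "vpn-01", "cve": "CVE-0000-00002", "cvss": 8.1, "exposed": True,  "patch_available": False},
    {"asset": "ws-12",  "cve": "CVE-0000-00003", "cvss": 7.5, "exposed": False, "patch_available": True},
    {"asset": "db-01",  "cve": "CVE-0000-00004", "cvss": 5.3, "exposed": False, "patch_available": True},
]


def index_kev(entries):
    """Map cveID -> catalog entry for O(1) lookups."""
    return {e["cveID"]: e for e in entries}


def prioritize(findings, kev_entries):
    """Return the findings annotated with a tier and an action, highest priority first.

    Tier 1: actively exploited (in KEV) and internet-exposed.
    Tier 2: in KEV, internal only.
    Tier 3: not in KEV but high CVSS (>= 7.0).
    Tier 4: everything else.
    Action is "patch" when a vendor fix exists, otherwise a temporary
    workaround plus network isolation until one does.
    """
    kev = index_kev(kev_entries)
    plan = []
    for f in findings:
        entry = kev.get(f["cve"])
        in_kev = entry is not None
        ransomware = in_kev and entry["knownRansomwareCampaignUse"] == "Known"
        if in_kev and f["exposed"]:
            tier = 1
        elif in_kev:
            tier = 2
        elif f["cvss"] >= 7.0:
            tier = 3
        else:
            tier = 4
        action = "patch" if f["patch_available"] else "workaround+isolate"
        plan.append({**f, "tier": tier, "in_kev": in_kev, "ransomware": ransomware,
                     "due": entry["dueDate"] if in_kev else None, "action": action})
    # Order: tier, then ransomware-linked first, earliest KEV due date, then CVSS descending.
    plan.sort(key=lambda p: (p["tier"], not p["ransomware"], p["due"] or "9999-12-31", -p["cvss"]))
    return plan


def overdue(plan, today):
    """Assets whose KEV due date has already passed as of `today` (a date)."""
    return [p["asset"] for p in plan
            if p["due"] is not None and date.fromisoformat(p["due"]) < today]


if __name__ == "__main__":
    for p in prioritize(FINDINGS, KEV_SNAPSHOT):
        print(f"tier {p['tier']}  {p['asset']:7} {p['cve']}  {p['action']:18} due={p['due']}")
    print("overdue:", overdue(prioritize(FINDINGS, KEV_SNAPSHOT), date(2024, 6, 10)))
```

The point of the tiering is that an unpatched, internet-facing asset on the KEV list outranks a higher-CVSS internal finding: exploitation evidence and exposure drive the order, and the "workaround+isolate" action keeps the zero-day case from stalling in a patch queue that has nothing to deploy yet.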

How Arctic Wolf Can Help 

Arctic Wolf® Managed Risk enables you to discover, assess, and harden your environment against digital risks like zero-days by contextualizing your attack surface coverage across your networks, endpoints, and cloud environments. We provide you with 24×7 continuous monitoring, and work with you to prioritize the remediation of any vulnerabilities discovered. 

The Arctic Wolf® Managed Detection and Response (MDR) solution provides 24×7 monitoring of your networks, endpoints, and cloud environments to help you detect, respond to, and recover from modern cyber attacks like zero-day exploits.


Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.