How Zero-Day Exploits Work

An in-depth look at zero-day exploits covering how vulnerabilities are discovered, traded, weaponized, and defended against in cybersecurity.

The InfoNexus Editorial Team · May 3, 2026 · 9 min read

What Is a Zero-Day Exploit?

A zero-day exploit takes advantage of a vulnerability in software, hardware, or firmware that is unknown to the vendor or developer at the time it is used. The name refers to the vendor having had "zero days" to address the flaw: they learn of it only when the exploitation itself is discovered. Zero-day vulnerabilities are among the most dangerous threats in cybersecurity because no patch or fix exists when the attack occurs, leaving affected systems exposed until the vendor can develop, test, and distribute a security update and administrators have actually applied it.

Zero-day exploits are prized by attackers, intelligence agencies, and cybercriminals alike because they are effective against even well-maintained, fully patched systems. The discovery, trade, and use of zero-day vulnerabilities have created a complex ecosystem involving researchers, governments, brokers, and criminal organizations.

Key Terminology

Understanding zero-day exploits requires distinguishing between related but distinct concepts:

  • Zero-day vulnerability: A software flaw unknown to the vendor; it exists in the code but has not been discovered (or at least not disclosed)
  • Zero-day exploit: Code or a technique that leverages the zero-day vulnerability to compromise a system
  • Zero-day attack: The actual use of a zero-day exploit against a real target
  • N-day vulnerability: A known vulnerability for which a patch exists but has not been universally applied; many attacks exploit N-day (not zero-day) vulnerabilities

How Zero-Day Vulnerabilities Arise

Software vulnerabilities are introduced during the development process due to the inherent complexity of modern code. Common vulnerability types that become zero-days include:

| Vulnerability type | Description | Example zero-day |
| --- | --- | --- |
| Buffer overflow | Writing data beyond the bounds of an allocated buffer, corrupting adjacent memory and potentially allowing code execution | EternalBlue (MS17-010), an SMBv1 flaw held as a zero-day by the NSA; by the time WannaCry used it in May 2017 a patch had been available for two months |
| Use-after-free | Accessing memory after it has been freed, leading to memory corruption or code execution | Multiple Chrome browser zero-days |
| SQL injection | Attacker-controlled input concatenated into a SQL query, letting the attacker rewrite the query rather than supply a value | MOVEit Transfer (CVE-2023-34362) |
| Privilege escalation | Exploiting a flaw to gain higher-level permissions than intended | PrintNightmare (CVE-2021-34527) in the Windows Print Spooler |
| Logic errors | Flaws in what the program is designed to do rather than in memory handling, typically trusting or interpreting data it should not | Log4Shell (CVE-2021-44228): Log4j resolved JNDI lookups embedded in attacker-controlled log messages, fetching and running remote code |
| Race conditions | Exploiting a timing window between two operations on shared state | Dirty COW (CVE-2016-5195), a copy-on-write race in the Linux kernel giving local privilege escalation |
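The SQL injection row above (the class behind the MOVEit Transfer flaw) is the easiest of these to show end to end. The following is an added example, not code from this article or from MOVEit: it builds an in-memory SQLite database with constructed rows, then runs the same login and lookup through a vulnerable string-formatted query and a parameterized one, so the bypass and the data exfiltration are visible side by side. The table, column names and payloads are assumptions made for the demonstration.

```python
"""SQL injection: the vulnerable pattern beside the parameterized fix.

Added example (not from the original article). Uses an in-memory SQLite
database with constructed rows so it runs offline.
"""
import sqlite3


def make_db():
    """Build a constructed sample database (assumed schema, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "h-alice", "admin"), ("bob", "h-bob", "user")],
    )
    return conn


def login_vulnerable(conn, username, password_hash):
    """Vulnerable: user input is spliced into the SQL text, so a quote
    character in the input changes the structure of the query."""
    query = (
        "SELECT role FROM users WHERE username = '%s' AND password_hash = '%s'"
        % (username, password_hash)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password_hash):
    """Hardened: placeholders keep input as data; the query structure is
    fixed before any user-supplied value is bound."""
    query = "SELECT role FROM users WHERE username = ? AND password_hash = ?"
    row = conn.execute(query, (username, password_hash)).fetchone()
    return row[0] if row else None


def search_vulnerable(conn, username):
    """Vulnerable lookup, used to show exfiltration via an injected UNION."""
    query = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def search_parameterized(conn, username):
    """Hardened lookup: the payload is compared literally and matches nothing."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Constructed payloads of the kind an attacker sends. The first closes the
# quoted literal and ORs in an always-true clause; because AND binds tighter
# than OR, the password check is bypassed. The second appends a UNION that
# pulls every password hash out of the table.
BYPASS_USER = "alice' OR '1'='1"
EXFIL_USER = "x' UNION SELECT password_hash, 'leaked' FROM users WHERE '1'='1"


def demo():
    """Run both payloads through both code paths and return the outcomes."""
    conn = make_db()
    return {
        "vuln_bypass": login_vulnerable(conn, BYPASS_USER, "wrong"),
        "safe_bypass": login_parameterized(conn, BYPASS_USER, "wrong"),
        "vuln_exfil": sorted(search_vulnerable(conn, EXFIL_USER)),
        "safe_exfil": search_parameterized(conn, EXFIL_USER),
        "safe_legit": login_parameterized(conn, "alice", "h-alice"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The point is structural: the vulnerable path lets the input choose the shape of the query, while the parameterized path decides the shape first and treats the input strictly as a value. Input filtering can be layered on top, but it is not the fix.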

The Zero-Day Lifecycle

A zero-day vulnerability passes through several phases from introduction to resolution:

  1. Introduction: The vulnerability is inadvertently introduced during software development
  2. Discovery: A researcher, attacker, or intelligence agency discovers the vulnerability
  3. Weaponization: An exploit is developed that reliably triggers the vulnerability to achieve a specific outcome (code execution, data exfiltration, privilege escalation)
  4. Deployment: The exploit is used in attacks against targets
  5. Detection: Security researchers or defenders discover the exploit through anomaly detection, threat intelligence, or incident response
  6. Disclosure: The vulnerability is reported to the vendor (responsible disclosure) or made public
  7. Patch development: The vendor develops and tests a security update
  8. Patch deployment: The fix is distributed to users; the vulnerability becomes an N-day that remains dangerous until all affected systems are updated

The Zero-Day Market

Zero-day exploits have significant monetary value, and a complex market has developed around their discovery and sale:

Market Segments

| Market | Buyers | Price range | Characteristics |
| --- | --- | --- | --- |
| White market | Vendors (via bug bounty programs) | $500–$250,000+ | Legal; the researcher reports the vulnerability to the vendor for a reward |
| Gray market | Government agencies, defense contractors | $100,000–$2,500,000+ | Legal in most jurisdictions; used for intelligence and defense |
| Black market | Cybercriminals, hostile nation-states | $10,000–$2,000,000+ | Illegal; used for financial crime, espionage, sabotage |

Brokers such as Zerodium and Crowdfense have publicly advertised bounties for zero-day exploits, with their highest listed payouts reaching into the millions of dollars for full-chain, zero-click exploits of current iPhone and Android devices. Government intelligence agencies are among the largest consumers of zero-day exploits, purchasing them for offensive cyber operations and surveillance.

Notable Zero-Day Attacks

Several zero-day attacks have had significant geopolitical, economic, or technological impact:

  • Stuxnet (discovered 2010): A sophisticated worm widely attributed to the United States and Israel that used four zero-day exploits to sabotage Iran's nuclear enrichment centrifuges. It is considered the first known cyberweapon designed to cause physical damage to infrastructure
  • EternalBlue (leaked 2017): An NSA-developed exploit for a buffer overflow in Windows SMBv1. Microsoft patched the flaw in March 2017 (MS17-010), a month before the Shadow Brokers group leaked the exploit; the WannaCry ransomware that used it in May 2017 still infected over 200,000 systems across 150 countries and caused billions in damages, because so many systems remained unpatched. WannaCry is therefore an N-day attack built on a former zero-day
  • Log4Shell (December 2021): A critical vulnerability in the Apache Log4j logging library (CVE-2021-44228) that allowed remote code execution. Due to Log4j's ubiquitous use in Java applications, billions of devices were potentially affected. It was described as one of the most serious vulnerabilities ever discovered
  • Pegasus spyware (ongoing): Developed by Israeli company NSO Group, Pegasus has used numerous iOS and Android zero-day exploits to silently compromise smartphones of journalists, activists, and political figures worldwide
  • MOVEit Transfer (2023): A SQL injection zero-day in the MOVEit file transfer software exploited by the Cl0p ransomware group, affecting over 2,500 organizations and compromising data of approximately 90 million individuals

Defense Strategies

While zero-day exploits cannot be prevented by traditional signature-based defenses (since no signature exists until after discovery), multiple strategies can reduce exposure and limit impact:

Proactive Measures

  • Attack surface reduction: Minimizing the amount of software, services, and network exposure reduces the number of potential vulnerabilities
  • Least privilege: Running applications with minimal permissions limits the damage an exploit can cause
  • Network segmentation: Isolating critical systems prevents lateral movement after initial compromise
  • Application sandboxing: Running untrusted code in isolated environments (browser sandboxes, application containers) contains exploits
  • Memory safety: Writing code in memory-safe languages (Rust, Go) eliminates entire classes of vulnerabilities (buffer overflows, use-after-free) in that code, although unsafe blocks, foreign-function interfaces, and the language runtime itself remain outside the guarantee

Detection and Response

  • Behavioral analysis: Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) tools monitor for anomalous behavior rather than known signatures
  • Threat intelligence: Sharing indicators of compromise (IOCs) across organizations enables faster detection of zero-day campaigns
  • Patch management: While patches for zero-days do not exist at the time of attack, rapid patch deployment once available is critical — many of the worst impacts from zero-days occur because organizations delay applying patches even after they become available
  • Bug bounty programs: Incentivizing responsible disclosure by paying security researchers to find and report vulnerabilities before attackers discover them
  • Incident response planning: Having practiced response procedures ensures organizations can contain and recover from zero-day attacks quickly when they occur
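The behavioral-analysis point above is worth making concrete. The following is an added example, not code from the article or from any EDR vendor: a rule run over constructed process-creation events that flags a document viewer, mail client or browser spawning a shell or script interpreter, a parent-child relationship that is rare in normal use but typical of the first stage after a successful document or browser exploit. It needs no knowledge of which bug was exploited, which is exactly what makes it useful against a zero-day. The process names, command-line markers and event records are assumptions made for the demonstration.

```python
"""Behavioral detection of exploit follow-on activity from process events.

Added example (not from the original article). The rule keys on
parent/child process relationships and command-line traits rather than on
any signature of a specific exploit. All event records are constructed.
"""

# Processes that render attacker-controlled content (assumed names).
CONTENT_HANDLERS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "acrord32.exe", "chrome.exe", "msedge.exe", "firefox.exe",
}

# Interpreters and living-off-the-land binaries a first-stage payload
# commonly launches (assumed list; tune per environment).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Constructed sample telemetry: one exploit-like chain on ws-17, one
# ordinary admin shell on ws-22, one browser-spawned shell on ws-31.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:01:02Z", "host": "ws-17", "parent": "explorer.exe",
     "image": "winword.exe", "cmdline": 'WINWORD.EXE "C:\\Users\\a\\invoice.docx"'},
    {"ts": "2024-01-10T09:01:09Z", "host": "ws-17", "parent": "winword.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3"},
    {"ts": "2024-01-10T09:15:44Z", "host": "ws-22", "parent": "explorer.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"ts": "2024-01-10T10:02:11Z", "host": "ws-31", "parent": "chrome.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2024-01-10T10:30:00Z", "host": "srv-01", "parent": "services.exe",
     "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]


def classify(event):
    """Return an alert dict for a suspicious event, or None.

    Base rule: content handler spawns an interpreter. Command-line traits
    typical of a staged payload raise the severity and are recorded as
    reasons so an analyst can see why the event fired.
    """
    parent = event["parent"].lower()
    image = event["image"].lower()
    if parent not in CONTENT_HANDLERS or image not in SUSPICIOUS_CHILDREN:
        return None

    cmd = event["cmdline"].lower()
    severity = "medium"
    reasons = ["%s spawned %s" % (parent, image)]

    if any(flag in cmd for flag in (" -enc ", " -encodedcommand ", " -e ")):
        severity = "high"
        reasons.append("encoded PowerShell command")
    if any(flag in cmd for flag in ("http://", "https://", "downloadstring",
                                     "invoke-webrequest", "iwr ")):
        severity = "high"
        reasons.append("network download cradle")
    if " -w hidden" in cmd or "windowstyle hidden" in cmd:
        reasons.append("hidden window")

    return {"ts": event["ts"], "host": event["host"],
            "severity": severity, "reasons": reasons}


def detect(events):
    """Run the rule over an event stream and return the alerts in order."""
    return [alert for alert in (classify(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["ts"], alert["host"], alert["severity"], "; ".join(alert["reasons"]))
```

The ordinary explorer.exe to cmd.exe chain on ws-22 is not flagged, which is the trade-off this style of rule makes: it tolerates shells launched by users and watches for shells launched by software that should never need one. Real deployments add per-environment allowlists and correlate across hosts, but the core logic does not change.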

The ongoing arms race between attackers who discover and exploit vulnerabilities and defenders who work to detect, patch, and mitigate them shows no signs of slowing. As software systems grow more complex and interconnected, zero-day vulnerabilities will continue to be among the most significant challenges in cybersecurity.

Tags: cybersecurity, zero-day, vulnerabilities