What is a zero-day exploit?
A zero-day exploit is a method or piece of code used by threat actors to take advantage of a previously unknown or unpatched vulnerability in software, hardware, or firmware.
Key takeaways
- Zero-day exploits target undisclosed vulnerabilities before developers have time to create and implement security patches.
- These exploits pose significant threats, including reputational damage, financial losses, and compliance violations.
- 0-day exploit prevention requires a multi-layered security approach, including Zero Trust architecture, regular patching, and advanced threat detection.
- Attacks can impact a range of entities, from individuals to large corporations and government agencies, with access to sensitive data and critical infrastructure.
- Notable examples include the Stuxnet worm (2010), Microsoft Exchange Server vulnerabilities (2021), and recent exploits affecting Chrome and Apple WebKit.
How do zero-day exploits work?
The term “zero-day” comes from the software piracy scene in the days of digital bulletin boards (BBSs), which referred to cracked software released on the same day as the legitimate version. Therefore, the original software was protected for “zero days.”
Today, a zero-day exploit is a technique or piece of code that takes advantage of an undisclosed vulnerability in released hardware, firmware, or software before the vendor becomes aware of the defect or is able to address it.
Zero-day vulnerabilities arise when developers unknowingly introduce a flaw, testing fails to catch it, and the vendor ships the product with the flaw in place. If it then goes undetected by the vendor and by defenders, attackers who find it can exploit it before a patch is developed and distributed.
The zero-day lifecycle
- Discovery: A hacker discovers a vulnerability in software, hardware, or firmware
- Exploit development: The hacker develops a reliable method to exploit the vulnerability
- Attack execution: Attackers begin targeting systems using the exploit
- Silent exploitation: The vendor remains unaware while zero-day attacks continue
- Vulnerability identification: The vendor eventually learns of the vulnerability, through its own analysis, a researcher's report, or evidence recovered from victims
- Patch development: The vendor develops and releases a security patch
- Patch deployment: Organizations and users install the patch; systems that have not yet applied it remain exposed
Common targets for zero-day exploits:
- Operating systems: Core software that can provide attackers with system-wide access, affecting all data and applications
- Web browsers: When exploited, browsers like Chrome, Safari, and Firefox can compromise users when they visit malicious websites
- Enterprise software: Organization-wide business applications can provide data access and entry to corporate networks
- IoT devices: These connected devices often have limited security controls, allowing attackers to compromise home networks, industrial sensors, or medical devices
- Mobile devices: Vulnerabilities in mobile operating systems or apps on smartphones and tablets can expose sensitive data, enable surveillance, or serve as network entry points
- Cloud services: Vulnerabilities in remotely hosted computing services can enable cross-tenant attacks and expose very large datasets in a single compromise
- Network protocols: Vulnerabilities in rules that govern data transmission between devices (e.g., DNS, TCP/IP, or SSL/TLS) can enable traffic interception, redirection, and man-in-the-middle attacks
Typical zero-day attack methods:
- Code execution: Running malicious code or unauthorized commands on a target system to take control of applications or operating systems
- Privilege escalation: Gaining higher-level privileges than appropriate to access restricted data, install malware, or perform administrative actions
- Data exfiltration: Extracting confidential data from compromised systems, including credentials, intellectual property, or personal information, without detection
- Malware delivery: Installing malicious software on target systems to establish persistent access on compromised devices, create backdoors, deploy ransomware, or establish command-and-control infrastructure
Related zero-day terminology:
- Zero-day: “Zero-day” or “0day” describes a vulnerability that developers have had zero days to fix, because it was exploited or disclosed before they knew it existed
- Zero-day vulnerability: An unknown or unaddressed flaw that exists in released software or hardware
- Zero-day threat: Another term for a zero-day vulnerability, also used loosely for the attacks that exploit one
- Zero-day attack: A malicious attempt to leverage a zero-day exploit before the vendor can develop and distribute a patch
- Zero-day malware: Malware built around a zero-day exploit, or malware so new that antivirus and other signature-based detection tools have no signature for it yet
Zero-day examples
- Stuxnet worm: (2010) A computer worm, discovered in 2010, that targeted the Siemens industrial control and supervisory control and data acquisition (SCADA) systems used in Iranian nuclear facilities. It exploited multiple Windows zero-day vulnerabilities to spread and reach its targets.
- The Microsoft Exchange Server vulnerabilities: (2021) A chain of critical flaws, known as ProxyLogon, that enabled remote code execution on on-premises Exchange servers. The Hafnium group exploited them to plant web shells and backdoors, and an estimated 250,000 servers were compromised.
- Chrome zero-day CVE-2023-4863: (2023) A heap buffer overflow in the WebP image decoding library (libwebp) used by Chrome, actively exploited in the wild. Because the library is shared, the same flaw affected many other browsers and applications.
- Apple WebKit zero-days: (2024) Actively exploited flaws in Apple's browser engine that allowed attackers to execute arbitrary code on iPhones and Macs through malicious web content.
Why are zero-day exploits a significant threat?
There’s much at stake when malicious actors discover vulnerabilities ahead of security analysts and researchers. While rarely as dramatic as the blockbuster-movie scenario in which an entire city goes dark because of a zero-day infrastructure exploit, the real impact is substantial.
A surprise to vendors and manufacturers, these latent weaknesses may lie dormant for days, weeks, months, or years before they are exploited. Without a planned defense strategy, security teams must scramble to respond with whatever attack information is available, racing the attackers to contain the damage until a patch exists.
Exploit costs include:
- Reputational harm, including loss of trust and customer concerns over stolen data
- Financial impact due to the high cost of security breaches
- Compliance violations and fines under data protection regulations
- Potential for cascading failures in interconnected systems
According to IBM's Cost of a Data Breach Report 2024, the average global cost of a data breach reached $4.88 million.
Identifying zero-day exploits
Signs of a zero-day attack
- Unusual system behavior or performance, such as crashes or unexplained spikes in resource use
- Unexpected outbound data transfers (exfiltration)
- Anomalous network traffic patterns, including connections to unfamiliar destinations
- New files, scheduled tasks, or modified system components
- Alerts from behavioral analysis and heuristic detection, which flag suspicious activity even when no signature for the exploit exists
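The signs above are what behavior-based detection looks for: it does not need to know which vulnerability was used, only that what happened afterwards is abnormal. The following is an added example, not code from the original page or from any product, that runs three such rules over constructed endpoint telemetry: a web server worker spawning a shell, the web server writing a script into its web root (a possible web shell), and a process descended from that shell sending a large volume of data to an address outside the organization. The hostnames, process names, addresses, internal network ranges, and byte threshold are all assumptions made for illustration.

```python
"""Behavior-based detection over constructed endpoint telemetry.

Added example, not from the original page. Every event below is constructed;
the rules are illustrative and not those of any particular EDR product.
"""
import ipaddress
import json

# Assumed internal address space of the constructed environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_SERVERS = {"w3wp.exe", "httpd", "nginx", "tomcat"}
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}
WEB_SHELL_EXTS = (".aspx", ".php", ".jsp")
EXFIL_BYTES = 10 * 1024 * 1024  # assumed: 10 MiB in one connection is abnormal here

# Constructed telemetry, one JSON object per line (process, file and network events).
TELEMETRY = r"""
{"ts": "2024-05-01T09:00:01Z", "host": "web01", "type": "process", "pid": 4120, "ppid": 800, "parent": "svchost.exe", "image": "w3wp.exe", "cmdline": "w3wp.exe -ap DefaultAppPool"}
{"ts": "2024-05-01T09:00:05Z", "host": "web01", "type": "netconn", "pid": 4120, "image": "w3wp.exe", "dst": "10.0.0.8", "dport": 1433, "bytes_out": 4200}
{"ts": "2024-05-01T09:01:10Z", "host": "web01", "type": "process", "pid": 5100, "ppid": 4120, "parent": "w3wp.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"}
{"ts": "2024-05-01T09:01:12Z", "host": "web01", "type": "process", "pid": 5112, "ppid": 5100, "parent": "cmd.exe", "image": "powershell.exe", "cmdline": "powershell -enc SQBFAFgA"}
{"ts": "2024-05-01T09:02:00Z", "host": "web01", "type": "file", "pid": 4120, "image": "w3wp.exe", "path": "C:\\inetpub\\wwwroot\\aspnet_client\\x.aspx", "action": "create"}
{"ts": "2024-05-01T09:03:30Z", "host": "web01", "type": "netconn", "pid": 5112, "image": "powershell.exe", "dst": "203.0.113.45", "dport": 443, "bytes_out": 73400320}
{"ts": "2024-05-01T09:04:00Z", "host": "web02", "type": "netconn", "pid": 4300, "image": "w3wp.exe", "dst": "10.0.0.8", "dport": 1433, "bytes_out": 3900}
"""


def is_internal(ip):
    """True if the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(telemetry):
    """Return a list of alerts produced by the three rules, in event order."""
    alerts = []
    tainted = set()  # (host, pid) of processes descended from a web-server-spawned shell
    for line in telemetry.strip().splitlines():
        ev = json.loads(line)
        host, kind = ev["host"], ev["type"]
        if kind == "process":
            # Rule 1: a web server worker should never spawn a shell or interpreter.
            if ev["parent"] in WEB_SERVERS and ev["image"] in SHELLS:
                tainted.add((host, ev["pid"]))
                alerts.append({"rule": "web_server_spawned_shell", "host": host, "ts": ev["ts"],
                               "detail": f"{ev['parent']} spawned {ev['image']}: {ev['cmdline']}"})
            elif (host, ev["ppid"]) in tainted:
                tainted.add((host, ev["pid"]))  # children inherit the suspicious lineage
        elif kind == "file":
            # Rule 2: the web server itself writing a server-side script is a web shell indicator.
            if (ev["image"] in WEB_SERVERS and ev["action"] == "create"
                    and ev["path"].lower().endswith(WEB_SHELL_EXTS)):
                alerts.append({"rule": "webshell_dropped", "host": host, "ts": ev["ts"],
                               "detail": f"{ev['image']} created {ev['path']}"})
        elif kind == "netconn":
            # Rule 3: a tainted process pushing a large volume to an external address.
            if ((host, ev["pid"]) in tainted and not is_internal(ev["dst"])
                    and ev["bytes_out"] >= EXFIL_BYTES):
                alerts.append({"rule": "exfil_from_tainted_process", "host": host, "ts": ev["ts"],
                               "detail": f"{ev['image']} (pid {ev['pid']}) sent {ev['bytes_out']} "
                                         f"bytes to {ev['dst']}:{ev['dport']}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(TELEMETRY):
        print(f"[{alert['ts']}] {alert['host']} {alert['rule']}: {alert['detail']}")
```

None of the three rules references a CVE or an exploit signature; the same logic would have fired on the web-shell activity that followed the Exchange Server exploitation described above, and it would fire just as well on a bug that has not been discovered yet. Tracking lineage by process ID rather than by image name matters: the exfiltration alert fires for powershell.exe only because it descends from the shell the web server spawned, not because PowerShell is suspicious in itself.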
How are zero-day vulnerabilities discovered?
- Hackers who actively search for vulnerabilities to exploit
- Security organizations that use automated scanning, research, and code analysis
- Infosec researchers who independently analyze code and conduct security assessments
- National security and intelligence agencies that are involved in defense and cyber ops
- Bug bounty programs run by tech companies to incentivize security professionals with rewards
Zero-day exploit marketplace
- White market: Where companies, vendors, and ethical hackers disclose vulnerabilities for bug bounties
- Gray market: Where government and intelligence agencies purchase zero-day exploits for national security purposes and law enforcement activities
- Black market: Where criminal actors buy and sell exploits to use in attacks
How to prevent a zero-day exploit
Zero-day exploit prevention starts with a strong defense-in-depth strategy, including:
- Zero-trust architecture: Limits lateral movement by verifying every access attempt, regardless of the source
- Least-privilege principles: Restricts user and process access to only what is necessary, reducing the impact of exploitation
- Attack surface management (ASM): Enables security experts to identify and evaluate potential attack vectors within their digital infrastructure
- Penetration testing: Allows organizations to simulate attacks and, in some cases, uncover previously unknown vulnerabilities ahead of malicious actors
- Behavior-based endpoint detection and response (EDR) solutions: Detects anomalies and suspicious behavior that signature-based tools may miss
- Regular patching of all systems: Removes the known vulnerabilities attackers often chain with a zero-day, and shortens the exposure window once a fix for a zero-day ships
- Network segmentation: Limits the blast radius of attacks by isolating critical systems and restricting unauthorized communication
- Application control policies: Prevent unauthorized and untrusted applications from executing code
- Threat hunting techniques: Searches for hidden threats, including early indicators of zero-day activity
- AI-powered security monitoring: Identifies unusual patterns and behavior in real-time using machine learning (ML)
- Runtime application self-protection (RASP): Provides in-app threat detection and mitigation during runtime
Zero-day exploit FAQ
What starts a zero-day attack?
Zero-day attacks begin when a bad actor discovers a previously unknown hardware or software vulnerability and then exploits it before the manufacturer or software developers have time to release a fix.
How are zero-day exploits rated for severity?
The Common Vulnerability Scoring System (CVSS) rates the underlying vulnerability rather than the exploit. It assigns a base score from 0 to 10 derived from metrics such as attack vector, attack complexity, privileges required, user interaction, and the impact on confidentiality, integrity, and availability. A zero-day is scored like any other vulnerability once it has been analyzed; the fact that it was exploited before a patch existed does not change the base score, although the CVSS temporal metrics can reflect the maturity of the exploit and the lack of an official fix.
What is the difference between zero-day and N-day?
Vendors are unaware of zero-day vulnerabilities until the flaw is discovered or seen in an attack. N-day vulnerabilities are publicly known hardware or software defects, where N is the number of days since disclosure; a patch usually exists, but systems that have not applied it remain exploitable.
What is a 1-day vulnerability?
A one-day (or 1-day) vulnerability is an N-day with N equal to one: the flaw was disclosed, and typically patched by the vendor, only very recently, so attackers race to exploit it before organizations deploy the fix. The longer a known vulnerability stays unpatched, the larger N grows; mean time to patch (MTTP) measures how long an organization typically takes to close that window.
What’s the difference between zero-day and CVE?
Common Vulnerabilities and Exposures (CVE) is a catalog of publicly disclosed security vulnerabilities in software and hardware, each with a unique identifier and usually a fix or mitigation. A zero-day vulnerability is unknown to the vendor and the public, so it has no CVE entry yet; once it is disclosed, it typically receives a CVE ID, as CVE-2023-4863 did.
Protect against zero-day exploits with Okta
Reduce risk and safeguard your organization with identity-based security that automates threat detection in real time.