Zero-Day Vulnerabilities: What They Are and Why They're Dangerous
A zero-day vulnerability is a security flaw in software that the vendor doesn't know about — and therefore hasn't patched. The name comes from the number of days the developer has had to fix it: zero. While it remains unpatched and unknown to defenders, attackers who know about it have a free pass into any system running the vulnerable software.
The Discovery-to-Patch Timeline
The lifecycle of a zero-day has several stages. Discovery — a researcher or attacker finds the vulnerability. Weaponisation — an exploit is written that turns the vulnerability into an attack tool. Deployment — the exploit is used in attacks. Disclosure — someone (ideally the researcher) tells the vendor. Development — the vendor creates a patch. Distribution — users install the patch. The dangerous window is everything between discovery and distribution.
In 2021, a zero-day in Microsoft Exchange Server (ProxyLogon) was exploited by Chinese state-sponsored hackers for months before Microsoft discovered it. Within 72 hours of Microsoft releasing a patch, over 30,000 US organisations had been compromised — attackers raced to exploit systems before patches could be applied. A patch that exists but hasn't been installed protects nobody.
The Zero-Day Market
Zero-day vulnerabilities in widely used software are valuable enough to buy and sell. Zerodium, a broker, publicly advertises prices: up to $2.5 million for a zero-day chain that achieves remote code execution on a fully patched iPhone with no user interaction. Governments and intelligence agencies are major buyers — they want exploits to use in offensive operations and don't want vendors to know about them.
This matters. When a government buys a zero-day and uses it operationally, it makes a deliberate choice not to disclose the flaw to the vendor so that it can be fixed. Every organisation running that software remains vulnerable. This is the VEP (Vulnerabilities Equities Process) debate: should governments use or disclose the vulnerabilities they find?
How to Reduce Your Exposure
You can't patch a zero-day before the patch exists. What you can do: reduce your attack surface by minimising exposed services and software, apply patches the day they're released (especially critical patches), use endpoint detection tools that look for exploit behaviour rather than known signatures, and segment your network so a compromise in one area doesn't spread instantly.
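An added example, not code from the original article, of the behaviour-based detection this paragraph recommends: instead of matching a known exploit signature, it flags a web server worker process spawning a command interpreter, a post-exploitation pattern that looks the same whatever the underlying bug. The process-name lists are assumptions about common IIS and Apache deployments, and the events are constructed, not real telemetry.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Parent processes that serve web requests; in a normal deployment none of
# them has a legitimate reason to launch a command interpreter.  (Assumed
# names for typical IIS / Apache / nginx installs.)
WEB_WORKERS = {"w3wp.exe", "httpd", "apache2", "nginx", "php-fpm"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash"}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str   # full path of the parent process image
    image: str          # full path of the newly created process image
    command_line: str


def _basename(image_path: str) -> str:
    # Accept both Windows and POSIX separators, whatever OS runs this script.
    return re.split(r"[\\/]", image_path)[-1].lower()


def is_web_shell_behaviour(event: ProcessEvent) -> bool:
    # The signal is the parent/child relationship, not a hash or exploit string.
    return (_basename(event.parent_image) in WEB_WORKERS
            and _basename(event.image) in INTERPRETERS)


def find_alerts(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    return [e for e in events if is_web_shell_behaviour(e)]


# Constructed sample process-creation events (not real logs).
SAMPLE_EVENTS = [
    ProcessEvent("mail01", r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("mail01", r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\inetsrv\w3wp.exe", "w3wp.exe -ap DefaultAppPool"),
    ProcessEvent("web02", "/usr/sbin/apache2", "/bin/sh", "sh -c id"),
    ProcessEvent("ws17", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT {alert.host}: {_basename(alert.parent_image)} -> {alert.command_line}")
```

Running it flags the two events where a web worker launches a shell and ignores the worker respawning itself and the user-driven cmd.exe on the workstation.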