100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Cybersecurity

Zero-Day Vulnerability

IntermediateConcept5.6K learners

A zero-day vulnerability is a software flaw that is unknown to the vendor and has no available patch, meaning defenders have had "zero days" to fix it before it can potentially be exploited.

Definition

A zero-day vulnerability is a software flaw that is unknown to the vendor and has no available patch, meaning defenders have had "zero days" to fix it before it can potentially be exploited.

Overview

The term applies both to the vulnerability itself and, once someone actively exploits it, to a "zero-day exploit" or "zero-day attack." Zero-days are especially dangerous because traditional signature-based defenses have nothing to detect — there's no known pattern yet — so organizations must rely on behavioral detection, network segmentation, and rapid incident response rather than a patch that doesn't exist yet. Zero-days are discovered by security researchers, criminal groups, and nation-state actors alike. Researchers who find them typically report responsibly to the vendor (sometimes through a bug bounty program) or disclose publicly after a grace period, giving the vendor time to issue a fix before attackers can widely exploit it. Once a patch is released and applied, the vulnerability is no longer a zero-day, though unpatched systems remain at risk indefinitely. Each disclosed vulnerability is typically catalogued as a CVE (Common Vulnerabilities and Exposures) entry for tracking. Zero-day defense strategy — including patch management cadence and detection tooling — is a core part of offensive and defensive security curricula such as Offensive Security & Penetration Testing.

Key Concepts

  • Unknown to the software vendor at the time of discovery or exploitation
  • No official patch exists when the vulnerability is first exploited
  • Bypasses signature-based detection since no known pattern exists yet
  • Discovered by researchers, criminal groups, and nation-state actors
  • Often disclosed responsibly through vendor coordination or bug bounty programs
  • Cataloged as a CVE once publicly disclosed and tracked

Use Cases

Nation-state cyber-espionage campaigns exploiting unpatched software
Criminal ransomware operations exploiting zero-days for initial access
Bug bounty hunters discovering and responsibly disclosing flaws for reward
Vendors issuing emergency out-of-cycle patches in response to active exploitation
Security teams deploying virtual patching (WAF rules) while awaiting an official fix

Frequently Asked Questions

From the Blog