Zero-Day Vulnerability
A zero-day vulnerability is a software flaw that is unknown to the vendor and has no available patch, meaning defenders have had "zero days" to fix it before it can potentially be exploited.
Definition
A zero-day vulnerability is a software flaw that is unknown to the vendor and has no available patch, meaning defenders have had "zero days" to fix it before it can potentially be exploited.
Overview
The term applies both to the vulnerability itself and, once someone actively exploits it, to a "zero-day exploit" or "zero-day attack." Zero-days are especially dangerous because traditional signature-based defenses have nothing to detect — there's no known pattern yet — so organizations must rely on behavioral detection, network segmentation, and rapid incident response rather than a patch that doesn't exist yet. Zero-days are discovered by security researchers, criminal groups, and nation-state actors alike. Researchers who find them typically report responsibly to the vendor (sometimes through a bug bounty program) or disclose publicly after a grace period, giving the vendor time to issue a fix before attackers can widely exploit it. Once a patch is released and applied, the vulnerability is no longer a zero-day, though unpatched systems remain at risk indefinitely. Each disclosed vulnerability is typically catalogued as a CVE (Common Vulnerabilities and Exposures) entry for tracking. Zero-day defense strategy — including patch management cadence and detection tooling — is a core part of offensive and defensive security curricula such as Offensive Security & Penetration Testing.
Key Concepts
- Unknown to the software vendor at the time of discovery or exploitation
- No official patch exists when the vulnerability is first exploited
- Bypasses signature-based detection since no known pattern exists yet
- Discovered by researchers, criminal groups, and nation-state actors
- Often disclosed responsibly through vendor coordination or bug bounty programs
- Cataloged as a CVE once publicly disclosed and tracked
Use Cases
Frequently Asked Questions
From the Blog
Cybersecurity for Developers: The OWASP Top 10 Explained
The OWASP Top 10 is the industry standard list of critical web application security risks. This guide explains each vulnerability, shows what an attack looks like, and gives concrete code fixes that every developer can implement today.
Read More Career GrowthHow to Switch to a Tech Career in 6 Months
A practical, no-fluff guide to transitioning into tech — even if you are starting from zero.
Read More