Zero-Day Vulnerabilities: How They Work, Why They Spread, and How to Detect Them Before Damage Is Done
What zero-day vulnerabilities are, how exploit chains work, recent CVEs, and a detection framework using behavioral analysis, SBOM monitoring, and zero trust architecture.
Looking for the Netflix show? This page covers zero-day vulnerabilities in cybersecurity — the real-world software flaws that inspired the series. For the show, head to Netflix's Zero Day page.
Table of Contents
- What Is a Zero-Day Vulnerability?
- Zero-Day vs. Known Vulnerability: The Critical Difference
- How Zero-Day Exploits Work: Anatomy of an Attack
- Real-World Zero-Day Attacks: Recent CVEs That Made Headlines
- Why Zero-Day Vulnerabilities Are Increasing
- Detection: How to Find What Signatures Can't
- Protection Framework: Reducing Your Zero-Day Attack Surface
- Building a Zero-Day Response Plan
- Key Takeaways
What Is a Zero-Day Vulnerability?
A zero-day vulnerability is a software flaw unknown to the vendor — and therefore unpatched. The name refers to the number of days the vendor has had to fix it: zero.
This matters because every defensive tool that relies on known signatures — antivirus, IDS rules, WAF patterns — is blind to it. The vulnerability exists in production, attackers know about it, and there's no patch to deploy.
Three terms get conflated. They shouldn't be:
- Zero-day vulnerability: The flaw itself, present in software but undisclosed to the vendor.
- Zero-day exploit: The code or technique that takes advantage of that flaw.
- Zero-day attack: The real-world use of that exploit against a target.
A vulnerability can exist for months or years before an exploit surfaces. The exploit can circulate in private markets before anyone uses it in an attack. Each stage represents a different risk — and a different detection opportunity.
Zero-Day vs. Known Vulnerability: The Critical Difference
Known vulnerabilities have CVE identifiers, vendor advisories, and patches. Your scanner finds them. Your patch cycle fixes them. The process is well-understood.
Zero-days don't follow that process.
| | Known Vulnerability | Zero-Day Vulnerability |
|---|---|---|
| Vendor awareness | Yes — CVE assigned | No — undisclosed |
| Patch available | Yes, or in progress | No |
| Signature detection | Effective | Ineffective |
| Primary defense | Patch management | Behavioral detection, segmentation |
| Average time to patch | 60–90 days (MTTR) | Unknown until discovery |
| Threat actor cost | Low (public exploits) | High ($100K–$2.5M on broker markets) |
The cost difference is significant. A known exploit is free to download. A zero-day exploit for iOS sold for $2 million on the broker market in 2024, according to Zerodium's published price list. That price reflects the value of staying undetected.
How Zero-Day Exploits Work: Anatomy of an Attack
Zero-day exploits follow a predictable chain, even when the vulnerability itself is novel. Understanding the chain exposes where detection and containment are possible.
The Exploit Chain
1. Discovery — A threat actor (or researcher) identifies a flaw. This could be a memory corruption bug, a logic error in authentication, or an API that fails to validate input. Fuzzing tools, source code review, and reverse engineering are common discovery methods.
2. Weaponization — The flaw becomes a working exploit. The attacker builds code that reliably triggers the vulnerability — often accounting for ASLR, DEP, and other memory protections. Sophisticated exploit chains combine multiple vulnerabilities: one for initial access, another for privilege escalation.
3. Delivery — The exploit reaches the target. Common vectors include spear-phishing emails with malicious attachments, watering hole attacks on industry-specific websites, and compromised supply chain updates. The 2020 SolarWinds attack used a poisoned software update — the delivery mechanism itself was trusted.
4. Execution — The exploit fires. On the target system, it triggers the vulnerability and executes attacker-controlled code. This often happens in memory, leaving minimal disk artifacts.
5. Lateral Movement — Initial access is rarely the end goal. The attacker moves through the network — escalating privileges, harvesting credentials, and reaching high-value targets. MITRE ATT&CK documents these techniques under Lateral Movement (TA0008) and Privilege Escalation (TA0004).
6. Objective — Data exfiltration, ransomware deployment, persistent access, or espionage. The zero-day provided the door. Everything after it uses standard post-exploitation tradecraft.
[Diagram suggestion: linear exploit chain flowchart showing Discovery → Weaponization → Delivery → Execution → Lateral Movement → Objective, with detection opportunity markers at Delivery, Execution, and Lateral Movement stages]
Where Detection Is Possible
The exploit itself — stages 1 and 2 — is invisible to defenders. But stages 3 through 6 generate observable behavior. Unusual network connections, unexpected process creation, credential access patterns, and anomalous data transfers all produce indicators of compromise (IOCs) that behavioral detection tools can flag.
This is the core principle: you can't detect the unknown vulnerability, but you can detect what an attacker does after exploiting it.
Real-World Zero-Day Attacks: Recent CVEs That Made Headlines
Abstract definitions only go so far. These incidents show how zero-day vulnerabilities behave in practice.
MOVEit Transfer — CVE-2023-34362
Vulnerability: SQL injection in Progress Software's MOVEit Transfer file-sharing application.
Impact: The Cl0p ransomware group exploited this flaw to steal data from over 2,500 organizations, affecting an estimated 90 million individuals. Victims included the BBC, British Airways, and multiple U.S. federal agencies.
Detection gap: The vulnerability existed in a legitimate file transfer tool. Traffic patterns looked normal. Organizations without application-layer monitoring missed the exfiltration entirely.
Lesson: File transfer tools are high-value targets. Monitor them with the same rigor as internet-facing web applications.
Ivanti Connect Secure — CVE-2024-21887 and CVE-2023-46805
Vulnerability: An authentication bypass chained with a command injection in Ivanti's VPN appliance.
Impact: Threat actors — attributed to China-nexus groups by Mandiant — exploited this chain to access government and defense networks across multiple countries. CISA issued an emergency directive requiring federal agencies to disconnect affected devices.
Detection gap: The VPN appliance itself was the entry point. Attackers used living-off-the-land techniques post-exploitation, avoiding malware that would trigger endpoint alerts.
Lesson: Network edge devices (VPNs, firewalls, load balancers) are prime zero-day targets because they sit outside typical EDR coverage.
Google Chrome V8 — CVE-2025-0291
Vulnerability: Type confusion bug in Chrome's V8 JavaScript engine, actively exploited in the wild in early 2025.
Impact: Allowed remote code execution through a crafted web page. Google patched it within days of discovery, but the exploitation window was used in targeted attacks against specific organizations.
Lesson: Browser zero-days remain a preferred delivery mechanism. Network segmentation limits what an attacker gains even when browser exploitation succeeds.
The Numbers
Google's Threat Analysis Group tracked 97 zero-day vulnerabilities exploited in the wild during 2024 — up from 62 in 2023. Of those, 36% targeted enterprise-specific products (network appliances, security tools, file transfer software) rather than consumer applications like browsers and mobile OS.
That shift matters. Enterprise products often lack the rapid patch cycles and bug bounty programs that consumer software benefits from.
[Diagram suggestion: bar chart showing zero-day exploitation trends 2020–2025, with enterprise vs. consumer product breakdown]
Why Zero-Day Vulnerabilities Are Increasing
Three structural factors drive the increase — not just "more attackers."
Expanding Attack Surface
The average enterprise now runs workloads across on-premises infrastructure, multiple cloud providers, SaaS applications, and edge devices. Each component introduces code from different vendors with different security maturity levels. More code means more flaws. A 2024 Synopsys audit found that 96% of commercial codebases contained open-source components, and 84% contained at least one known vulnerability. The unknown ones don't show up in audits.
The Broker Market
Zero-day exploits are commodities. Firms like Zerodium and government contractors purchase them openly. Zerodium's public price list tops out at $2.5 million for a full-chain Android exploit. State-sponsored groups maintain internal exploit development teams. The financial incentive to discover and hoard — rather than disclose — is enormous.
Software Complexity and Supply Chains
Modern applications depend on deep dependency trees. A single Node.js project averages 200+ transitive dependencies. Each one is a potential zero-day vector. The XZ Utils backdoor (CVE-2024-3094) demonstrated this: a threat actor spent two years gaining maintainer trust on an obscure compression library, then inserted a backdoor targeting SSH authentication. The supply chain is only as strong as its least-reviewed component.
Detection: How to Find What Signatures Can't
Signature-based detection fails against zero-days by definition. These five approaches detect attacker behavior regardless of the vulnerability used.
1. Behavioral Analysis and EDR
Endpoint detection and response platforms monitor process behavior, not file signatures. When an exploit triggers a legitimate application to spawn an unexpected child process, inject into another process's memory space, or initiate an outbound connection to an unfamiliar IP — EDR flags the anomaly.
What to monitor: Process creation chains, unusual parent-child relationships, in-memory execution patterns, and registry modifications inconsistent with application behavior.
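As an added example (not from this article or any vendor's rule set), here is a minimal parent-child check over constructed process-creation telemetry; the image-name sets and the command-line heuristics are illustrative assumptions:

```python
from dataclasses import dataclass

# Parents that should not be spawning shells or script hosts, and the children
# that behavioral rules treat as high-signal. Both sets are illustrative assumptions.
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe", "chrome.exe"}
SHELLS_AND_SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # lowercase image name, e.g. "winword.exe"
    cmdline: str

def ancestry(by_pid, event):
    """Render the parent chain as 'grandparent > parent > child' for the alert text."""
    chain, seen = [event.image], {event.pid}
    while event.ppid in by_pid and event.ppid not in seen:
        event = by_pid[event.ppid]
        seen.add(event.pid)
        chain.append(event.image)
    return " > ".join(reversed(chain))

def find_suspicious_chains(events):
    """Return (chain, reason) pairs for parent-child relationships that are
    inconsistent with normal application behavior."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None or child.image not in SHELLS_AND_SCRIPT_HOSTS:
            continue
        if parent.image in USER_FACING_PARENTS:
            findings.append((ancestry(by_pid, child), "document handler spawned shell/script host"))
        elif " -enc" in child.cmdline.lower() or "hidden" in child.cmdline.lower():
            findings.append((ancestry(by_pid, child), "shell launched with hidden/encoded command line"))
    return findings

# Constructed sample telemetry: a macro-enabled document launching PowerShell,
# alongside a benign Chrome renderer child and a benign interactive cmd.exe.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, "winword.exe", "winword.exe /n invoice.docm"),
    ProcessEvent(300, 200, "powershell.exe", "powershell.exe -nop -w hidden -enc <base64-placeholder>"),
    ProcessEvent(400, 100, "chrome.exe", "chrome.exe"),
    ProcessEvent(500, 400, "chrome.exe", "chrome.exe --type=renderer"),
    ProcessEvent(600, 100, "cmd.exe", "cmd.exe /c dir"),
]
```

The benign Chrome renderer and the user-launched cmd.exe produce no finding; only the Word-to-PowerShell chain is reported, with its full ancestry.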
2. Network Traffic Analysis
Zero-day exploits may be invisible, but command-and-control traffic isn't. Network detection tools analyze traffic metadata — connection timing, data volume, destination reputation, protocol anomalies — to identify post-exploitation communication.
What to monitor: DNS queries to newly registered domains, beaconing patterns (regular interval callbacks), encrypted traffic to unusual destinations, and data transfers exceeding normal baselines for a given system.
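As an added example (not from this article), a simple beacon detector run over constructed connection-log lines: it flags (source, destination) pairs whose callback intervals are near-constant, the "regular interval callbacks" pattern described above. The log format, the 10% jitter cutoff and the minimum sample count are assumptions:

```python
import statistics
from collections import defaultdict
from datetime import datetime

def parse_line(line):
    """Parse a constructed log line: '<iso-timestamp> <src> <dst> <dport> <bytes>'."""
    ts, src, dst, _dport, _nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst

def find_beacons(lines, min_connections=6, max_cv=0.1):
    """Return {(src, dst): (mean_gap_s, cv)} for flows whose inter-connection gaps
    are near-constant. cv = population stdev / mean of the gaps; the 0.1 cutoff
    (10% jitter) is an assumed starting threshold, not a vendor default."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        flows[(src, dst)].append(ts)
    beacons = {}
    for key, stamps in flows.items():
        if len(stamps) < min_connections:   # too few samples to call the flow periodic
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[key] = (round(mean, 1), round(cv, 3))
    return beacons

# Constructed sample: 10.0.0.5 calls 203.0.113.10 every ~60 s with small jitter,
# while 10.0.0.7 browses 198.51.100.20 at irregular, human-paced intervals.
BEACON_TIMES = ["10:00:00", "10:01:01", "10:02:00", "10:03:02", "10:03:59", "10:05:00", "10:06:01"]
BROWSE_TIMES = ["10:00:00", "10:00:05", "10:02:30", "10:02:31", "10:09:00", "10:09:45", "10:20:00"]
SAMPLE_LOG = (
    [f"2025-01-15T{t} 10.0.0.5 203.0.113.10 443 512" for t in BEACON_TIMES]
    + [f"2025-01-15T{t} 10.0.0.7 198.51.100.20 443 9100" for t in BROWSE_TIMES]
)
```

Real implants add deliberate jitter, so in practice the cutoff is tuned per environment and combined with destination reputation and data-volume baselines rather than used alone.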
3. Threat Intelligence Integration
Threat intelligence feeds won't contain the zero-day itself, but they provide context about active threat actor TTPs (tactics, techniques, and procedures). If a threat actor group is known to target your industry using specific lateral movement techniques, you can write detection rules for those techniques regardless of the initial access vector.
What to integrate: MITRE ATT&CK technique mappings, industry-specific threat reports, IOC feeds focused on infrastructure (IPs, domains) rather than file hashes.
4. Software Bill of Materials (SBOM) Monitoring
An SBOM catalogs every component in your software stack. When a zero-day is disclosed, an accurate SBOM tells you within minutes whether you're affected. Without one, you're running vulnerability scans and hoping for the best.
What to track: All third-party libraries, their versions, their transitive dependencies, and their update frequency. Automate SBOM generation in your CI/CD pipeline.
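As an added example (not from this article), an advisory lookup against a constructed CycloneDX-style SBOM that also walks transitive dependencies, so a vulnerable copy pulled in indirectly is found even when the directly pinned version is already fixed. The components, purls and advisory are made up; the field names are CycloneDX's:

```python
import json
from collections import defaultdict

# Constructed CycloneDX-style SBOM: real field names, made-up components.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"name": "web-app",     "version": "3.1.0", "purl": "pkg:npm/web-app@3.1.0"},
    {"name": "http-client", "version": "2.4.1", "purl": "pkg:npm/http-client@2.4.1"},
    {"name": "xml-parse",   "version": "1.8.3", "purl": "pkg:npm/xml-parse@1.8.3"},
    {"name": "xml-parse",   "version": "1.9.2", "purl": "pkg:npm/xml-parse@1.9.2"}
  ],
  "dependencies": [
    {"ref": "pkg:npm/web-app@3.1.0",     "dependsOn": ["pkg:npm/http-client@2.4.1", "pkg:npm/xml-parse@1.9.2"]},
    {"ref": "pkg:npm/http-client@2.4.1", "dependsOn": ["pkg:npm/xml-parse@1.8.3"]}
  ]
}"""

# Hypothetical advisory: xml-parse versions >= 1.8.0 and < 1.9.0 are affected.
ADVISORY = {"id": "ADVISORY-ID-PLACEHOLDER", "package": "xml-parse", "introduced": "1.8.0", "fixed": "1.9.0"}

def vtuple(version):
    """Dotted numeric version -> comparable tuple (pre-release tags are out of scope here)."""
    return tuple(int(part) for part in version.split("."))

def in_range(version, adv):
    return vtuple(adv["introduced"]) <= vtuple(version) < vtuple(adv["fixed"])

def dependents_of(purl, parents):
    """Every component that transitively depends on purl: the blast radius."""
    seen, stack = set(), [purl]
    while stack:
        for parent in parents.get(stack.pop(), []):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen

def affected_components(sbom, adv):
    """Map each vulnerable component purl to the sorted components that pull it in."""
    parents = defaultdict(list)
    for dep in sbom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            parents[child].append(dep["ref"])
    return {c["purl"]: sorted(dependents_of(c["purl"], parents))
            for c in sbom["components"]
            if c["name"] == adv["package"] and in_range(c["version"], adv)}

def check_sbom(sbom_json=SBOM_JSON, adv=ADVISORY):
    return affected_components(json.loads(sbom_json), adv)
```

Here the application pins a fixed xml-parse 1.9.2 directly, but http-client still drags in the vulnerable 1.8.3, which is exactly the case a flat "is version X installed?" check misses.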
5. Deception Technology
Honeypots, honeytokens, and decoy credentials detect attackers during lateral movement. A zero-day gets an attacker through the front door — but when they touch a canary file or query a decoy database, you get an alert with zero false positives.
What to deploy: Canary tokens in file shares, decoy credentials in memory, honey databases with tripwire queries, and fake admin accounts that trigger on authentication.
[Diagram suggestion: detection layer diagram showing Perimeter → Network → Endpoint → Application → Deception, with relevant detection methods mapped to each layer]
Protection Framework: Reducing Your Zero-Day Attack Surface
You can't patch what you don't know about. But you can architect your environment so a single exploited vulnerability doesn't lead to full compromise.
Zero Trust Architecture
Assume every network segment is compromised. Require authentication and authorization for every access request — not just at the perimeter.
Implementation priorities:
- Microsegmentation between workloads (limit lateral movement paths)
- Identity-based access controls with continuous verification
- Least-privilege access for all service accounts and users
- Encrypted east-west traffic between internal services
Patch Cadence and Virtual Patching
You can't patch a zero-day, but you can reduce your exposure to the exploit chain that follows it. Aggressive patching of known vulnerabilities denies attackers the second and third links in multi-vulnerability exploit chains.
Target metrics:
- Critical vulnerabilities: patch within 48 hours
- High-severity: patch within 7 days
- Virtual patching (WAF rules, IPS signatures) deployed within 24 hours of vendor advisory
Application Hardening
Reduce what an exploit can do even when it fires successfully.
- Memory protections: Enforce ASLR, DEP, and Control Flow Integrity (CFI) across all production systems
- Application sandboxing: Run browsers and document viewers in isolated containers
- Privilege reduction: Applications run as least-privilege accounts — not root, not admin, not SYSTEM
Network Segmentation
Flat networks are a zero-day attacker's best friend. One exploited system gives access to everything.
Segment by function: production databases shouldn't be reachable from workstations. Development environments shouldn't share credentials with production. OT networks shouldn't touch IT networks at all.
Building a Zero-Day Response Plan
Detection without response is just observation. A zero-day response plan maps each detection signal to a containment action.
Response Timeline
| Timeframe | Action |
|---|---|
| 0–15 minutes | Isolate affected system from network. Preserve memory dump and disk image for forensics. |
| 15–60 minutes | Identify scope: which other systems communicate with the affected host? Check SBOM for shared vulnerable components. |
| 1–4 hours | Deploy virtual patches or compensating controls. Block known IOCs at firewall and DNS. Notify incident response team. |
| 4–24 hours | Complete forensic analysis. Determine attacker objectives and lateral movement paths. Apply vendor patch if available. |
| 24–72 hours | Conduct threat hunt across environment for related IOCs. Update detection rules. Brief leadership on scope and impact. |
Mean Time to Detect and Respond
Two metrics define your zero-day readiness:
- MTTD (Mean Time to Detect): The average time between initial compromise and detection. IBM's 2024 Cost of a Data Breach report places the global average at 194 days. Organizations with behavioral detection and threat intelligence integration reduce this to under 30 days.
- MTTR (Mean Time to Respond): Time from detection to containment. The benchmark difference is stark: organizations with an incident response plan and regular tabletop exercises average 54 days shorter MTTR than those without.
Reducing MTTD by even 30 days significantly limits data exfiltration volume and attacker entrenchment.
Key Takeaways
- A zero-day vulnerability is a flaw with no patch. The exploit targets the flaw. The attack uses the exploit. Each stage presents different risks and different detection opportunities.
- Signature-based tools can't detect zero-days. Behavioral analysis, network monitoring, SBOM tracking, and deception technology detect attacker actions after exploitation.
- Enterprise products — VPNs, file transfer tools, network appliances — now account for 36% of exploited zero-days. These sit outside traditional EDR coverage and require dedicated monitoring.
- Zero trust architecture, microsegmentation, and aggressive patch cadence don't prevent zero-day exploitation. They limit what an attacker achieves after exploitation — which is the realistic defensive goal.
- MTTD and MTTR are the metrics that matter. Faster detection and practiced response plans are the measurable difference between a contained incident and a headline breach.