What Is a Zero-Day Vulnerability and How Exploits Get Discovered

A zero-day vulnerability is an unknown software flaw that attackers can exploit before any patch exists. This article explains how zero-days are discovered, traded, weaponized, and defended against.

The InfoNexus Editorial Team · May 10, 2026 · 9 min read

What Is a Zero-Day Vulnerability?

A zero-day vulnerability (often written as 0-day) is a software security flaw that is unknown to the software vendor and the wider security community, and that therefore has no available patch or remediation at the time it is exploited. The term originates from the idea that the vendor has had zero days to address and fix the problem. Once a vulnerability becomes publicly known and a patch is released, it is no longer technically a zero-day — it becomes an n-day vulnerability, where n represents the number of days since public disclosure.

Zero-days are among the most valuable assets in offensive cybersecurity because they can be exploited against fully patched systems with no available defense. This makes them particularly prized by nation-state intelligence agencies, advanced persistent threat (APT) groups, and sophisticated criminal organizations. A reliable, weaponized zero-day exploit targeting a widely deployed platform (such as Windows, iOS, or popular enterprise software) can command prices ranging from tens of thousands to millions of dollars on the vulnerability market.

How Zero-Day Vulnerabilities Are Discovered

Zero-day vulnerabilities are discovered through several different processes, each with different motivations and outcomes. Security researchers — both independent and employed by security companies — proactively analyze software for flaws through a combination of manual code review, automated static and dynamic analysis, and fuzzing (automated generation of unexpected inputs to trigger crashes or unexpected behaviors that indicate potential vulnerabilities). Fuzzing tools like AFL (American Fuzzy Lop) have been responsible for discovering thousands of previously unknown vulnerabilities in widely used software.
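To make the fuzzing idea concrete, here is an added example (not code from the article or from AFL): a minimal mutation fuzzer driven against a constructed toy parser for a length-prefixed record format. The parser's flaw, trusting its own length field, is an assumption built in for illustration, and the hardened variant beside it shows that the same fuzzer then finds nothing.

```python
import random

# Constructed toy parser for a length-prefixed record: byte 0 declares the
# payload length, the rest is the payload. The deliberate flaw, an assumption
# made for this example, is that the declared length is trusted, so a record
# whose declared length exceeds the real payload reads past the end (IndexError).
def parse_record(data: bytes) -> bytes:
    if not data:
        raise ValueError("empty record")  # expected, handled rejection
    declared = data[0]
    return bytes(data[1 + i] for i in range(declared))

# Hardened version: validate the length field before using it.
def parse_record_fixed(data: bytes) -> bytes:
    if not data or data[0] > len(data) - 1:
        raise ValueError("empty or truncated record")
    return data[1:1 + data[0]]

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to three random bit flips, byte inserts or byte deletes."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(("flip", "insert", "delete"))
        if op == "flip" and data:
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        elif op == "insert":
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
        elif op == "delete" and data:
            del data[rng.randrange(len(data))]
    return bytes(data)

def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1):
    """Feed mutated inputs to target and collect every input that raises
    something other than the parser's own ValueError: (input, exception name)."""
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:  # unexpected exception = crash candidate
            crashes.append((case, type(exc).__name__))
    return crashes

if __name__ == "__main__":
    seed = b"\x03abc"
    found = fuzz(parse_record, seed)
    print(len(found), "crashing inputs for the flawed parser, e.g.", found[0] if found else None)
    print(len(fuzz(parse_record_fixed, seed)), "crashing inputs for the fixed parser")
```

Real fuzzers add coverage feedback so that inputs which reach new code are kept as fresh seeds; this loop is the blind, mutation-only core of that idea.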

Researchers may also discover vulnerabilities through reverse engineering — analyzing compiled software binaries to understand their structure and logic without access to source code. Binary analysis tools and techniques allow skilled researchers to identify memory corruption issues, logic errors, and authentication bypasses in closed-source software. Additionally, when a vendor releases a patch for a known vulnerability, researchers will sometimes perform patch diffing — comparing the pre-patch and post-patch code to understand the exact nature of the fix and identify whether similar patterns of vulnerability exist elsewhere in the same codebase.

The Vulnerability Market: Bug Bounties to Gray Markets

Once discovered, a zero-day can follow several paths. Responsible disclosure (also called coordinated vulnerability disclosure) is the security community's preferred approach: the researcher notifies the vendor privately, gives them a reasonable time (typically 90 days, as advocated by Google Project Zero) to develop and release a patch, and only then publishes details. This process allows users to receive a patch before public knowledge of the vulnerability creates a rush by malicious actors to exploit it. Many major technology companies operate formal bug bounty programs that pay researchers for responsibly disclosed vulnerabilities — payouts can range from a few hundred dollars to over $1 million for critical iOS or Android vulnerabilities.

A separate and controversial gray market exists for zero-days not disclosed to vendors. Companies such as Zerodium publicly offer to purchase zero-day exploits from researchers, with published payout schedules reaching $2.5 million for full iPhone exploit chains. Governments and defense contractors purchase these exploits for offensive intelligence operations. The ethics of this market are heavily debated: proponents argue that governments need offensive capabilities for legitimate intelligence and national security operations; critics argue that stockpiling vulnerabilities rather than disclosing them to vendors puts billions of ordinary users at risk — a concern illustrated by the 2017 leak of NSA-developed exploits (including EternalBlue, which was subsequently weaponized in the WannaCry and NotPetya attacks).

Weaponizing a Zero-Day: The Exploit Chain

Discovering a vulnerability is only the first step — turning a software bug into a reliable, weaponized exploit requires substantial additional technical work. A vulnerability is the flaw; an exploit is the code that takes advantage of that flaw to achieve a specific malicious outcome. Common vulnerability classes include memory corruption issues (buffer overflows, use-after-free, heap corruption), logic errors (authentication bypasses, privilege escalation flaws), and injection vulnerabilities (code or command injection through improper input handling).

Modern operating systems and applications implement multiple layers of exploit mitigations that make turning vulnerabilities into reliable exploits increasingly difficult. These include Address Space Layout Randomization (ASLR) — which randomizes where code and data are loaded in memory, preventing attackers from hardcoding target addresses — and Data Execution Prevention (DEP/NX) — which prevents code execution from data memory regions. To bypass these mitigations, sophisticated exploit authors often chain multiple vulnerabilities together: an initial bug to achieve limited access, followed by a bypass of ASLR to find target addresses, followed by a technique to circumvent DEP and execute arbitrary code. These multi-stage exploit chains targeting hardened platforms are extraordinarily complex to develop and correspondingly rare and valuable.

Notable Zero-Day Attacks

Several real-world zero-day attacks illustrate the range of actors and impacts involved. Stuxnet (discovered 2010), widely attributed to U.S. and Israeli intelligence, used four previously unknown Windows zero-days to deliver a highly targeted payload that physically damaged Iranian nuclear centrifuges — the first publicly known cyberweapon designed to cause physical destruction. EternalBlue was a zero-day in Windows SMB developed by the NSA, stolen in the 2017 Shadow Brokers leak, and subsequently used in both the WannaCry ransomware attack (affecting 200,000+ organizations worldwide) and the NotPetya destructive attack (causing over $10 billion in global damages).

The FORCEDENTRY exploit, documented by Citizen Lab and analyzed by Google Project Zero in 2021, was a sophisticated zero-click iOS exploit (requiring no user interaction) developed by the NSO Group and used to compromise the iPhones of journalists, activists, and political figures worldwide through the Pegasus spyware. The Log4Shell vulnerability (CVE-2021-44228) in the widely used Log4j Java logging library became one of the most widely exploited vulnerabilities in history within days of disclosure, demonstrating the catastrophic reach of flaws in ubiquitous open-source dependencies.

Defending Against Zero-Days

By definition, zero-day exploits cannot be prevented through patching alone because no patch yet exists. Defense relies on additional strategies. Defense in depth — layering multiple security controls so that exploitation of a single vulnerability does not directly lead to a catastrophic outcome — is the fundamental principle. Even if an attacker exploits a zero-day to gain initial access, network segmentation, privilege minimization, and monitoring can contain the damage.

  • Endpoint Detection and Response (EDR): Behavioral detection can identify exploit-like activity (unusual memory access patterns, privilege escalation attempts) even for unknown vulnerabilities.
  • Application sandboxing: Running applications in isolated environments (as modern browsers and mobile OS apps do) limits the damage an exploit can cause.
  • Network traffic analysis: Unusual outbound connections from compromised systems can be detected even when the exploit vector is unknown.
  • Rapid patch deployment: While zero-days cannot be patched before disclosure, rapid patch deployment for known vulnerabilities reduces the attack surface and frees security teams to focus monitoring resources on truly unknown threats.
  • Threat intelligence: Subscribing to threat intelligence feeds that provide early warning of active exploits — sometimes before patches are available — enables faster defensive response.
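The network traffic analysis point above, as an added example that is not part of the original article: a per-host baseline of outbound destinations is learned from a quiet period, and connections in a later window are flagged when they go somewhere new or recur at a near-constant interval. All records, host names and the 203.0.113.9 documentation address are constructed for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound connection records: (unix time, source host, destination, port).
# Baseline window: normal activity from which per-host destination sets are learned.
BASELINE = [
    (1000, "ws-17", "intranet.example", 443), (1300, "ws-17", "mail.example", 993),
    (1600, "ws-17", "intranet.example", 443), (1100, "ws-22", "intranet.example", 443),
]
# Observation window: ws-17 now also contacts 203.0.113.9:8443 every 60 s; that regular
# cadence is the constructed "beacon" the detector should flag.
OBSERVED = [(2000 + 60 * k, "ws-17", "203.0.113.9", 8443) for k in range(6)] + [
    (2010, "ws-17", "intranet.example", 443), (2050, "ws-22", "intranet.example", 443),
    (2400, "ws-22", "mail.example", 993),
]

def learn_baseline(records):
    """Per-host set of (destination, port) pairs seen during the baseline window."""
    seen = defaultdict(set)
    for _, src, dst, port in records:
        seen[src].add((dst, port))
    return seen

def new_destinations(baseline, records):
    """Connections to a (destination, port) the source host never used before."""
    alerts = {(src, dst, port) for _, src, dst, port in records
              if (dst, port) not in baseline.get(src, set())}
    return sorted(alerts)

def beaconing(records, min_connections=5, max_jitter=0.1):
    """Flag (src, dst, port) tuples contacted at near-constant intervals: the
    coefficient of variation of the inter-connection gaps is at most max_jitter."""
    times = defaultdict(list)
    for ts, src, dst, port in records:
        times[(src, dst, port)].append(ts)
    flagged = []
    for key, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            flagged.append(key)
    return sorted(flagged)

if __name__ == "__main__":
    base = learn_baseline(BASELINE)
    print("new destinations:", new_destinations(base, OBSERVED))
    print("beaconing:", beaconing(OBSERVED))
```

Note that ws-22's first mail connection is also reported as a new destination; on its own that signal is weak, and it is the overlap with the beaconing result that makes the ws-17 finding worth escalating.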