Zero-day vulnerabilities are among the most feared concepts in cybersecurity. Understanding how they work — and how to defend against them — is essential for any security professional.

What is a Zero-Day?

A zero-day vulnerability is a software security flaw that is unknown to the software vendor and has therefore had "zero days" to be patched. These flaws are valuable precisely because there is no defence against a threat you don't know exists.

The Vulnerability Lifecycle

1. Discovery: A researcher or malicious actor finds a flaw in software
2. Exploitation: An exploit is developed to weaponise the vulnerability
3. Zero-Day Period: The attacker uses the exploit before the vendor knows it exists
4. Disclosure: The vulnerability is reported (responsible disclosure) or leaked/sold
5. Patch Release: The vendor releases a security update
6. Patch Deployment: Organisations apply the patch (often days to months later)

The Zero-Day Market

There is an active market for zero-day exploits. Government buyers (NSA, GCHQ, etc.) pay millions of dollars for zero-days in iOS, Android, and Windows. The NSO Group's Pegasus spyware used multiple iOS zero-days costing an estimated $2.5M per device compromise.

Notable Zero-Days

• Log4Shell (CVE-2021-44228): Affected millions of Java applications. A 10/10 CVSS score. Exploited within hours of public disclosure.
• EternalBlue (MS17-010): NSA-developed exploit leaked by Shadow Brokers. Used in WannaCry and NotPetya ransomware attacks.
• ProxyLogon: Microsoft Exchange vulnerabilities exploited by Chinese state actors before patching.

Defensive Strategies

Patch aggressively (zero-days become N-days after disclosure). Implement defence-in-depth: network segmentation, endpoint detection, behaviour-based monitoring. Keep software inventory updated. Threat intelligence subscriptions provide early warning.