Zero-day exploits are code vulnerabilities and loopholes that are unknown to software vendors, security researchers and the public. The term “zero day” originates from the time remaining for a software vendor to patch buggy code. With zero days — or zero hours — to respond, developers are vulnerable to attack and have no time to patch the code and block the hole. One bug can give hackers enough access to explore and map internal networks, exfiltrate valuable data and find other attack vectors.

These critical vulnerabilities have severe impacts on businesses, governments and individuals. Cybercriminals and even foreign governments use these exploits to compromise data, disrupt operations and jeopardize national security.

With such high stakes on the line, it is critical for IT, security and business professionals to have a good understanding of how zero-day exploits work in order to grasp their potential impact and devise effective countermeasures.

How do zero-day exploits work?

Zero-day exploits typically follow a multi-step process that begins with the identification of the vulnerability and culminates in the exploit becoming active — at which point data is compromised or there is unauthorized access to a system. We break it down below:

  • Discovery of the vulnerability: The first event involves the discovery of the security flaw in a piece of software, a system or hardware component. If discovered by the vendor, a security patch is usually published and communicated to the public.
  • Exploit creation: Threat actors develop code or a process that can take advantage of the flaw. In order to succeed, they must do this faster than the vendor can roll out a patch to the public.
  • Initial intrusion: Using the exploit code, the attacker infiltrates the target system, with some of the most common attack vectors being buffer overflows, phishing, malicious websites and direct network attacks that exploit protocol flaws.
  • Privilege escalation: After gaining initial access, attackers will attempt to assign themselves greater privileges to execute commands or even control the system entirely.
  • Payload delivery: With greater privileges, the attacker delivers the payload, which could be anything from ransomware to a data extraction script.
  • Data compromise and/or system control: The next step is the actual compromise, whether it is encrypting files for ransom, stealing data or manipulating the system for other purposes.
  • Exit and cover tracks: Sophisticated attackers will often go to great lengths to remove traces of their activities using a number of tactics, such as log manipulation, use of proxy servers, data encryption, file overwriting, timestamp alteration and traffic obfuscation.
  • Sale or sharing of exploits: It is common practice for zero-day exploits to be shared or sold within hacker communities.

According to a 2015 FireEye Survey, a typical zero-day attack lasts an average of eight months. Research by Mandiant shows that zero-day exploits continue at an elevated pace — there were double the number of zero-day attacks in 2022 compared to 2020.

SEE: Learn how ethical hackers are helping to shrink the cybersecurity attack surface.

How do hackers find zero-day vulnerabilities?

The discovery of zero-day vulnerabilities is a combination of technical skill, creativity and sometimes sheer luck. Hackers employ various methods to discover hidden security flaws:

  • Fuzzing: This technique for automated testing involves sending abnormal data to a software application to check if the application crashes or exhibits responses that indicate a potential vulnerability.
  • Reverse engineering: Hackers analyze the architecture and functionality of compiled code by disassembling it into a high level language or intermediate language that is easy to understand, which allows them to identify weak points that can be exploited.
  • Code review: Some hackers examine the source code if available, searching for coding errors or security loopholes that can be taken advantage of.
  • Automated scanning tools: While these tools are commonly used to scan software for known vulnerabilities to be patched, they can be misused for malicious activities.
  • Social engineering: Hackers may employ social engineering techniques to deceive employees into revealing information that can grant access to a system.
  • Public information: Hackers often search forums, social media platforms and other public sources where developers or users might unknowingly disclose information about potential vulnerabilities.
  • Structural comparison of executable objects: Comparing versions of an executable file can unveil programmatic changes, including security patches, allowing hackers to identify vulnerabilities that have and have not been fixed.
  • Bug bounty programs: Some hackers discover vulnerabilities through bug bounty programs, such as Bugcrowd, only to later exploit them.
  • Insider information: In some instances, dissatisfied employees or business partners may disclose information about vulnerabilities, either for financial gain or other reasons.

What are the risks of zero-day exploits?

Zero-day vulnerabilities pose a range of risks that can cause severe harm to businesses, governments and individuals. Zero-day threats present technical challenges as well as significant business risks. The far-reaching implications of these attacks underscore the importance of implementing proactive security measures and maintaining constant vigilance.

PREMIUM: Stay prepared with this security awareness and training policy.

Below are some of the major risks posed by zero-day vulnerabilities:

Financial consequences

Zero-day attacks can lead to substantial financial losses for companies. These include expenses like engaging external experts and implementing emergency security measures, as well as indirect costs such as damage to reputation, loss of customer trust and potential legal liabilities. The financial impact can reach millions of dollars.

Data breaches

Unauthorized access to data is an objective of zero-day exploits. This can result in the theft of information like customer data, intellectual property and trade secrets. For individuals, it means the exposure of details, financial information and more.

Service disruption

Zero-day attacks have the potential to disrupt the functioning of systems and services. Businesses may experience downtime, decreased productivity and service disruptions that undermine customer trust and loyalty.

Compromised infrastructure

With increasing reliance on software in areas like devices and IoT technology, zero-day exploits pose risks not only to digital systems but also to physical infrastructure. Critical infrastructure systems, such as power grids, transportation networks and healthcare facilities, can be vulnerable to attacks with real-world consequences.

Supply chain

Supply chains are also at great risk from zero-day vulnerabilities.

“The unknown unknown is the (hardware) supply chain threat,” Joe Saunders, CEO of RunSage Security, told TechRepublic. “Imagine a cheap component or chip inserted into a mobile device that creates a backdoor for a nation state to exfiltrate data from every consumer’s phone. These threats are very difficult to detect as they may be embedded in standard code.

“Our best security experts need to assist our largest manufacturers, telecommunications, power plants and other physical infrastructure that relies on code.”

Left unsupervised, old code on infected hardware could result in a “disastrous kinetic event,” Saunders said.

Long-term risks

The impact of an exploit can extend beyond the patching of a zero-day vulnerability. Compromised systems may still harbor malware, and any data stolen during a breach can be traded or misused long after the initial incident has occurred.

Industries that would be most affected by zero-day exploits

The general populace and various types of organizations, ranging from small and midsize businesses to large enterprises, are all susceptible to zero-day exploits. However, there are certain industries, organizations and even individuals that are particularly targeted due to the nature of data they hold or the services they provide:

  • High value companies such as financial institutions, healthcare providers and critical infrastructure organizations.
  • Intellectual property holders such as tech companies and research institutions.
  • Political and social entities like government agencies and activists and journalists.
  • E-commerce platforms for online retailers.
  • Individuals such as those with a high net worth or cybersecurity experts.

Examples of zero-day attacks


Identified in 2010 by security researcher Sergey Ulasen, Stuxnet is the most well-known zero-day exploit. It targeted programmable logic controllers that regulated centrifuges used by Iran’s nuclear program. American cyber-experts estimated that the cyberattack set Iranian nuclear ambition back by three to five years.

Stuxnet remains the best-known zero-day and opened a new chapter in modern cyberwar that portends a dystopian future where cyberattacks against physical infrastructure kill and cause billions in damage.


MoveIT is a managed file transfer software. In May 2023, Russian hackers found a flaw in the software and used it to perform ransomware attacks on North American companies via a SQL injection. Hundreds of organizations, including banks, learning institutions and federal government agencies, were affected.


Cytrox, a commercial surveillance company, was outed in 2021 for selling zero-day exploits to government-backed actors. Research by Meta as well as teams of investigative journalists and other researchers found that the company engaged in indiscriminate targeting that included journalists, dissidents, opposition and human rights activists and critics of authoritarian regimes.

How to identify and prevent zero-day exploits

In a threat landscape that’s constantly evolving, it is critical to identify zero-day exploits on a timely basis and stop them. The main challenge is the window of vulnerability — a time frame that delineates the period from when the exploit becomes active to when most systems apply the security patch.

SEE: Explore these tips to help cybersecurity pros protect their organizations.

Since the exploit often becomes active before a patch is made available, vendors and security professionals must remain prepared to implement effective measures. Below are some strategies and best practices to identify and prevent zero-day exploits:

  • Keep software up to date as patches are released to fix known vulnerabilities. However, it’s important to be cautious when updating from unverified sources.
  • Consider intrusion detection systems that can detect unusual patterns or behaviors in networks, which helps with identifying zero-day exploits.
  • Implement endpoint security solutions that offer real-time monitoring and protection against both known and unknown threats.
  • Utilize behavioral analytics tools to identify any unusual user or system behavior, as these could indicate the presence of a zero-day exploit.
  • Educate employees about the risks associated with social engineering attacks, as human error often becomes the entry point for zero-day exploits.
  • Stay informed by subscribing to threat intelligence services that provide real-time information about vulnerabilities and exploits.
  • Conduct regular security audits using a security risk assessment checklist to proactively identify any vulnerabilities in your network and applications.
  • Develop an incident response plan, so security teams can act quickly and cohesively to mitigate the damage caused by a zero-day exploit.
  • Consult with external experts who can provide valuable insights into identifying and preventing zero-day threats when cybersecurity expertise is unavailable.
  • Consider AI technology, as these tools can effectively neutralize zero-day exploits in a proactive manner.

The zero-day ecosystem is evolving quickly and touches every market. For more dedicated training and certification, check out The Complete Ethical Hacking Bootcamp 2023 and the 2023 Complete Cyber Security Ethical Hacking Certification Bundle from TechRepublic Academy.

SEE: Explore all of TechRepublic’s cheat sheets and smart person’s guides.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday