Zero-Day Vulnerabilities

8 min read·Updated 2026-04-26
TL;DR

A zero-day vulnerability is one being exploited before a patch exists. They are dramatic, expensive, and statistically rare. The much larger problem is N-days: known vulnerabilities with patches available that attackers exploit because nobody applied the patch. CISA's Known Exploited Vulnerabilities catalogue is the most useful prioritisation signal defenders have, and the gap between KEV listing and patching is where most preventable breaches live.

What it is

The term "zero-day" comes from the number of days the defenders have had to patch when exploitation begins: zero. The vulnerability is being used in the wild before the vendor has issued a fix.

Once a patch exists, the vulnerability stops being a zero-day. From that moment on it is an N-day, where N is the number of days since the patch shipped. After 30 days it is a 30-day; after 90, a 90-day. After several years it is often still a real risk for organisations that have not patched.

People use "zero-day" loosely. In strict usage:

  • Zero-day vulnerability. A flaw the vendor does not yet know about, or knows about but has not patched.
  • Zero-day exploit. A working exploit for a vulnerability with no patch available.
  • Zero-day attack. Exploitation of a zero-day vulnerability against a target.

Some practitioners distinguish further between vulnerabilities that are publicly known but unpatched and ones still entirely unknown. The distinction matters less to the defender than the fact that no fix exists yet.

Why N-days dominate

The dramatic narrative around zero-days makes them feel like the central threat. The data does not support that.

Across multiple years of major ransomware analysis, threat intel reporting, and incident response statistics, the consistent picture is:

  • Most ransomware attacks exploit CVEs that are 30 to 90 days old, sometimes years old.
  • Most initial access in commodity attacks uses vulnerabilities patched at least three months earlier.
  • Genuinely novel zero-days account for a small fraction of overall attack volume, even if they generate a large fraction of news coverage.

The reason is economic. A zero-day that works costs anywhere from tens of thousands to several million dollars in the legitimate broker market. Burning it on a ransomware attack against a mid-size company is bad ROI. Reusing a known exploit against the long tail of unpatched targets costs nothing and works just as well.

A distinction is sometimes drawn between targeted attacks, where well-resourced adversaries do use zero-days, and commodity attacks, where they almost never do. Both are real, and the typical organisation is far more likely to be hit by the second.

The zero-day market

Zero-days are bought, sold, and stockpiled. The market has roughly three layers.

Legitimate brokers. Companies that buy vulnerabilities from researchers and sell to government customers. Zerodium is the best-known public example. Pricing is transparent: a full-chain iOS persistent exploit was advertised at $2.5 million. A zero-click WhatsApp RCE has gone for similar amounts. Android, browsers, and major enterprise software all have published price lists.

Government and contractor channels. The NSA, GCHQ, and equivalents in many countries develop or purchase zero-days for intelligence operations. Commercial spyware firms (NSO Group, Candiru, Intellexa) supply governments with surveillance toolkits built around zero-day chains. Pegasus is the most discussed example.

Underground markets. Less polished, lower prices, more variable quality. Mostly older or less reliable exploits, sometimes leaks of upstream broker stock, sometimes original research from criminals.

The pricing reflects the value. An iOS zero-click chain is expensive because it lets a state intelligence service compromise a target's phone with no user interaction. A vulnerability in a niche enterprise product is cheaper because the target population is smaller. The same vulnerability may pass through several layers of buyers before an exploit either gets used and burned or eventually becomes public.

When a zero-day is used at scale, it tends to burn fast. Detection improves, the vendor patches, and the exploit's value collapses within weeks.

Recent significant zero-days

A short tour of zero-days that mattered in the past few years:

Pegasus exploitation chains (ongoing). NSO Group's Pegasus has used a series of zero-day chains against iOS and Android since at least 2016. FORCEDENTRY (CVE-2021-30860) was a notable iMessage zero-click discovered in 2021. The chains keep evolving and Apple has shipped Lockdown Mode partly in response.

Operation Triangulation (2023). A multi-year campaign against iOS devices using a chain of four zero-days, disclosed by Kaspersky after they found their own executives had been targeted. The operation showcased extraordinary technical sophistication.

MOVEit Transfer, CVE-2023-34362. A SQL injection in Progress Software's MOVEit file transfer product. The Cl0p ransomware group exploited it as a zero-day starting in May 2023, hitting hundreds of organisations including major government bodies and Fortune 500 companies. The breach affected an estimated tens of millions of individuals.

Ivanti Connect Secure, 2024. Multiple zero-days (CVE-2023-46805, CVE-2024-21887, CVE-2024-21893) in Ivanti VPN appliances exploited by suspected nation-state actors. CISA issued an emergency directive ordering federal agencies to disconnect affected appliances.

ConnectWise ScreenConnect, CVE-2024-1709. An authentication bypass in remote management software, exploited within days of disclosure by ransomware affiliates. The flaw was simple (path traversal in setup) and the exploitation rate was extreme because the affected software is widely deployed by managed service providers, making each compromise potentially a stepping stone to many downstream targets.

The pattern is consistent. Zero-days in widely deployed enterprise software (file transfer, VPN, remote management, edge devices) are particularly damaging because attackers can hit hundreds or thousands of organisations from a single exploit.

CISA KEV: the most useful list defenders have

The CISA Known Exploited Vulnerabilities catalogue (KEV) is a list of CVEs that the U.S. Cybersecurity and Infrastructure Security Agency has confirmed are being actively exploited. Inclusion criteria are narrow:

  1. The vulnerability has a CVE assigned.
  2. There is reliable evidence of active exploitation in the wild.
  3. There is a clear remediation path (a patch, a workaround, a configuration change).

When a CVE lands on KEV, federal agencies are required to remediate within a deadline (typically two to three weeks). The list is updated continuously, often within days of new exploitation evidence.

For private sector defenders, KEV serves as a prioritisation signal that beats CVSS scores by a wide margin. A CVSS 9.8 that is not on KEV is theoretically critical but is not currently being attacked. A CVSS 7.2 that is on KEV is being exploited right now. The latter deserves more urgency than the former.

A handful of related signals augment KEV:

  • EPSS (Exploit Prediction Scoring System). Probability that a CVE will be exploited in the next 30 days. Useful complement to KEV for vulnerabilities not yet confirmed exploited.
  • Vendor advisories. Microsoft, Apple, Google, Cisco, and others increasingly flag exploitation status in their advisories.
  • Threat intel feeds. Commercial and open-source intel sources track exploitation by malware family or actor, sometimes faster than KEV.

The combination of KEV plus EPSS plus internal asset and exposure context outperforms any single score on its own.
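A worked example of that combination, added here and not part of the original article: a small prioritiser that ranks findings by KEV status first, then exposure and the KEV deadline, then EPSS, and only then CVSS. The tier thresholds, the `Finding` fields and the CVE identifiers are constructed assumptions, not CISA's or anyone's real data.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Finding:
    cve: str
    cvss: float
    in_kev: bool              # confirmed exploited per the CISA KEV catalogue
    epss: float               # probability of exploitation in the next 30 days, 0..1
    internet_exposed: bool    # reachable from where it would be attacked
    kev_due: Optional[date] = None   # KEV remediation deadline, if listed


def priority(f: Finding, today: date) -> Tuple[int, float, float]:
    """Sort key: lower sorts first. Tier 0/1 are KEV entries (exposed or
    past the KEV deadline first), tier 2 is high-EPSS, tier 3 is everything
    else. Within a tier, EPSS and then CVSS break ties. Thresholds assumed."""
    if f.in_kev:
        overdue = f.kev_due is not None and today > f.kev_due
        tier = 0 if (f.internet_exposed or overdue) else 1
    elif f.epss >= 0.5:
        tier = 2
    else:
        tier = 3
    return (tier, -f.epss, -f.cvss)


def label(f: Finding, today: date) -> str:
    """Map the tier to a P1..P4 ticket priority."""
    return "P%d" % (priority(f, today)[0] + 1)


def prioritise(findings: List[Finding], today: date) -> List[Finding]:
    return sorted(findings, key=lambda f: priority(f, today))


# Constructed sample findings; placeholder CVE ids, invented scores.
TODAY = date(2026, 4, 26)
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, False, 0.04, True),                     # critical on paper, not being attacked
    Finding("CVE-0000-0002", 7.2, True, 0.92, False, date(2026, 5, 10)),  # on KEV, internal only
    Finding("CVE-0000-0003", 6.5, True, 0.70, True, date(2026, 4, 1)),    # on KEV, exposed, deadline passed
    Finding("CVE-0000-0004", 8.1, False, 0.61, True),                     # not on KEV yet, EPSS says likely
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE, TODAY):
        print(label(f, TODAY), f.cve, "CVSS", f.cvss, "KEV" if f.in_kev else "")
```

The CVSS 9.8 finding lands last; the CVSS 7.2 KEV entry outranks it, which is the point the section makes.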

How attackers exploit zero-days

Zero-day operations have a different rhythm from N-day exploitation.

For targeted operations:

  1. Acquire or develop. Either buy from a broker, develop in-house, or repurpose a leak.
  2. Profile the target. Confirm the target runs the affected software and version. Map the surrounding environment.
  3. Deliver carefully. Zero-days are valuable, and the attacker does not want defenders to see them. Targeting is precise to avoid burning the exploit through unnecessary distribution.
  4. Achieve objectives quietly. Persistence, lateral movement, exfiltration. The longer the operation runs without detection, the more value the zero-day yielded.
  5. Hope it stays unknown. Once exploitation is detected, the clock starts. Sometimes detection itself prompts an emergency patch within days.

For mass exploitation (as with MOVEit or ScreenConnect):

  1. Identify a vulnerability in widely deployed software. Often shadow assets that organisations forgot were there.
  2. Develop a reliable exploit. Stable across many versions and configurations.
  3. Spray. Hit every vulnerable instance reachable on the internet, often within days.
  4. Cash out. Ransomware deployment, data exfiltration for extortion, or sale of access to other actors.

The window between disclosure and mass exploitation can be hours. Cisco, Fortinet, and Citrix appliance vulnerabilities have been weaponised within 24 hours of public disclosure several times in the past three years.

How to detect zero-day exploitation

Detection without prior knowledge is hard. Generic indicators:

  • Behavioural anomalies on internet-facing assets. A VPN appliance suddenly making outbound connections to unfamiliar destinations. A file transfer server running shell commands. A web server spawning processes it has never spawned before.
  • EDR detections of post-exploitation behaviour. Even if the initial access is a zero-day, the actions that follow (privilege escalation, lateral movement, persistence, defence evasion) often match known patterns.
  • Network anomalies. Outbound traffic to known C2 infrastructure, traffic to unusual countries, or unexpected protocols.
  • Threat intel matching. When a vendor or researcher publishes IOCs for a zero-day, hunting against historical logs can surface earlier compromise.
  • Honeypots and canary tokens. Detection mechanisms that give zero false positives can catch exploitation that legitimate tools miss.

Most successful zero-day detections come from the second-stage activity, not from catching the exploit itself.
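An added example (not from the original article) of the first bullet above, written from the defender's side: a per-role baseline of expected child processes and outbound destinations for internet-facing assets, checked against constructed process and network telemetry. The role names, hosts, addresses and baseline contents are all assumptions; a real baseline would be learned from weeks of telemetry.

```python
from typing import Dict, List, Tuple

# Constructed baseline: what each internet-facing role is expected to do.
# "children" maps a parent process to the child processes it may spawn;
# "dests" lists outbound host:port pairs seen in normal operation.
BASELINE: Dict[str, dict] = {
    "vpn-appliance": {"children": {"openvpn": set()}, "dests": {"10.0.0.5:1812", "10.0.0.9:53"}},
    "web-server":    {"children": {"httpd": {"php-fpm"}}, "dests": {"10.0.1.20:3306"}},
    "mft-server":    {"children": {"mft.exe": set()}, "dests": {"10.0.2.2:1433"}},
}

# Constructed telemetry: (host, role, event kind, detail).
# "proc" detail is (parent, child); "net" detail is an outbound host:port.
EVENTS = [
    ("web01", "web-server", "proc", ("httpd", "php-fpm")),
    ("web01", "web-server", "proc", ("httpd", "/bin/sh")),      # web server spawning a shell
    ("vpn01", "vpn-appliance", "net", "10.0.0.5:1812"),
    ("vpn01", "vpn-appliance", "net", "198.51.100.7:443"),      # VPN box calling an unfamiliar destination
    ("mft01", "mft-server", "proc", ("mft.exe", "cmd.exe")),    # file transfer server running commands
    ("mft01", "mft-server", "net", "10.0.2.2:1433"),
]


def find_anomalies(baseline: Dict[str, dict], events: list) -> List[Tuple[str, str]]:
    """Return (host, reason) for every event outside the role's baseline.
    A parent process with no baseline entry is treated as never allowed
    to spawn anything, so a brand-new parent is flagged too."""
    hits = []
    for host, role, kind, detail in events:
        profile = baseline.get(role)
        if profile is None:
            hits.append((host, f"unknown role {role}"))
        elif kind == "proc":
            parent, child = detail
            if child not in profile["children"].get(parent, set()):
                hits.append((host, f"{parent} spawned {child}"))
        elif kind == "net" and detail not in profile["dests"]:
            hits.append((host, f"outbound to {detail}"))
    return hits


def hosts_to_triage(hits: List[Tuple[str, str]]) -> List[str]:
    """Distinct hosts with at least one anomaly, for the hunt queue."""
    return sorted({host for host, _ in hits})


if __name__ == "__main__":
    for host, reason in find_anomalies(BASELINE, EVENTS):
        print(host, reason)
```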

How to remediate

When a zero-day relevant to your environment is disclosed:

  1. Confirm exposure. Asset inventory plus discovery should already tell you whether the affected product is in your environment, and whether it is reachable from where it would be exploited.
  2. Apply mitigations immediately. Vendor workarounds, network restrictions, taking the service offline if it is non-critical. Mitigations that buy time before patching are often as important as the patch.
  3. Patch when available. Speed matters. The window between disclosure and weaponised exploitation keeps shrinking.
  4. Hunt for compromise. Even if you patch quickly, you may already be compromised. Run targeted threat hunts against the specific IOCs and TTPs reported.
  5. Increase monitoring on adjacent systems. If the affected product is breached, attackers often pivot. Watch for unusual activity from systems that the affected product trusted.
  6. Communicate. Internal stakeholders need to know. External stakeholders (customers, regulators, partners) may need to know depending on impact and obligations.

For zero-days listed on KEV with confirmed exploitation, the priority is unambiguous: patch now, hunt yesterday.

Best practices

  • Maintain accurate asset inventory. You cannot remediate what you cannot find. Discovery is the foundation.
  • Subscribe to KEV updates. Treat new KEV entries as potential P1 incidents until confirmed otherwise.
  • Track edge devices closely. VPN, firewall, file transfer, remote management. These are the targets that yield the highest-impact zero-days.
  • Reduce internet exposure of management interfaces. Most edge device zero-days require reachability. VPN-gating admin interfaces eliminates most of the risk.
  • Patch quickly for known issues. Zero-days are rare. The common path to compromise is through unpatched N-days. Patching cadence beats almost any other control.
  • Defence in depth. EDR, network segmentation, least privilege. When an initial access works, these are what limit blast radius.
  • Practise the response. Tabletop a "MOVEit-style mass-exploitation event happens to vendor X you depend on." The first time you do this should not be during a real incident.

The 99% problem

A clarifying thought experiment for any security team:

If you patched every CVE on the KEV list within 48 hours of being added, you would prevent the overwhelming majority of breaches that actually happen to organisations like yours. Not because zero-days do not exist. Because most attackers, including ransomware groups, use known vulnerabilities you had time to patch.

The headline-grabbing zero-day matters. Targeted threats, regulated industries, and high-value targets cannot ignore it. But the boring middle of vulnerability management (knowing what you own, knowing what is on KEV, patching quickly) does more for risk reduction than any tooling investment aimed at the unknown unknown.

That is the unglamorous truth most exposure management programmes are built around in 2026.

ScruteX maps your external attack surface to KEV-listed CVEs, so when a known-exploited vulnerability matches your stack, you find out immediately.
