Zero-day exploits are one of the most serious cybersecurity threats facing organisations today. These attacks use unknown vulnerabilities to breach systems before developers can release protective patches, giving attackers a critical window of opportunity.
Understanding what zero-day exploits are and how to defend against them is essential for any organisation serious about cybersecurity.
What is a zero-day exploit?
A zero-day exploit is a cyberattack that takes advantage of a previously unknown security vulnerability in software, hardware, or firmware. The term “zero-day” refers to the fact that developers have had zero days to fix the vulnerability before attackers exploit it.
Here’s how the timeline works:
- Day zero: A vulnerability exists in software, but no one knows about it yet
- Discovery: Either attackers or security researchers discover the flaw
- Exploitation: If attackers find it first, they develop an exploit and begin attacking systems
- Public disclosure: The vulnerability becomes known to vendors and the public
- Patch development: Software vendors create and test a fix
- Patch release: The update becomes available to users
The danger period is between exploitation and patch deployment – during this window, systems remain vulnerable with no official protection available.
Zero-day vulnerability vs zero-day exploit vs zero-day attack
These terms are often used interchangeably, but they mean different things:
- Zero-day vulnerability: The undiscovered security flaw itself – a weakness in software that hasn’t been identified or patched
- Zero-day exploit: The method or code that attackers use to take advantage of the vulnerability
- Zero-day attack: The actual malicious activity carried out using the zero-day exploit to compromise systems, steal data, or cause damage
How do attackers discover zero-day exploits?
Understanding how zero-days are found helps explain why they’re so prevalent.
- Fuzzing and automated testing: Attackers use automated tools to test software with unexpected inputs, searching for crashes or unexpected behaviour that might indicate vulnerabilities
- Code analysis: Reverse engineering software or analysing leaked source code to identify potential security flaws
- Bug bounty programmes: While ethical researchers report findings through official channels, the same techniques could be used maliciously
- Insider knowledge: Sometimes attackers have inside information about software architecture or development practices
- Supply chain access: Compromising development tools or processes to introduce vulnerabilities intentionally
Why zero-day exploits are so dangerous
Zero-day exploits pose unique challenges that make them particularly threatening:
No existing defences
Traditional antivirus and security software rely on signature-based detection – they recognise threats based on known patterns. Zero-day exploits, by definition, have no known signatures, allowing them to bypass conventional defences.
Immediate risks to all users
When a zero-day vulnerability exists in widely used software (like Windows, Chrome, or popular business applications), millions of users become simultaneously vulnerable. Attackers can achieve massive scale quickly.
High-value targets
Zero-day exploits are expensive and difficult to develop. They’re often sold on underground markets for hundreds of thousands or even millions of pounds, or reserved for high-value targets:
- Government agencies and critical infrastructure
- Large enterprises with valuable intellectual property
- Financial institutions
- Healthcare organisations with sensitive patient data
Extended exposure windows
Even after vendors release patches, many organisations take weeks or months to deploy them. This extended vulnerability window gives attackers ample opportunity for exploitation.
Real-world zero-day exploit examples
These examples show how zero-day exploits affect all software vendors and that attackers actively exploit these vulnerabilities at scale.
Log4Shell
Log4Shell was a zero-day vulnerability in the widely used Log4j logging library that affected hundreds of millions of devices in December 2021. Attackers could execute arbitrary code on vulnerable servers, leading to widespread compromise attempts across industries.
Microsoft Exchange Server
In March 2021, a series of zero-day vulnerabilities in Microsoft Exchange Server allowed attackers to access email accounts and install additional malware. Tens of thousands of organisations globally were compromised before patches became available.
Google Chrome
Google patched multiple zero-day vulnerabilities in Chrome throughout 2025, several of which were actively exploited. These flaws allowed attackers to execute malicious code through specially crafted web pages.
Apple
Earlier this year, Apple released an emergency update for a zero-day vulnerability that allowed attackers to gain device control, demonstrating that even the most security-conscious vendors face zero-day threats.
How can you protect against zero-day exploits?
The main challenge with zero-day exploits is that you can’t patch a vulnerability you don’t know exists. However, this doesn’t mean you’re defenceless. Effective zero-day protection relies on layered security strategies that don’t depend on knowing about specific threats.
Conduct regular penetration testing
Penetration testing simulates real-world attacks, including techniques that might be used in zero-day exploits. While testers can’t find unknown vulnerabilities in third-party software, they can:
- Identify configuration weaknesses that would allow zero-day exploits to spread
- Test whether your detection and response capabilities work against unknown threats
- Validate that your defence-in-depth strategy actually provides layered protection
- Reveal gaps in patch management that leave known vulnerabilities unaddressed
Regular testing ensures your defences work as intended when facing sophisticated attacks.
Implement defence-in-depth security
Don’t rely on a single security control. Multiple layers ensure that if one defence fails, others remain:
- Network segmentation: Isolate critical systems so that breaching one segment doesn’t compromise your entire infrastructure
- Principle of least privilege: Limit user and application permissions to the minimum necessary. Even if attackers exploit a vulnerability, restricted access limits potential damage
- Application whitelisting: Only allow approved applications to run, preventing unknown malicious code execution
- Endpoint protection: Modern endpoint detection and response (EDR) tools use behavioural analysis to identify suspicious activity rather than just known malware signatures
Keep all software updated
While you can’t patch unknown vulnerabilities, keeping software current ensures you’re protected against all known threats:
- Enable automatic updates wherever possible
- Prioritise critical security patches
- Maintain an inventory of all software to ensure nothing is overlooked
- Don’t delay patches – the window between release and widespread exploitation is often measured in hours
The faster you patch known vulnerabilities, the smaller your overall attack surface for both known and unknown threats.
Deploy advanced threat detection
Behavioural analysis and machine learning-based security tools can identify zero-day exploits by detecting anomalous activity:
- Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS): Monitor network traffic for suspicious patterns; an IPS can also block potential exploits even without specific signatures
- Security Information and Event Management (SIEM): Aggregates security data across your environment, using analytics to identify unusual activity that might indicate zero-day exploitation
- Endpoint Detection and Response (EDR): Monitors endpoint behaviour continuously, flagging activities that deviate from normal patterns
These tools won’t catch every zero-day exploit, but they significantly improve your chances of detecting and responding to attacks quickly.
Limit your attack surface
Reduce the opportunities for zero-day exploitation:
- Disable unnecessary services and features
- Uninstall software you don’t actively use
- Close unused ports and protocols
- Implement strict firewall rules
- Restrict internet access to only what’s necessary
Every piece of software represents potential vulnerabilities. The less you run, the smaller your exposure.
Use virtual patching
When patches aren’t yet available, virtual patching provides temporary protection:
- Web Application Firewalls (WAF): Can block exploit attempts targeting web applications, buying time until official patches are available
- Network-based protection: IPS devices can implement rules to block specific exploit patterns once a zero-day becomes known, but before patches are deployed
- Application isolation: Technologies like sandboxing and containerisation limit what exploited applications can access
Virtual patching is a stopgap, not a permanent solution, but it’s valuable during the critical exposure window.
Monitor threat intelligence
Stay informed about emerging threats and vulnerabilities:
- Subscribe to vendor security bulletins
- Monitor sources like the NCSC Early Warning Service
- Follow security researchers and organisations
- Use threat intelligence platforms if appropriate for your organisation
Early awareness of disclosed zero-days, even before patches are available, allows you to implement compensating controls and prioritise response.
Implement network traffic analysis
Monitor network traffic for indicators of compromise:
- Unusual outbound connections might indicate data exfiltration
- Abnormal traffic patterns could signal malware communication
- Unexpected protocols or ports may reveal exploitation attempts
Traffic analysis can detect zero-day exploitation based on behaviour rather than specific threat signatures.
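The three indicators above can be checked against a baseline of normal behaviour rather than a signature list. The following is an added example (not OnSecurity's code or a product feature): it parses constructed connection-log lines, compares each host's outbound peers, destination ports and total bytes sent against an assumed baseline, and reports deviations.

```python
from collections import defaultdict

# Constructed baseline (assumed values, not real data): the (dest_ip, port)
# peers each host normally talks to, its typical daily outbound bytes, and
# the destination ports that policy expects to see.
BASELINE_PEERS = {
    "ws-17": {("10.0.0.5", 445), ("10.0.0.9", 443), ("203.0.113.10", 443)},
}
BASELINE_BYTES_OUT = {"ws-17": 50_000_000}   # roughly 50 MB per day
ALLOWED_PORTS = {53, 80, 443, 445}

# Constructed connection-log lines: host,dest_ip,dest_port,proto,bytes_out
SAMPLE_LOG = """\
ws-17,10.0.0.5,445,tcp,120000
ws-17,203.0.113.10,443,tcp,800000
ws-17,198.51.100.77,5555,tcp,900000000
ws-17,198.51.100.77,53,udp,30000000
"""


def parse_log(text):
    """Turn the CSV-style log into a list of dicts with typed fields."""
    rows = []
    for line in text.strip().splitlines():
        host, ip, port, proto, nbytes = line.split(",")
        rows.append({"host": host, "ip": ip, "port": int(port),
                     "proto": proto, "bytes": int(nbytes)})
    return rows


def find_anomalies(rows, baseline_peers, baseline_bytes, allowed_ports,
                   spike_factor=5):
    """Return (host, reason, detail) findings for the three indicators:
    unusual outbound peers, unexpected ports, abnormal outbound volume."""
    findings = []
    bytes_per_host = defaultdict(int)
    for r in rows:
        peer = (r["ip"], r["port"])
        if peer not in baseline_peers.get(r["host"], set()):
            findings.append((r["host"], "unusual outbound connection",
                             f"{r['ip']}:{r['port']}"))
        if r["port"] not in allowed_ports:
            findings.append((r["host"], "unexpected port",
                             f"{r['proto']}/{r['port']}"))
        bytes_per_host[r["host"]] += r["bytes"]
    # Volume check is per host over the whole window, not per connection.
    for host, total in bytes_per_host.items():
        if total > spike_factor * baseline_bytes.get(host, 0):
            findings.append((host, "abnormal outbound volume", f"{total} bytes"))
    return findings
```

Baselines built from the organisation's own traffic are what make this useful; the spike factor and allowed-port set here are assumptions to be tuned per environment.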
Establish incident response procedures
You can’t prevent all zero-day attacks, but you can minimise their impact through rapid response:
- Define clear incident response procedures
- Establish communication protocols
- Practice response through tabletop exercises
- Ensure your team can quickly isolate affected systems
- Maintain offline backups that can’t be encrypted by ransomware
Organisations with tested incident response plans contain zero-day breaches faster and with less damage.
Zero-day exploit protection for different organisation sizes
Large enterprises typically have dedicated security teams and can implement comprehensive zero-day protection strategies, including advanced threat detection, 24/7 monitoring, and dedicated threat intelligence.
Small and medium businesses often lack these resources, but aren’t immune to zero-day threats. Cost-effective approaches include:
- Managed security services providing 24/7 monitoring and threat detection
- Cloud-based security solutions with built-in threat intelligence
- Automated patch management to minimise exposure windows
- Outsourced penetration testing to validate defences
- Cyber insurance to mitigate financial impact
You don’t need an enterprise budget to implement effective zero-day protection – you need the right combination of tools, processes, and expertise.
The reality of zero-day exploits
Zero-day exploits often dominate headlines, but businesses should keep a few things in mind:
- Most attacks exploit known vulnerabilities: The majority of successful breaches leverage vulnerabilities that have been patched for months or years. Basic security hygiene prevents most attacks
- Zero-day exploits are expensive: Developing and deploying zero-day exploits requires significant resources. Most organisations won’t be targeted by sophisticated zero-day attacks
- Defence-in-depth works: Organisations with layered security controls significantly reduce zero-day impact even when exploitation occurs
The goal isn’t to achieve perfect protection against every possible zero-day exploit – that’s impossible. The goal is to make exploiting your organisation difficult and expensive enough that attackers move to easier targets, while having the detection and response capabilities to minimise damage if breaches occur.
OnSecurity’s penetration testing services validate your security controls and identify vulnerabilities before attackers exploit them. Our testing simulates real-world attack techniques, ensuring your defences work when it matters. Get an instant quote to enhance your security posture today.
Frequently Asked Questions
How common are zero-day exploits?
Zero-day exploits are relatively rare compared to attacks using known vulnerabilities. However, hundreds are discovered annually, with some actively exploited before patches become available.
Can antivirus software detect zero-day exploits?
Traditional signature-based antivirus software cannot detect zero-day exploits. However, modern endpoint protection using behavioural analysis and machine learning can sometimes identify zero-day attacks based on suspicious activity patterns.
Are zero-day exploits illegal?
Discovering vulnerabilities isn’t illegal, but exploiting them maliciously is. Many countries have laws against unauthorised computer access and damage. Nonetheless, zero-day exploits are bought and sold on underground markets.
Should I worry about zero-day exploits as a small business?
While targeted zero-day attacks typically focus on high-value targets, widespread zero-day vulnerabilities (like Log4Shell) affect organisations of all sizes. Basic security practices provide significant protection regardless of organisation size.