Glossary Term

Zero-day attacks

The Sony Pictures hack, MOVEit breach, and Stuxnet attack are all examples of zero-day attacks.

By IT Brew Staff


Definition:

Most likely encountered in the rising action of a hacker heist film, the term "zero-day attack" refers to a cyberattack that targets a vulnerable or broken element of computer software or hardware. Three related terms are usually grouped under "zero-day": the vulnerability, the exploit, and the attack.

Feeling vulnerable

A zero-day vulnerability is a security flaw in software or hardware that an attacker discovers before the vendor has identified it and issued a patch. Such flaws are called "zero day" because vendors and developers have had zero days to prepare for and address the flaw before hackers are able to exploit it.

A zero-day exploit is the code or technique used to take advantage of a zero-day vulnerability. Google Threat Intelligence Group tracked 75 vulnerabilities exploited as zero-days in 2024, a 19% increase from 2022.

Sneak attack

A zero-day attack is the actual cyberattack that uses a zero-day exploit against a zero-day vulnerability. Notable examples from past years include the Stuxnet attack in 2010, the Sony Pictures Entertainment attack in 2014, and the MOVEit breach in 2023, the last of which impacted more than 60 million people.

Cybersecurity researchers recommend that organizations protect themselves from zero-day attacks by limiting their attack surface, through measures such as removing unnecessary software and system accounts.
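Attack-surface reduction starts with an inventory of what a host actually exposes. The script below is an added illustration, not part of the IT Brew glossary: it checks a constructed /etc/passwd excerpt and a constructed installed-package list against an approved baseline and reports accounts that can log in interactively, and packages, that are not on the baseline, so each can be reviewed for removal. The shell set, the sample file contents, the package names and the baseline sets are all assumptions made for the example.

```python
"""Audit a host's attack surface against an approved baseline.

Flags (1) accounts with an interactive login shell that are not on the
approved list and (2) installed packages that are not on the approved list.
Both are candidates for removal, in line with the advice to remove
unnecessary software and system accounts.  All inputs below are constructed
sample data for the example, not taken from a real host.
"""

# Shells that give a user an interactive login; anything else (nologin,
# /bin/false) is treated as a non-interactive service account.
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash", "/usr/bin/zsh"}

# Constructed /etc/passwd excerpt (sample data).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
oldbuild:x:1001:1001:legacy CI user:/home/oldbuild:/bin/bash
ftp:x:115:120:ftp daemon:/srv/ftp:/bin/sh
"""

# Constructed installed-package list (assumed names, as a package manager query might return).
SAMPLE_PACKAGES = ["openssh-server", "nginx", "telnetd", "vsftpd", "curl"]

# Assumed baselines: what this host is supposed to have.
APPROVED_ACCOUNTS = {"root", "alice"}
APPROVED_PACKAGES = {"openssh-server", "nginx", "curl"}


def parse_passwd(text):
    """Parse passwd-format lines into dicts; skips blank, comment and malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip it rather than abort the whole audit
        name, _pw, uid, _gid, _gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "home": home, "shell": shell})
    return entries


def interactive_accounts(entries, approved):
    """Names of accounts with an interactive shell that are not in the approved set."""
    return [e["name"] for e in entries
            if e["shell"] in INTERACTIVE_SHELLS and e["name"] not in approved]


def unapproved_packages(installed, approved):
    """Installed packages that are not in the approved set, in list order."""
    return [p for p in installed if p not in approved]


def audit(passwd_text, installed, approved_accounts, approved_packages):
    """Run both checks and return the findings for review."""
    entries = parse_passwd(passwd_text)
    return {
        "review_accounts": interactive_accounts(entries, approved_accounts),
        "review_packages": unapproved_packages(installed, approved_packages),
    }


if __name__ == "__main__":
    findings = audit(SAMPLE_PASSWD, SAMPLE_PACKAGES, APPROVED_ACCOUNTS, APPROVED_PACKAGES)
    for key, items in findings.items():
        print(f"{key}: {', '.join(items) if items else 'none'}")
```

On a real host the same functions would be fed the contents of /etc/passwd and the package manager's installed list (for example `dpkg-query -W -f='${Package}\n'` on Debian-based systems); the findings are a review list, not an automatic removal, since a service account or package that looks unnecessary may still be in use.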

Market mover

The market for zero-day exploits is a lucrative one for cybercriminals looking to sell them and bug bounty hunters looking to discover them on behalf of companies. In 2024, Crowdfense, a research hub for zero-day exploits, said it would pay between $5 million and $7 million for iPhone zero-days.

Government agencies may choose to buy and stockpile zero-days for espionage and offensive cyber operations. The practice is controversial, however, because it delays remediation of the vulnerabilities and so potentially puts people at risk.

Government-backed groups and commercial surveillance vendors accounted for 50% of the attributed vulnerabilities.