Zero-day vulnerability

Many vulnerabilities are discovered by hackers or security researchers, who may disclose them to the vendor (often in exchange for a bug bounty) or sell them to states or criminal groups.

An exploit is the delivery mechanism that takes advantage of the vulnerability to penetrate the target's systems, for such purposes as disrupting operations, installing malware, or exfiltrating data.

Researchers Lillian Ablon and Andy Bogart write that "little is known about the true extent, use, benefit, and harm of zero-day exploits".

Many organizations have adopted defense-in-depth tactics so that attacks are likely to require breaching multiple levels of security, which makes a successful attack more difficult to achieve.

Since writing perfectly secure software is impossible, some researchers argue that driving up the cost of exploits is a good strategy to reduce the burden of cyberattacks.

Despite calls for more regulation, law professor Mailyn Fidler says there is little chance of an international agreement because key players such as Russia and Israel are not interested.

In 2007, former NSA employee Charlie Miller publicly revealed for the first time that the United States government was buying zero-day exploits.

One of the most infamous vulnerabilities discovered after 2013, Heartbleed (CVE-2014-0160), was not a zero-day when publicly disclosed but underscored the critical impact that software bugs can have on global cybersecurity.

This flaw in the OpenSSL cryptographic library could have been exploited as a zero-day prior to its discovery, allowing attackers to steal sensitive information such as private keys and passwords.

In 2016 the hacking group known as Shadow Brokers released a trove of sophisticated zero-day exploits reportedly stolen from the United States National Security Agency (NSA).

These included tools such as EternalBlue, which leveraged a vulnerability in Microsoft Windows' Server Message Block (SMB) protocol.

EternalBlue was later weaponized in high-profile attacks like WannaCry and NotPetya, causing widespread global damage and highlighting the risks of stockpiling vulnerabilities.

In 2021 the Chinese state-sponsored group Hafnium exploited zero-day vulnerabilities in Microsoft Exchange Server to conduct cyber espionage.

Known as ProxyLogon, these flaws allowed attackers to bypass authentication and execute arbitrary code, compromising thousands of systems globally.

In 2022 the spyware Pegasus, developed by Israel's NSO Group, was found to exploit zero-click vulnerabilities in messaging apps like iMessage and WhatsApp.

These exploits allowed attackers to access targets' devices without requiring user interaction, heightening concerns over surveillance and privacy.

Figure: Vulnerability timeline
Figure: Comparing the average prices of different kinds of exploits, 2015–2022