What is a Zero-Day Vulnerability? Definition & Risks

An unpatched flaw that the vendor doesn't know about yet, which is why traditional defenses can miss it long before any fix exists.

Last Updated date: January 2026

A zero-day vulnerability is a security flaw in software, hardware, or firmware that's unknown to the vendor, which means no patch exists at the time attackers begin exploiting it. The name reflects the reality: developers have had zero days to respond. Because no official fix is available, even fully updated systems can be compromised.


Quick Summary

Field        | Detail
Category     | Threat Intelligence / Vulnerability Management
Related to   | Zero-day exploit, patch management, CVE, threat detection
Primary use  | Describes unpatched flaws actively exploitable before vendor awareness
Key risk     | Traditional signature-based defenses cannot detect what is unknown

Why Zero-Day Vulnerabilities Are a High-Priority Threat

Zero-day vulnerabilities represent the riskiest category of security flaw because the window between discovery and exploitation can stretch from days to months to even years, with defenders having no awareness during that entire period.

For organizations operating under compliance frameworks like SOC 2, HIPAA, and ISO 27001, a zero-day attack can trigger a reportable breach event with no prior indication of risk. Unlike known CVEs that patch management programs address, zero-days bypass those controls entirely.

This makes them especially dangerous for industries that handle sensitive identity data, such as financial services, healthcare, and critical infrastructure, where a single compromise can cascade across interconnected systems.


How a Zero-Day Attack Unfolds

Zero-day attacks follow a predictable progression once a flaw is discovered:

  • Discovery:
    An attacker (or researcher) finds an unknown flaw in software, firmware, or hardware.
  • Weaponization:
    A zero-day exploit is built: code or a technique specifically designed to trigger the vulnerability.
  • Deployment:
    The exploit is used in a targeted attack, often delivered via phishing, malicious documents, or supply chain compromise.
  • Dwell time:
    The attacker operates undetected. Average dwell time before detection can exceed 200 days.
  • Disclosure:
    The vendor learns of the flaw (via internal discovery, a security researcher, or post-breach forensics) and begins developing a patch.
  • Patching:
    A fix is released. Once patched and publicly disclosed, the flaw is no longer a "zero-day."

The most dangerous phase spans deployment, dwell time, and disclosure (steps 3 to 5): attackers have active access, and no defender is yet aware of the entry point.


The Three Forms Zero-Days Take

Zero-day vulnerabilities appear across three layers of the technology stack:

Software vulnerabilities are the most common, including bugs in operating systems, browsers, productivity suites, or enterprise applications (for example, the 2021 Chrome V8 JavaScript engine flaw that allowed remote code execution).

Firmware vulnerabilities affect device-level code in routers, IoT devices, and hardware controllers. These are harder to patch because firmware updates require physical or out-of-band processes, and many devices run unmanaged in corporate environments.

Hardware vulnerabilities affect chip-level architecture. Examples include the Spectre and Meltdown class of flaws, which required microcode patches and, in some cases, hardware replacement on a timeline measured in months, not days.


The Identity Security Connection

Zero-day vulnerabilities become significantly more damaging when attackers gain access to privileged identities. A single exploited endpoint is a foothold. But access to an admin account or service credential turns that foothold into a full breach.

Identity governance and access management controls directly limit blast radius:

  • Least privilege enforcement
    makes sure that even a compromised account has minimal access.
  • Access certification campaigns
    surface over-provisioned accounts before attackers can abuse them.
  • Non-human identity (NHI) controls
    govern service accounts and API tokens, which are frequently targeted in zero-day attacks because they're often over-privileged and rarely audited.
  • Behavioral anomaly detection
    in IAM platforms can flag unusual access patterns even when the entry vector (the zero-day exploit itself) is invisible to signature-based tools.

No identity governance platform prevents a zero-day from existing. But a mature IGA program makes sure that when one is exploited, attackers run into least-privilege guardrails at every subsequent step.


Key Benefits of Pairing IGA with Zero-Day Defense

  • Reduced blast radius:
    Least-privilege access limits what a compromised account can reach.
  • Faster containment:
    Real-time access visibility enables rapid account suspension when anomalies are detected.
  • Audit-ready posture:
    Access logs and certification records satisfy breach notification requirements even when the initial vector was unknown.
  • Service account governance:
    Closes a common zero-day escalation path: over-privileged non-human identities.
  • Privileged access controls:
    PAM integrations add session monitoring and just-in-time access on top of IGA policies.

Want to see how identity governance reduces zero-day exposure?

See how Tech Prescient's Identity Confluence platform enforces least privilege and surfaces over-provisioned accounts before attackers can exploit them.


Zero-Day Exposure by Industry

Financial Services
Banks and trading platforms are high-value targets for state-sponsored zero-day campaigns. Regulators like the OCC and FFIEC expect documented access controls and rapid incident response. IGA platforms that automate access review cycles are a core control in this context.

Healthcare
Electronic health record (EHR) systems and connected medical devices present a large, heterogeneous attack surface. Zero-days in medical device firmware are particularly difficult to patch quickly because of FDA approval requirements. Least-privilege identity governance limits the damage when a device is compromised.

Manufacturing & Critical Infrastructure
Operational technology (OT) environments run legacy systems that may never receive patches. The Stuxnet worm, one of the most cited zero-day attacks in history, targeted industrial control systems precisely because they operated in assumed-isolated environments with no identity controls.


Zero-Day vs. Known Vulnerability: What's the Difference?

Micro-summary: A zero-day is unknown to the vendor; a known vulnerability has a published CVE and (usually) an available patch.

Factor                       | Zero-Day Vulnerability                 | Known Vulnerability (CVE)
Vendor awareness             | None                                   | Publicly disclosed
Patch available              | No                                     | Usually yes
Detection by signature tools | Unlikely                               | Possible
Exploitability timeline      | Immediate (if discovered by attacker)  | Narrows as patch adoption lags
Identity risk                | Extreme — no detection signal          | Managed — patch deployment is measurable

The gap between patch release and patch deployment is where known vulnerabilities behave like temporary zero-days. Organizations with poor patch management can remain exposed for months after a CVE is published.


Reducing Zero-Day Risk: A Practical Approach

No single control eliminates zero-day risk. Effective mitigation is layered:

  • Enforce least privilege across all identities, including human, service, and machine accounts.
  • Run continuous access certification to remove dormant accounts and excessive permissions before attackers can abuse them.
  • Deploy behavior-based detection: tools that detect anomalous access patterns, not just known-bad signatures.
  • Segment networks and identity scopes to limit lateral movement if an endpoint is compromised.
  • Govern non-human identities. Service accounts and API keys are a common zero-day escalation path, so audit them regularly.
  • Apply patches rapidly. Once a zero-day is disclosed and patched, delay creates unnecessary exposure.
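The behavior-based detection and non-human identity items above (and the behavioral anomaly detection bullet in the identity section) describe a compensating control that watches access patterns rather than the exploit itself. The following is an added illustration, not code from this page or from Tech Prescient's platform: it learns each identity's normal source hosts and resources from a baseline window and flags later events that deviate, holding service accounts to the extra rule that they never log on interactively. The key=value log format, identity names, hosts and resources are all constructed for the example.

```python
# Added example (not Tech Prescient code); log format and sample lines are constructed.
from collections import defaultdict

# Constructed "normal" window used to learn each identity's baseline behaviour.
BASELINE_LOG = """\
2026-01-05T08:02:11Z identity=alice kind=human src=ws-alice resource=crm logon=interactive
2026-01-05T02:00:00Z identity=svc-backup kind=service src=bk-01 resource=file-share logon=network
2026-01-06T02:00:00Z identity=svc-backup kind=service src=bk-01 resource=file-share logon=network
"""

# Constructed later window: the exploit never appears in the log, only the access that follows it.
NEW_LOG = """\
2026-01-12T08:05:44Z identity=alice kind=human src=ws-alice resource=crm logon=interactive
2026-01-12T03:14:07Z identity=svc-backup kind=service src=ws-alice resource=file-share logon=interactive
2026-01-12T03:16:22Z identity=svc-backup kind=service src=ws-alice resource=domain-admin-console logon=network
"""

def parse(log):
    """Turn one key=value line per event into a dict; the timestamp is the first token."""
    events = []
    for line in log.splitlines():
        ts, *fields = line.split()
        ev = {"ts": ts}
        ev.update(f.split("=", 1) for f in fields)
        events.append(ev)
    return events

def build_baseline(events):
    """Per identity: the set of source hosts and resources seen in the training window."""
    profile = defaultdict(lambda: {"src": set(), "resource": set()})
    for ev in events:
        for key in ("src", "resource"):
            profile[ev["identity"]][key].add(ev[key])
    return profile

def reasons_for(ev, profile):
    """Why this event deviates from its identity's baseline (empty list = normal)."""
    p = profile.get(ev["identity"])
    if p is None:
        return ["identity never seen in baseline"]
    reasons = [f"new {k}: {ev[k]}" for k in ("src", "resource") if ev[k] not in p[k]]
    # A non-human identity logging on interactively is a strong post-compromise signal.
    if ev["kind"] == "service" and ev["logon"] == "interactive":
        reasons.append("interactive logon by service account")
    return reasons

def detect(new_log, baseline_log=BASELINE_LOG):
    """Return (timestamp, identity, reasons) for every anomalous event, in log order."""
    profile = build_baseline(parse(baseline_log))
    return [(ev["ts"], ev["identity"], r) for ev in parse(new_log) if (r := reasons_for(ev, profile))]
```

On the constructed input, the two svc-backup events are flagged (new source host, interactive logon, then a never-before-seen admin resource) while alice's routine access passes, which is the containment signal the text describes even though the entry vector is invisible.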

Common Challenges

Detection gap:
Because zero-day exploits are unknown, endpoint detection tools relying on signatures can't identify them until post-disclosure. Behavioral analytics and identity anomaly detection are the primary compensating controls.

Patch lag:
Even after a patch is released, enterprise patch cycles can stretch weeks. Large organizations with complex environments are exposed during this window, sometimes for longer than the zero-day exploitation period itself.

Supply chain complexity:
Many zero-day attacks target third-party software embedded in enterprise systems. Vendors may not disclose flaws promptly, which leaves customers unaware of exposure.

Frequently Asked Questions

A vulnerability is a zero-day when the vendor has no knowledge of it and therefore no patch exists. Once the vendor is notified and releases a fix, the flaw is no longer technically a zero-day, though unpatched systems remain at risk.

Traditional signature-based antivirus can't detect zero-day exploits because no signature exists for an unknown attack. Modern endpoint detection and response (EDR) tools use behavioral analysis to identify suspicious activity patterns, which can sometimes catch zero-day exploitation in progress.

Attackers discover them through their own research, purchase them on exploit brokers or dark web markets, or acquire them through state-sponsored hacking programs. Some zero-days sell for millions of dollars because of their rarity and effectiveness.

An identity governance platform doesn't prevent the exploit itself, but it limits what attackers can do after entry. Least-privilege policies, access certifications, and privileged access controls make sure that a compromised endpoint doesn't translate into unrestricted access across the organization.

A zero-day vulnerability is the underlying flaw. A zero-day exploit is the specific code or technique an attacker builds to weaponize that flaw. A vulnerability can exist without an exploit. Once an exploit is created, the risk escalates significantly.

Some zero-days are exploited for months or years before discovery. Google Project Zero research has found that the median time between a zero-day being introduced and being discovered can exceed 1,000 days.

Still have questions about reducing identity exposure from zero-day attacks?

Talk to an identity security expert — Tech Prescient's team can walk you through how Identity Confluence maps access risk to threat scenarios like zero-day exploitation.