Zero-Day Attack Explained
A zero-day attack is a cyberattack that exploits a previously unknown vulnerability in hardware, firmware, or software before the vendor has released a patch. NIST defines a zero-day attack as "an attack that exploits a previously unknown hardware, firmware, or software vulnerability." The name reflects the core problem: developers have had zero days to fix the flaw when the attack occurs, leaving every system running the affected software exposed.
Zero-Day Vulnerability vs. Zero-Day Exploit vs. Zero-Day Attack
The term "zero-day" is often used loosely, but it encompasses three distinct concepts:
- Zero-day vulnerability. The unknown flaw itself, whether a buffer overflow, logic error, misconfigured access control, or other defect in software, firmware, or hardware. The vulnerability exists before anyone discovers it, but it becomes a zero-day in security terminology when someone (researcher or attacker) identifies it before the vendor does.
- Zero-day exploit. The code, technique, or sequence of inputs an attacker develops to take advantage of the vulnerability. Exploits may be sold on underground markets or through legitimate vulnerability brokers. Once the vendor issues a patch, the exploit is no longer classified as a zero-day exploit.
- Zero-day attack. The real-world deployment of the exploit against a target. This is where organizational damage occurs: data exfiltration, ransomware deployment, lateral movement, or persistent access. A zero-day attack may target a single organization (in the case of an advanced persistent threat operation) or thousands of victims simultaneously through mass exploitation campaigns.
How Zero-Day Attacks Work
Zero-day attacks follow a general progression from discovery to exploitation:
- Discovery. A threat actor identifies a vulnerability that the vendor and security community do not know about. Discovery may happen through reverse engineering, fuzzing, source code analysis, or purchasing vulnerability information from brokers.
- Exploit development. The attacker builds a working exploit that triggers the vulnerability reliably. This step ranges from trivial (a single crafted HTTP request) to complex (multi-stage chains bypassing memory protections).
- Delivery. The exploit reaches the target through a delivery vector: a phishing email with a weaponized attachment, a compromised website (drive-by download), a malicious software update (supply chain attack), or direct exploitation of an internet-facing application (MITRE ATT&CK T1190).
- Execution and post-exploitation. Once the exploit fires, the attacker establishes persistence, moves laterally, or deploys payloads. The window between initial exploitation and vendor patch release is the period of maximum risk.
Why Zero-Day Attacks Bypass Traditional Defenses
Signature-based detection tools, including antivirus engines, secure email gateways, and network intrusion detection systems, work by matching traffic or files against databases of known indicators of compromise. By definition, no signature exists for a zero-day vulnerability. This creates a detection gap that persists until the vulnerability is publicly disclosed and assigned a Common Vulnerabilities and Exposures (CVE) identifier.
Sandbox technology can catch some zero-day exploits by observing malicious behavior during detonation, but advanced exploits use sandbox evasion techniques (delayed execution, environment fingerprinting, user interaction checks) to avoid triggering analysis environments. Polymorphic attacks compound the problem by altering their code with each delivery, making hash-based detection unreliable even after initial discovery.
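The following Python is an added illustration of the point above, not code from IRONSCALES or NIST: it contrasts hash-based signature matching with a behavioural fingerprint over constructed toy "attachment scripts" written in a made-up command language. The call names delay, probe_env, fetch and run, and the URLs, are assumptions for the example.

```python
import hashlib
import re

# Constructed sample scripts in a toy command language (not real malware).
# VARIANT_A and VARIANT_B carry the same behaviour; B has been "polymorphed"
# with renamed identifiers, junk comments and different whitespace.
VARIANT_A = """
x = delay(90)        # stall before acting
probe_env("vm")      # environment fingerprinting
d = fetch("http://example.invalid/p")
run(d)
"""
VARIANT_B = """
# nothing to see here
q=delay(90)
# still nothing
probe_env( "vm" )
zz = fetch( "http://example.invalid/p" )
run( zz )
"""
BENIGN = """
rows = fetch("http://example.invalid/report.csv")
render(rows)
"""

def sha256_hex(content: str) -> str:
    return hashlib.sha256(content.encode()).hexdigest()

# Signature store: only the hash of the sample seen on day one is catalogued.
KNOWN_BAD_HASHES = {sha256_hex(VARIANT_A)}

def signature_match(content: str) -> bool:
    """Hash-based detection: matches only the exact bytes already catalogued."""
    return sha256_hex(content) in KNOWN_BAD_HASHES

# Behavioural catalogue of calls a defender treats as risky (assumed toy primitives).
RISKY_CALLS = ("delay", "probe_env", "fetch", "run")

def behavior_fingerprint(content: str) -> tuple:
    """Ordered tuple of risky calls, ignoring comments, identifiers and spacing."""
    code = re.sub(r"#.*", "", content)             # strip comments
    calls = re.findall(r"\b([a-z_]+)\s*\(", code)  # call names in program order
    return tuple(c for c in calls if c in RISKY_CALLS)

def behavior_match(content: str) -> bool:
    """Flag 'fingerprint the environment, then fetch and execute a payload',
    whichever concrete bytes express it."""
    fp = behavior_fingerprint(content)
    return "probe_env" in fp and fp[-2:] == ("fetch", "run")
```

The catalogued sample is caught by both checks, the polymorphic variant only by the behavioural one, and the benign script by neither.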
For email-borne zero-day threats, the gap is particularly acute. Phishing kits can incorporate zero-day exploits into attachments or landing pages, and no content filter will flag what it cannot recognize.
Zero-Day Attack Protection from IRONSCALES
IRONSCALES detects zero-day email threats through behavioral AI and crowdsourced threat intelligence from over 17,000 organizations, identifying anomalous message patterns and malicious intent without relying on signature databases.