What is a zero-day attack and how can you defend against one?

Table of contents
Quick definitions
What is a zero-day vulnerability?
How do zero-day attacks work?
Who are the typical targets of zero-day exploits?
Recent examples of zero-day attacks
How do zero-day attacks get detected?
How to protect against zero-day exploits
How Acronis Cyber Protect Cloud defends against zero-day threats
Key takeaways
Frequently asked questions

Quick definitions

Zero-day vulnerability: A security flaw in software, hardware, or firmware that is unknown to the vendor responsible for fixing it. Because no patch exists, the flaw is exploitable from the moment it is discovered by an attacker.

Zero-day exploit: The specific technique, code, or method an attacker uses to take advantage of a zero-day vulnerability. A single vulnerability may have multiple exploits.

Zero-day attack: The real-world use of a zero-day exploit to compromise a target system, steal data, deploy malware, or achieve other malicious objectives before a patch is available.

A zero-day attack targets a software vulnerability that the software vendor and security community have not yet identified or patched. Because defenders have had zero days to respond since the flaw became known, no signature-based defenses exist, and traditional antivirus tools cannot recognize the threat. This makes zero-day attacks among the most dangerous threats facing organizations today.

According to Google’s Threat Intelligence Group (GTIG), 75 zero-day vulnerabilities were actively exploited in the wild in 2024, down from 98 in 2023 but still above the 63 tracked in 2022. The data confirms that annual zero-day exploitation has stabilized at a persistently elevated baseline of 60–100 exploited vulnerabilities per year. Of the 75 zero-days exploited in 2024, 44% targeted enterprise products—up from 37% in 2023—with security and networking appliances such as VPNs and firewalls accounting for over 60% of enterprise-focused zero-day exploitation.

Separately, the Mandiant M-Trends 2025 report found that vulnerability exploits remained the most common initial infection vector for the fifth consecutive year, accounting for 33% of all intrusions investigated in 2024. These figures make clear that zero-day threats are not a niche concern reserved for nation-state targets—zero-day exploits are now a primary tool for breaching corporate and government networks alike.

What is a zero-day vulnerability?

A zero-day vulnerability is a security flaw in software that the vendor does not yet know about and has not patched. When a security researcher or attacker discovers such a vulnerability, the vendor has had “zero days” to develop a fix—hence the name.

Typically, when a researcher discovers a vulnerability, they alert the software vendor so a patch can be developed and distributed before attackers can exploit the flaw. Dedicated security researchers often cooperate with vendors and agree to withhold vulnerability details for an extended period to allow time for a patch. Once a zero-day vulnerability is publicly disclosed and a patch is available, it is reclassified as an “n-day” or “one-day” vulnerability.

Zero-day vulnerabilities take many forms: broken authentication mechanisms, command injection flaws, SQL injection weaknesses, path traversal issues, missing authorization controls, and unprotected open-source components. According to GTIG, the most frequently exploited zero-day vulnerability types in 2024 were use-after-free, command/code injection, and cross-site scripting—categories that can be reduced through higher coding standards, regular code reviews, and use of well-maintained libraries.

How do zero-day attacks work?

Zero-day attacks follow a sequence: an attacker discovers a vulnerability before the vendor, develops an exploit for that vulnerability, and deploys the exploit against target systems. Because security teams have no prior knowledge of the flaw, there is no patch, no signature, and no specific defense in place when the attack lands.

Historically, zero-day attacks often relied on email attachments and web browser vulnerabilities to deliver malicious payloads. In 2024, however, attackers increasingly targeted enterprise network-edge devices such as VPN gateways, firewalls, and managed file transfer (MFT) platforms. These internet-facing appliances often run with elevated privileges and provide direct access to internal networks, making a single zero-day exploit on one device a gateway to the broader enterprise environment.

The speed at which attackers weaponize disclosed vulnerabilities has also compressed dramatically. The Mandiant M-Trends 2026 report noted that the mean time-to-exploit dropped to approximately −1 day by 2024, meaning exploitation on average now begins before a patch is publicly available. VulnCheck’s first-half 2025 data corroborated this trend, finding that roughly 32% of exploited vulnerabilities showed evidence of exploitation on or before the day of CVE disclosure.

Who are the typical targets of zero-day exploits?

Zero-day vulnerabilities are valuable to a wide range of threat actors. A market exists for zero-day exploits across three tiers: a “white market” where organizations hire researchers to find and responsibly disclose vulnerabilities; a “grey market” where governments and defense contractors purchase exploits for intelligence or law enforcement purposes; and a “black market” where cybercriminals and nation-state actors trade exploit details without public disclosure.

Common targets for zero-day exploits include large enterprises, government agencies, critical infrastructure operators, defense contractors, financial institutions, healthcare organizations, and managed service providers (MSPs). State-sponsored espionage groups—particularly those attributed to China, Russia, and North Korea—have been among the most prolific users of zero-day exploits. According to GTIG, China-linked groups were responsible for nearly 30% of state-attributed zero-day exploitation in 2024. Additionally, commercial surveillance vendors (CSVs) continue to use zero-day exploits to target mobile devices on behalf of government clients.

Recent examples of zero-day attacks

Stuxnet (2010) — the landmark case

Stuxnet remains one of the most consequential zero-day attacks in history. The malicious worm exploited four Windows zero-day vulnerabilities and spread via USB drives to infiltrate supervisory control and data acquisition (SCADA) systems. Stuxnet specifically targeted programmable logic controllers (PLCs) in Iran’s uranium enrichment facilities, causing centrifuges to malfunction and disrupting the country’s nuclear program. The attack demonstrated that zero-day exploits could cause physical damage to industrial infrastructure, fundamentally changing how governments and security professionals think about cyber warfare.

MOVEit Transfer (2023) — mass exploitation via managed file transfer

In May 2023, the Cl0p ransomware group exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer platform. The MOVEit zero-day attack became one of the largest data breaches in recent history: according to tracking by cybersecurity firm Emsisoft, more than 2,700 organizations were compromised, and the personal data of approximately 93 million individuals was exposed. Victims spanned government agencies, financial institutions, healthcare providers, and major corporations including the BBC and British Airways. CISA and the FBI issued a joint advisory attributing the campaign to Cl0p and urging organizations to patch immediately.

Ivanti Connect Secure VPN (2024) — state-sponsored edge-device exploitation

In January 2024, Ivanti disclosed two chained zero-day vulnerabilities in its Connect Secure VPN appliances: CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection). Mandiant attributed initial exploitation to UNC5221, a suspected China-nexus espionage group that had been exploiting the flaws since at least December 2023. The attackers deployed custom malware including the ZIPLINE backdoor, WARPWIRE credential harvester, and multiple web shells to maintain persistent access. CISA issued Emergency Directive 24-01 requiring federal agencies to mitigate the vulnerabilities, and Volexity reported that exploitation became “widespread” globally within days of public disclosure, with over 1,700 appliances confirmed compromised.

Cleo MFT products (2024) — ransomware targeting file transfer platforms

In late 2024, attackers exploited a zero-day arbitrary file write vulnerability (CVE-2024-55956) in Cleo’s LexiCom, VLTrader, and Harmony managed file transfer products. The exploit allowed attackers to write malicious files into the application’s Autorun directory, which the software then automatically executed to download additional payloads. This attack followed a pattern established by the MOVEit and GoAnywhere MFT breaches, confirming that managed file transfer platforms remain a high-priority target for ransomware operators seeking mass data exfiltration.

How do zero-day attacks get detected?

Zero-day attacks are inherently difficult to detect because no known threat signature exists at the time of the attack. Signature-based antivirus software, intrusion detection systems (IDS), and intrusion prevention systems (IPS) cannot identify a zero-day exploit by matching it against a database of known threats.

The most effective approach to zero-day threat detection is behavioral analysis. Security tools that monitor for anomalous user and system behavior—rather than matching known signatures—can identify deviations from normal activity patterns that may indicate an active zero-day exploit. Organizations should combine multiple detection methods for a layered approach:

User and entity behavior analytics (UEBA): Establishes baseline behavior patterns for users and systems. Network activity outside these baselines—such as unexpected data transfers, privilege escalation, or lateral movement—can signal a zero-day compromise.

Machine learning-based detection: Machine learning models trained on historical system interaction data can identify anomalies that rule-based systems miss. As organizations collect more telemetry, ML-based detection becomes increasingly effective at flagging previously unseen exploit behavior.

Endpoint detection and response (EDR): Modern EDR solutions continuously monitor endpoint activity, correlate events across the kill chain, and surface suspicious process behavior—even when the underlying exploit is unknown. EDR provides the investigation and response capabilities that signature-based tools lack.

Threat intelligence feeds: While zero-day exploits are by definition unknown, threat intelligence can provide indicators of compromise (IOCs) from related campaigns, helping security teams detect zero-day attacks faster once initial exploitation is reported by the broader security community.
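The detection list above rests on one idea: learn what is normal for each account or system, then alert on deviations from that baseline rather than on a known signature. The following is an added example illustrating that mechanism, not code from Acronis or from any product named on this page. It runs over constructed, hypothetical per-account daily summaries (outbound megabytes, distinct hosts logged into, privileged actions), builds a per-entity mean and standard deviation from a training window, and flags days that exceed the baseline, including an account with no history at all. Field names, thresholds and the sample data are all assumptions.

```python
"""Per-entity baseline anomaly detection, a minimal UEBA-style check.

Added example, not Acronis code. Learns each account's normal daily activity
from a training window, then flags days whose activity exceeds
mean + 3 standard deviations (with a small absolute floor so an account whose
history is perfectly flat does not alert on trivial changes). Accounts with no
baseline at all are reported as unknown entities.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Fields we baseline, and the minimum margin above the mean that counts as a
# deviation when the account's history shows no variance at all (assumed values).
FIELDS = ("outbound_mb", "hosts", "priv_actions")
MIN_MARGIN = {"outbound_mb": 20.0, "hosts": 1.0, "priv_actions": 0.5}
SIGMA = 3.0


def _event(day, user, outbound_mb, hosts, priv_actions):
    return {"day": day, "user": user, "outbound_mb": outbound_mb,
            "hosts": hosts, "priv_actions": priv_actions}


# Constructed sample telemetry (hypothetical, not real logs): one summary
# record per account per day for a seven-day training window.
BASELINE_EVENTS = (
    [_event(f"2024-01-{d:02d}", "alice", 40 + (d % 3) * 5, 2, 0) for d in range(1, 8)]
    + [_event(f"2024-01-{d:02d}", "svc-backup", 900 + (d % 2) * 50, 1, 0) for d in range(1, 8)]
)
NEW_EVENTS = [
    _event("2024-01-08", "alice", 45, 2, 0),        # ordinary day
    _event("2024-01-09", "alice", 1200, 9, 1),      # large transfer, many hosts, privilege use
    _event("2024-01-08", "svc-backup", 920, 1, 0),  # big, but normal for this service account
    _event("2024-01-08", "mallory", 300, 4, 0),     # account with no history at all
]


def build_baselines(events):
    """Return {user: {field: (mean, stdev)}} learned from historical events."""
    series = defaultdict(lambda: defaultdict(list))
    for ev in events:
        for f in FIELDS:
            series[ev["user"]][f].append(float(ev[f]))
    return {user: {f: (mean(vals), pstdev(vals)) for f, vals in fields.items()}
            for user, fields in series.items()}


def detect(events, baselines):
    """Return one finding per (event, field) that exceeds its entity's baseline,
    plus one finding per event whose entity has no baseline at all."""
    findings = []
    for ev in events:
        base = baselines.get(ev["user"])
        if base is None:
            findings.append({"user": ev["user"], "day": ev["day"], "field": None,
                             "reason": "no baseline for entity"})
            continue
        for f in FIELDS:
            mu, sd = base[f]
            # Per-entity threshold: 3 sigma above the mean, never less than the floor.
            threshold = mu + max(SIGMA * sd, MIN_MARGIN[f])
            if ev[f] > threshold:
                findings.append({"user": ev["user"], "day": ev["day"], "field": f,
                                 "value": ev[f], "threshold": round(threshold, 1),
                                 "reason": "exceeds baseline"})
    return findings


def run_demo():
    """Train on the baseline window and score the new events."""
    return detect(NEW_EVENTS, build_baselines(BASELINE_EVENTS))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The point of scoring per entity rather than with one global threshold is visible in the sample data: the service account's 920 MB day is larger than anything "alice" ever does, yet it is not flagged, while her 1200 MB day, nine-host fan-out and first privileged action all are. In practice the baseline window would be longer, the fields would come from EDR or proxy telemetry, and findings would feed a triage queue rather than being printed.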

How to protect against zero-day exploits

Since zero-day exploits target unknown vulnerabilities, prevention requires a defense-in-depth strategy that does not depend on prior knowledge of the specific threat. The following controls reduce risk exposure and limit the impact of a successful zero-day attack.

Prioritize patch management

While patching cannot prevent a true zero-day exploit, aggressive automated patch management closes known vulnerabilities rapidly, reducing the overall attack surface and making it harder for attackers to chain zero-day exploits with n-day flaws. Security teams should aim to deploy critical patches within hours of release, not weeks.

Segment networks with VLANs

Virtual local area networks (VLANs) segregate critical traffic and isolate high-value assets. If zero-day attackers breach the perimeter, network segmentation limits lateral movement and prevents access to the most sensitive data and systems.

Deploy behavioral endpoint protection

Traditional signature-based antivirus is insufficient against zero-day threats. EDR and XDR solutions that use behavioral heuristics, AI-powered analysis, and real-time monitoring can detect malicious activity—such as process injection, credential harvesting, or unusual file system changes—even when the exploit itself is unknown.

Encrypt network traffic

Internet Protocol Security (IPsec) encryption and authentication for critical network traffic prevents attackers from intercepting or manipulating data in transit, limiting the damage from a zero-day compromise.

Deploy IDS/IPS as an early warning layer

Although IDS and IPS tools cannot match a zero-day exploit against a known signature, they may still flag suspicious incoming traffic or anomalous file transfers that occur as side effects of an active zero-day attack, providing early warning for incident response teams.

Implement network access control (NAC)

NAC policies restrict which devices can access critical network segments, denying rogue or unauthorized machines from reaching high-value targets and reducing the blast radius of a zero-day breach.

Conduct regular vulnerability scanning and employee training

Continuous vulnerability scanning across all enterprise systems helps identify and remediate exploitable weaknesses before attackers find them. Many zero-day attacks also rely on social engineering to deliver the initial payload, so regular security awareness training reduces the risk of human-enabled compromise.

How Acronis Cyber Protect Cloud defends against zero-day threats

Acronis Cyber Protect Cloud integrates backup, disaster recovery, AI-powered anti-malware, and endpoint detection and response (EDR) into a single platform built for managed service providers (MSPs) and IT teams. This unified approach addresses zero-day threats across the functions of the NIST Cybersecurity Framework—identify, protect, detect, respond, and recover—from a single agent and console.

Acronis EDR uses AI-guided behavioral analysis to detect suspicious endpoint activity, including zero-day malware and ransomware that bypasses signature-based defenses. When a threat is detected, security teams can investigate and remediate with single-click response actions, including process termination, endpoint isolation, and integrated backup recovery to restore affected files.

Automated patch management within the Acronis platform identifies missing patches across operating systems and hundreds of third-party applications, deploys updates on schedule, and creates automatic image backups before patching to enable fail-safe rollback. This combination of rapid patching and pre-patch backup is critical for minimizing the window of exposure to both zero-day and n-day vulnerabilities.

Key takeaways

• Zero-day attacks exploit software flaws unknown to the vendor, leaving no time for defenders to patch before the attack lands.

• Google GTIG tracked 75 zero-day vulnerabilities exploited in the wild in 2024, with 44% targeting enterprise technologies—especially VPNs, firewalls, and networking appliances.

• The mean time-to-exploit has compressed to the point where exploitation frequently begins before a patch is available, rendering traditional monthly patch cycles insufficient.

• Behavioral detection, EDR, network segmentation, and aggressive patch management form the core of an effective zero-day defense strategy.

• Acronis Cyber Protect Cloud provides integrated EDR, AI-powered anti-malware, automated patch management, and backup recovery in a single platform to help organizations detect, respond to, and recover from zero-day attacks.

Frequently asked questions

What is the difference between a zero-day vulnerability and a zero-day exploit?

A zero-day vulnerability is the underlying security flaw in software that the vendor does not yet know about. A zero-day exploit is the specific code or technique an attacker develops to take advantage of that vulnerability. The vulnerability is the weakness; the exploit is the weapon built to attack it.

How do zero-day attacks get detected?

Because no signature exists for a zero-day threat, detection relies on behavioral analysis, anomaly detection, and endpoint monitoring. EDR solutions, machine learning models, and user behavior analytics are the most effective tools for identifying zero-day attacks in progress.

Can antivirus stop a zero-day attack?

Traditional signature-based antivirus cannot stop a zero-day attack, because the exploit has no known signature to match against. Modern endpoint protection solutions that use behavioral heuristics, AI-driven analysis, and real-time monitoring offer significantly better protection against zero-day threats than signature-only antivirus.

Who are the typical targets of zero-day exploits?

Zero-day exploits target large enterprises, government agencies, critical infrastructure operators, defense contractors, financial institutions, healthcare organizations, and MSPs. Nation-state espionage groups and financially motivated ransomware operators are the most prolific users of zero-day exploits.

How quickly do attackers exploit newly disclosed vulnerabilities?

Exploitation is accelerating. According to Google’s Threat Intelligence Group, the mean time-to-exploit reached approximately −1 day by 2024, meaning many vulnerabilities are exploited before a patch is publicly available. VulnCheck reported that roughly 32% of exploited vulnerabilities in the first half of 2025 showed exploitation evidence on or before the day of CVE disclosure.

About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 60+ countries. Acronis Cyber Platform is available in 26 languages in 150 countries and is used by over 21,000 service providers to protect over 750,000 businesses.