Zero-Day Vulnerability
What is Zero-Day Vulnerability?
A security flaw that is unknown to the vendor (or for which no patch yet exists) at the moment it is discovered or exploited.
A zero-day vulnerability gets its name because defenders have had "zero days" to prepare a fix when it surfaces. Such flaws are highly prized: governments, exploit brokers, and criminal groups pay six- and seven-figure sums for working exploits, and APT actors use them for stealthy intrusions.
Two cases show the spectrum. Stuxnet (2010) chained four previously unknown Windows zero-days — including the LNK shortcut flaw CVE-2010-2568 — to spread offline and sabotage Iranian uranium centrifuges. FORCEDENTRY (CVE-2021-30860), patched by Apple in September 2021, was a zero-click integer overflow in the CoreGraphics image parser that NSO Group's Pegasus used to compromise iPhones with no user interaction at all. Google's Threat Analysis Group has tracked record numbers of zero-days exploited in the wild in recent years, the majority in browsers, mobile operating systems, and security appliances.
Defending against zero-days relies on layered controls: exploit mitigations (ASLR, CFG/CET, sandboxing), behavioural EDR/XDR detection of post-exploitation activity, network segmentation, virtual patching via WAF/IPS, and rapid coordinated disclosure once researchers find them. Once a vendor ships a fix, the issue becomes an n-day vulnerability — still dangerous until everyone patches.
```mermaid
flowchart LR
    A[Flaw exists, vendor unaware] --> B[Attacker discovers it]
    B --> C[Weaponise into exploit]
    C --> D[In-the-wild exploitation]
    D --> E[Vendor learns of attacks]
    E --> F[Patch released]
    F --> G[Now an n-day vulnerability]
```
● Examples
- 01. Stuxnet leveraged multiple Windows zero-days against Iranian centrifuges.
- 02. CVE-2023-23397 — Outlook NTLM zero-day exploited by Russia-linked APT28.
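The second example, CVE-2023-23397, abused the extended MAPI property PidLidReminderFileParameter: Outlook reads a custom reminder-sound path from it and, if that path is a UNC path, authenticates over SMB to the named host, leaking Net-NTLMv2 credentials. The scanner below is an added defender-side example, not code from the original page or from Microsoft; it assumes mailbox items have already been exported into dicts (by whatever export tooling you use) and flags reminder paths that would reach a host outside your trusted list.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Extended MAPI property abused by CVE-2023-23397 (real property name).
REMINDER_FILE_PARAMETER = "PidLidReminderFileParameter"

# Matches \\host\share\..., //host/..., or file://host/... and captures the host.
# A plain local path (C:\...) or file:///C:/... does not match.
_UNC_RE = re.compile(r"^(?:\\\\|//|file://)([^\\/]+)(?:[\\/]|$)", re.IGNORECASE)


@dataclass
class Finding:
    message_id: str
    host: str
    path: str


def remote_host(value: str) -> Optional[str]:
    """Return the host a reminder path would contact, or None if it is local."""
    m = _UNC_RE.match(value.strip())
    return m.group(1).lower() if m else None


def scan_messages(messages: Iterable[dict], trusted_hosts: Iterable[str] = ()) -> List[Finding]:
    """Flag messages whose reminder file parameter points at an untrusted host.

    Each message is a dict with an 'id' and a 'properties' dict (assumed export format).
    """
    trusted = {h.lower() for h in trusted_hosts}
    findings: List[Finding] = []
    for msg in messages:
        value = msg.get("properties", {}).get(REMINDER_FILE_PARAMETER)
        if not value:
            continue  # no custom reminder sound set: not exploitable this way
        host = remote_host(value)
        if host and host not in trusted:
            findings.append(Finding(msg["id"], host, value))
    return findings


# Constructed sample records for demonstration (not real mail data).
SAMPLE_MESSAGES = [
    {"id": "msg-1", "properties": {REMINDER_FILE_PARAMETER: r"C:\Windows\Media\reminder.wav"}},
    {"id": "msg-2", "properties": {REMINDER_FILE_PARAMETER: r"\\203.0.113.45\share\s.wav"}},
    {"id": "msg-3", "properties": {REMINDER_FILE_PARAMETER: r"\\fileserver.corp.example\audio\ping.wav"}},
    {"id": "msg-4", "properties": {}},
]

if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES, trusted_hosts=["fileserver.corp.example"]):
        print(f"{f.message_id}: reminder path reaches {f.host} ({f.path})")
```

Any hit is worth treating as an incident, since a benign reason for a calendar item to reference an external SMB share is rare; blocking outbound TCP/445 at the edge removes the credential leak even before the patch is applied.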
● Frequently asked questions
What is Zero-Day Vulnerability?
A security flaw that is unknown to the vendor (or for which no patch yet exists) at the moment it is discovered or exploited. It belongs to the Vulnerabilities category of cybersecurity.
How do you defend against Zero-Day Vulnerability?
Defences for Zero-Day Vulnerability combine technical controls (exploit mitigations such as ASLR, CFG/CET and sandboxing; behavioural EDR/XDR detection of post-exploitation activity; network segmentation; virtual patching via WAF/IPS) with operational practices (coordinated disclosure and rapid patching once a fix ships), as detailed in the full definition above.
What are other names for Zero-Day Vulnerability?
Common alternative names include 0-day vulnerability and zero-day flaw.