What Is a Zero-Day Threat? [Complete Guide 2024]

Updated on: April 22, 2024
Ben Martens Ben Martens
Updated on: April 22, 2024

Short on time? Here’s how to stay protected against zero-day attacks in 2024:

Zero-day attacks are really complicated, but staying safe online is actually pretty simple. Here’s what you should do to keep your device safe from zero-days and exploit attacks in 2024:

  • Use antivirus software — Antivirus suites like Norton 360 include real-time malware protection, web shields to block dangerous websites and exploit attacks, firewalls to keep your network secure, and much more.
  • Keep your software up-to-date — Set your programs to auto-update and make sure you install updates as soon as they’re available. Avira antivirus even includes a vulnerability scanner that flags out-of-date software.
  • Be cautious on the internet — Avoid sketchy links, only navigate to secure websites (look for the lock symbol in your address bar and https instead of http), and consider using an internet security suite that can flag and block unsafe websites (Bitdefender has one of my favorite web shields on the market).
  • Test your browser — WICAR.org hosts a test page with a lot of common exploit attacks. If your browser is failing to block the test exploits on WICAR, you need to get an internet security program with an effective web shield.

Zero-day exploits take advantage of a software vulnerability that the software’s developer hasn’t patched. Zero-day exploits aren’t malware, but hackers use zero-days to install malware on user devices without alerting a user’s built-in protections. To illustrate — if exploits are like a lock-picking tool, then malware is the crime committed after somebody has picked the lock and walked through the door.

There is a growing industry based around finding zero-day vulnerabilities, developing exploits that attack these vulnerabilities, and selling those exploits for huge profits. And developers are also spending millions to find vulnerabilities in their software and patch them before any attacks can occur.

Zero-days are usually deployed in high-profile hacks against massive corporations, or in the actions of governments against rival nations or their own citizens, but exploits are also used to hack users with out-of-date software every day.

What Are Zero-Day Vulnerabilities & Exploits?

What Are Zero-Day Vulnerabilities & Exploits?

Vulnerabilities are software processes that can be exploited by hackers to force a program to perform unintended behavior (like a browser giving hackers access to your webcam). Every piece of software contains vulnerabilities, and oftentimes the vulnerabilities only reveal themselves to ingenious hackers and researchers after months (or even years) of experimentation.

If the developer doesn’t know about a vulnerability, then it’s a zero-day.

Zero-day vulnerabilities are precious commodities — hackers want them so they can design exploits to attack defenseless software, while developers want to find out about them before their software is compromised. Many hackers make a living by hunting down zero-days and selling them to brokers online, who then go on to sell these vulnerabilities off to the highest bidder.

An exploit is a tool designed to attack a software vulnerability — an exploit could be a piece of data or a series of commands that force any software to behave in an unusual way, usually for hacking purposes. Developers fight exploits by creating security patches and updates to close the vulnerabilities in their software — but they can’t patch a vulnerability which they know nothing about.

Zero-day exploits are the most dangerous form of exploit, because there’s no protection against them — they attack vulnerabilities that haven’t been patched by developers.

How Does a Zero-Day Exploit Work?

How Does a Zero-Day Exploit Work?

In general, every exploit attack is a 5-step process. The steps include:

  1. Scanning new software and updates for vulnerabilities.
  2. Identifying vulnerabilities.
  3. Writing a targeted zero-day exploit code.
  4. Infiltrating devices running the vulnerable software.
  5. Launching the zero-day attack.

Developers and hackers are in a constant race to discover vulnerabilities. They search for vulnerabilities using a variety of techniques that require an advanced knowledge of coding, such as static program analysis, code auditing, reverse engineering, and fuzzing (yes, that’s what it’s called).

When a security researcher (or just a decent human being) finds a vulnerability, they immediately report it to the developer, who is then able to implement a patch and release that patch as an update.

However, when malicious hackers find zero-day vulnerabilities, they set about designing exploits to take advantage of those vulnerabilities. You won’t see the zero-day widely publicized (even on the dark web) because the power of a zero-day lies in its secrecy.

Zero-day exploits have been used by governments to spy on journalists, to sabotage nuclear enrichment facilities in Iran, to steal valuable data from movie studios, and of course to install malware payloads on millions of user devices. Once an exploit has been discovered by the developer (usually once an attack has taken place, or once the exploit has grown in popularity), the developer issues a patch to close up the software vulnerability, and the exploit ceases to be a zero-day.

So, How do Exploit Attacks Work? What’s an Exploit Kit?

How Does a Zero-Day Exploit Work?

Unfortunately, even known vulnerabilities (which have been patched) can be taken advantage of when users haven’t updated their software — with billions of internet-connected devices around the globe, there’s a significant percentage of users with exploitable vulnerabilities. Hackers know there are millions of users that haven’t downloaded the latest patch for Adobe Reader, or Chrome, or for a particular browser extension. It’s just a matter of finding your victims.

Hackers bundle multiple exploits into exploit kits, which can target a variety of vulnerabilities in browsers, extensions, operating systems, routers, file formats (like .pdf), or popular software like Adobe Reader (one of the most famous exploits in recent history targeted the iMessage software built into all iOS products). These kits are bought and sold on the dark web, where a thriving market of hackers, governments, and security researchers compete to be at the cutting-edge of cybersecurity.

Exploit kits are distributed by a variety of methods, such as pop-up advertisements, malicious links, pirated software, spear-phishing emails containing malicious attachments, or even network intrusion.

Once a user is compromised by any of these techniques, the exploit kit activates and starts scanning the user’s device for unpatched vulnerabilities. If the kit discovers a vulnerability, then it runs the exploit, allowing hackers to install malware, crash devices, or steal information.

For example — you receive an email that appears to be from a trusted source, which says, “Click on this link”. You click on the link and you’re taken to a clearly untrustworthy website packed with banner ads and pop-ups. The exploit kit on the site is automatically checking your browser and all of your extensions looking for vulnerabilities it can exploit. In a couple of seconds, the exploit kit finds you’re using an out-of-date version of Java. The kit then runs the exploit that attacks Java, giving the hacker the ability to install malware on your device just because you navigated to the website. You didn’t need to download anything, the exploit kit did all the work.

Famous Examples of Zero-Day Exploits

Famous Examples of Zero-Day Exploits

Over the years, there has been a sharp rise in the number of zero-day attacks. Multi-billion dollar corporations and technologically advanced governments have perpetrated these attacks and they have also been the victims of zero-day exploits. Here are 3 of the most high-profile zero-day attacks of the last decade.



is a malicious worm designed to cause malfunction in the industrial SCADA computers, which are in charge of systems like traffic infrastructure, waste management, and power plants. Specifically, Stuxnet is designed to attack the Siemens PLC computers connected to gas centrifuges, which are necessary for uranium enrichment.

In 2010, Stuxnet made a huge impact, damaging valuable centrifuges primarily in Iran, but also in Indonesia, India, and dozens of other countries. While it’s never been officially acknowledged, it’s widely understood that the US and Israel were behind this unprecedented industrial malware sabotage.

The Stuxnet worm was installed via USB drives, bypassing Windows and Siemens anti-malware scanners by taking advantage of 4 separate zero-day vulnerabilities in both Windows and Siemens PLC computers. Without these zero-days, the worm would have been blocked by Windows the moment the USB drives were installed in the targeted computers.

Stuxnet is still an object of fascination in the cybersecurity community, because it encompasses worms, zero-days, rootkits, and man-in-the-middle attacks within a single piece of extremely advanced malware that was able to cause physical damage to real-world industrial machinery. There have been numerous examples since of malware designed to target real-world industrial operations.


According to research published in late 2020, hackers exploited a zero-day vulnerability in iMessage that allowed them to install the Pegasus spyware through a “zero-click” attack.

Pegasus allowed users remote access to iOS and Android devices, enabling them to take photos, steal data, and even listen to encrypted calls on apps like Signal and WhatsApp. The spyware was installed by exploiting a vulnerability in iMessage, which isn’t as securely sandboxed as most iOS apps.

According to reports, hackers (probably controlled by Saudi Arabia and the UAE) were able to exploit this vulnerability and install Pegasus on numerous devices used by Al Jazeera journalists.

Following these reports, Apple issued a patch that closed the iOS vulnerability. Users with iOS 14 or later are protected from this type of zero-click attack.

Equifax Breach

In March of 2017, Adobe released a patch for its Adobe Struts software, which is used for networking in large-scale enterprises. This patch closed a major vulnerability in Struts. However, the massive US credit conglomerate Equifax failed to install the update to its systems, allowing hackers to trawl its systems for data from May to July 2017.

This attack released information on almost 150 million US users, including social security numbers, addresses, credit scores, and other private information. It’s considered one of the most impactful data breaches of all time, and the hackers didn’t even need to deploy a zero-day exploit to pull it off.

The Equifax breach is a stark example for everyone that it’s crucial to keep all of your software up to date. If Equifax had installed the Adobe Struts patch in March, its network would have been completely protected and no user information would have been breached.

How to Stay Protected Against Zero-Day Exploits

How to Stay Protected Against Zero-Day Exploits

Everyday users can’t do very much to prevent the spread of zero-days, but there are a few things you can do to keep your devices as safe as possible from malware, data breaches, and network intrusion in 2024:

  • Use antivirus software — The best antivirus suites on the market provide a wide variety of features to protect your device. Products like Norton 360 and McAfee use tools like behavior analysis, machine learning, and massive malware databases to identify threats on your device in real-time. Plus, tools like dark web monitoring, firewalls, and vulnerability scanners can help you keep track of breached data, network intrusion, and also to keep all of your software up to date.
  • Keep your software up-to-date — Don’t be like Equifax. Software updates are frequently issued to patch newly discovered security vulnerabilities. You can’t protect yourself from zero-days, but thanks to the hard work of coders and security researchers around the globe, security patches are constantly being issued, sometimes even before a vulnerability is disclosed to the public. Exploit kits usually target known vulnerabilities, so it’s essential that you keep your OS, programs, applications, and extensions updated.
  • Be cautious on the internet — Most malware attacks and exploit attacks occur due to some level of user error. Malspam and spear-phishing depend on users downloading or opening unsafe files, while many suspicious websites host advanced exploit kits that can target your device. Public Wi-Fi can also be a source of danger. Never click on a link or an attachment from an untrusted source and always do your best to confirm that a file or link is safe before you try to access it.
  • Test your browser — You can test your browser on WICAR.org, which has many known ways of attacking browsers, specifically targeting weaknesses in programs like Adobe Flash, Javascript, Firefox, and Chrome.To do that, visit the WICAR website and click on the different options on its “Testing” page. If you can navigate to any of their test pages, it’s time to update your browser and security software.

Frequently Asked Questions

What are zero-day threats?

Zero-day threats are brand new cyberattacks that either A) exploit software vulnerabilities which developers are unaware of, or B) utilize new malware code that isn’t recorded in any malware database. The term “zero-day” refers to the amount of time developers have had to update their protections — because zero-days are brand new, developers have had zero days to study them and devise a solution.

The majority of zero-day attacks that we hear about in the news are zero-day exploits. Exploit attacks target unintended bugs and weaknesses in software — they frequently target browsers and other web-facing tools (like JavaScript, Adobe Flash, or CSS), which are easier for hackers to access. Hackers use exploits to gain access to a system, at which point they can install malware, sabotage a system, steal data, or initiate a man-in-the-middle (MITM) attack.

Once a zero-day has been deployed, it becomes a known exploit which developers can protect against with patches and software updates — so zero-days are usually deployed in high-profile attacks against extremely lucrative targets. Both zero-day malware attacks and exploit attacks are fairly uncommon, but zero-day exploits have been happening more frequently in recent years. Machine learning-based anti-malware detection (like Norton uses) is designed to detect zero-day malware threats.

Is there a difference between zero-days and exploits?

Yes. Zero-days are simply exploit attacks that nobody has seen before. The moment a zero-day attack occurs, the exploit that was utilized in the attack becomes a known exploit, and developers set about patching the vulnerability that was targeted by the zero-day.

Once a patch is issued in a software update, users with up-to-date software can’t be targeted by exploits that target the patched vulnerability.

Exploits are a lot more common than zero-days, and they’re still a huge problem online because so many users fail to update their software.

What are some real-world examples of zero-day attacks?

There have been quite a few notable instances of zero-days in the last decade, including:

  • Stuxnet malware. This spy-movie caliber attack targeted uranium-enrichment centrifuges in Iran by exploiting multiple zero-days in Windows and Siemens industrial computers.
  • Pegasus malware. This terrifying malware was deployed by multiple oppressive regimes (probably Saudi Arabia and the UAE) to spy on journalists at Al Jazeera.
  • Equifax breach. Ironically, this breach wouldn’t have happened if Equifax had kept its software up-to-date. One of the largest breaches in hacker history, it exploited a vulnerability in the Adobe Struts application that had been patched months before the breach occurred.

How to prevent zero-day attacks?

Unfortunately, there isn’t a lot you can do to prevent zero-days, because they are, by definition, an unknown threat. However, there are a few pretty simple steps you can take to make yourself as safe as possible:

  • Install internet security software. Premium antiviruses like Norton use machine learning to detect and prevent zero-day threats.
  • Keep your software up to date (especially your browser).Most exploit attacks target known vulnerabilities that have already been patched. You can’t get hacked by an exploit which your software has been patched against.
  • Avoid sketchy websites. Pirate websites, porn websites, unsecured websites (look for the “lock” symbol in your browser’s address bar), phishing sites, and even many shopping sites can be vectors for malware and exploit attacks.
  • Test your browser with WICAR. If you want to make sure your browser is up to date, then click around WICAR’s “Testing” page. If you get compromised by one of WICAR’s exploits, it will harmlessly open the calculator on your PC.
The listings featured on this site are from companies from which this site receives compensation and some are co-owned by our parent company. This influence: Rank and manner in which listings are presented. 
Learn more
About the Author
Ben Martens
Ben Martens
Senior Editor
Updated on: April 22, 2024

About the Author

Ben Martens is a former cybersecurity journalist for SafetyDetectives with a background in internet ethics, malware testing, and public policy. He resides in Oregon, and when he's not advocating for the rights of internet users, he's walking with his dog and inventing stories with his daughter.