A zero-day vulnerability is a security flaw in software or hardware that is unknown to the vendor responsible for fixing it. The term refers to the number of days the vendor has had to address the problem, with zero meaning no patch exists at the time attackers discover and exploit it. Organizations running the affected software have no official fix available, and every system running that software remains at risk for as long as the vulnerability stays undisclosed or unresolved.
Understanding zero-day vulnerabilities
The Oxford Journal of Cybersecurity's peer-reviewed analysis of zero-day patching timelines describes a zero-day as a newly discovered vulnerability unknown to the affected vendor, one for which no security patch has been released. Once a vendor learns of a flaw, issuing a timely fix becomes urgent, given the risk that attackers will exploit the window between discovery and remediation. The research found that patch release time is influenced by factors including the vulnerability's scope, how many vendors and products it affects, and whether exploitation has already been observed in the wild, suggesting that proactive disclosure and broad impact accelerate vendor response.
A zero-day exploit is distinct from the vulnerability itself. The vulnerability is the flaw; the exploit is the tool or technique that takes advantage of it. As an empirical study of Zero Day Initiative disclosures published on arXiv explains, zero-days represent some of the most critical threats in cybersecurity precisely because affected systems remain defenseless during the exposure window, with no patch available to close the gap attackers walk through.
What makes zero-days particularly dangerous is their completeness as an attack vector. Standard security defenses, such as endpoint protection, intrusion detection, and signature-based filtering, are built around known threat patterns. A zero-day, by definition, has no known pattern yet, so security systems designed around known vulnerabilities cannot reliably detect exploits of vulnerabilities they have never seen.
The impact of zero-day vulnerabilities
Zero-day exploitation has grown into one of the primary mechanisms behind major breaches, particularly among well-resourced attackers. The Verizon 2025 Data Breach Investigations Report, based on analysis of over 22,000 incidents and 12,195 confirmed breaches, found that exploitation of vulnerabilities now accounts for 20% of all breach initial access vectors, a 34% year-over-year increase, driven in significant part by zero-day exploits targeting edge devices and VPNs. The targeting of edge infrastructure through zero-days grew almost eightfold in a single year, from 3% to 22% of all vulnerability exploitation breaches.
Google's Threat Intelligence Group tracked 90 zero-day vulnerabilities exploited in the wild in 2025, finding that enterprise-focused technologies reached an all-time high share of 48% of total zero-days, with security software and networking appliances accounting for the bulk of enterprise exploitation. The pattern shows a deliberate strategic shift: attackers increasingly target the security and connectivity infrastructure that sits at the perimeter of networks, because compromising a VPN gateway or firewall provides broader and more persistent access than compromising a single endpoint.
The financial consequences of zero-day exploitation compound over time. The IBM X-Force 2025 Threat Intelligence Index found that the global average cost of a data breach reached a record $4.88 million in 2024, with vulnerability exploitation as an initial access vector accounting for over a quarter of critical infrastructure attacks. In espionage-motivated breaches tracked in the Verizon 2025 DBIR, vulnerability exploitation was the initial access vector in 70% of cases, underscoring how heavily state-sponsored actors depend on zero-days for high-value intrusions.
For healthcare, the sector's combination of internet-facing systems, high email volume, and historically underfunded security infrastructure makes zero-day exposure a compounding risk. According to Paubox's 2025 Healthcare Email Security Report, many healthcare organizations rely on outdated or consumer-grade technology, leaving networks vulnerable precisely in the conditions that make unpatched systems an attractive target when a zero-day surfaces.
According to Paubox's report "60% of healthcare orgs admit email security failure", 73% of healthcare IT leaders expect breaches to increase in 2025, showing awareness that their current security posture leaves them exposed to fast-moving threats, including zero-day exploitation.
How zero-day vulnerabilities work
Zero-day exploitation follows a sequence that begins long before the vendor becomes aware of the problem. Attackers, whether nation-state groups, organized criminal operations, or commercial surveillance vendors, identify a previously unknown flaw through their own research, through purchase on underground markets, or through reverse engineering of software updates that inadvertently reveal where previous vulnerabilities existed.
Once a viable exploit is developed, attackers can deploy it against any organization running the affected software. Because no patch exists, there is no automated remediation available. Organizations must rely on behavioral detection, network monitoring, and any available workarounds until the vendor releases a fix, and even then, the Verizon 2025 DBIR found that only 54% of perimeter device vulnerabilities were fully remediated within a year of discovery, with a median patching time of 32 days. That 32-day window is enormous against modern exploitation timelines. Separate research cited in the DBIR found the average time-to-exploit for newly disclosed vulnerabilities had collapsed to approximately five days in 2024, down from 32 days in prior years.
The CISA advisory on Ivanti CVE-2025-0282 illustrates the pattern in practice. The vulnerability was disclosed and patched in January 2025, but exploitation by a China-nexus espionage group had already begun before the patch was available. CISA later found that even after disclosure, attackers had deployed malware capable of erasing exploitation evidence and surviving a factory reset, meaning organizations that believed they had remediated the issue remained compromised. The Shadowserver Foundation identified 379 organizations with active backdoors from that single vulnerability.
Types of zero-day vulnerabilities
Zero-days affect a wide range of software and hardware categories, but recent years have seen a pronounced shift in targeting. Google GTIG's 2025 zero-day review identified enterprise software and appliances as the most heavily targeted category, accounting for 48% of all zero-days exploited in 2025. Within that category, security products, VPN gateways, and network appliances, such as Fortinet, Ivanti, Cisco, and similar vendors, drew the most sustained exploitation.
End-user platform zero-days, covering browsers, operating systems, and mobile devices, remain common but have declined as a share of the total as vendors have invested in exploit mitigation technologies. Browser-based exploitation fell to historical lows in 2025 according to Google GTIG, while operating system vulnerabilities increased, particularly those enabling privilege escalation that allows attackers to move from a low-privilege foothold to full system control.
Supply chain zero-days represent a growing subcategory where the vulnerability exists in a third-party component, an open-source library, a dependency, or an integrated module rather than in the vendor's own code. The Ivanti EPMM vulnerabilities disclosed in 2025 (CVE-2025-4427 and CVE-2025-4428) were linked to open-source libraries integrated into the product, illustrating how a single third-party dependency can introduce a zero-day across every product that uses it. The Verizon 2025 DBIR noted that breaches involving third parties doubled year-over-year to 30% of all cases, with zero-day exploitation of shared components a contributing factor.
Why zero-day vulnerabilities are harder to detect
Standard detection tools compare observed activity against known threat signatures. A zero-day exploit, having never been seen before, generates no signature. It can enter a network through a pathway that security tools have been told is legitimate, such as a VPN authentication flow, a firewall management interface, or a remote access portal, because the tool is functioning as designed and the flaw has not yet been identified as a vulnerability at all.
Nation-state actors, who represent the most consistent zero-day developers and users according to Google GTIG's multi-year tracking data, deliberately engineer exploits to leave minimal forensic residue. The Ivanti zero-day campaign CISA investigated included a custom malware variant, SpawnSloth, that specifically tampered with device logs to erase evidence of exploitation, meaning standard log review would not reveal the compromise.
Commercial surveillance vendors compound detection difficulty further. Google GTIG found that commercial surveillance operators were increasingly improving their operational security practices in 2024 and 2025, leading to decreased attribution and detection. In 2025, commercial surveillance vendors overtook state-sponsored actors as the most attributed source of zero-day exploitation for the first time.
Best practices for defending against zero-day vulnerabilities
No defense eliminates zero-day exposure entirely, but several practices reduce the window of risk and limit the blast radius when exploitation occurs. Prioritizing patch deployment speed is foundational. Given that the median remediation time for edge device vulnerabilities was 32 days in the Verizon 2025 DBIR, while average exploitation timelines have collapsed to under a week, organizations that patch within days rather than weeks materially reduce their exposure window.
Network segmentation prevents an attacker who exploits a perimeter device from immediately accessing the systems behind it. Least-privilege access controls limit what a compromised account or device can reach. Continuous monitoring of network traffic, authentication events, and edge device behavior provides the behavioral visibility that signature-based tools alone cannot deliver.
Vulnerability management programs should integrate threat intelligence that tracks which vulnerabilities are actively exploited in the wild, not only which ones have been assigned high CVSS scores. The arXiv ZDI study found that severity scores do not always correlate with active exploitation risk, meaning organizations that prioritize purely on CVSS may deprioritize the exact vulnerabilities attackers are currently weaponizing.
For healthcare organizations, email remains the channel through which phishing campaigns gain the initial foothold that later enables exploitation of internal vulnerabilities. According to Paubox's 2026 Healthcare Email Security Report, phishing-driven mailbox takeovers exposed 630,000 individuals in 2025, providing the credential access that allows attackers to move toward vulnerable systems. Blocking phishing at the email layer with Paubox Inbound Email Security removes a primary delivery mechanism that zero-day campaigns depend on for initial network access.
In the news
In January 2025, CISA issued an emergency advisory warning that Ivanti Connect Secure VPN appliances were being actively exploited through a zero-day vulnerability, CVE-2025-0282, before a patch was available. CISA's investigation found that attackers, linked to a China-nexus espionage group, had deployed custom malware capable of harvesting credentials, creating unauthorized accounts, resetting passwords, and tampering with device logs to conceal the intrusion. Within weeks of the disclosure, the Shadowserver Foundation identified 379 organizations with active backdoors installed through the vulnerability. CISA advised organizations that had not yet patched to conduct full factory resets and treat any Ivanti device logs as potentially unreliable, a response that illustrated how fundamentally zero-day exploitation can undermine the assumption that security infrastructure is working as intended. Health-ISAC separately warned the healthcare sector about the campaign, citing the use of Ivanti appliances across hospitals and health networks.
FAQs
What is the difference between a zero-day vulnerability and a known vulnerability?
A known vulnerability has been publicly disclosed and typically has a CVE identifier and an available patch. A zero-day vulnerability is unknown to the vendor and has no patch at the time of exploitation. Attackers exploiting a zero-day face no race against a published fix; they operate in a window where every affected system is defenseless against that specific attack path.
Who discovers and uses zero-day vulnerabilities?
Security researchers, nation-state intelligence agencies, criminal organizations, and commercial surveillance vendors all discover and use zero-days. Google GTIG's 2025 analysis found commercial surveillance vendors overtook state-sponsored actors in attributed zero-day exploitation for the first time, showing how widely accessible these capabilities have become beyond traditional government programs.
Can patching software prevent zero-day attacks?
Patching addresses known vulnerabilities quickly, but it cannot prevent the exploitation of vulnerabilities the vendor has not yet discovered. Defense in depth, combining network segmentation, behavioral monitoring, least-privilege access, and email security, provides layers of protection that reduce exposure even when no patch exists.
How does zero-day exploitation affect healthcare organizations specifically?
Healthcare organizations often run internet-facing systems, including remote access gateways, patient portals, and email infrastructure. Vulnerabilities in these systems, particularly in widely used networking products, provide attackers with direct paths into networks holding protected health information. According to Paubox's 2025 Healthcare Email Security Report, many healthcare organizations rely on outdated technology that compounds their exposure to emerging vulnerabilities.
What should an organization do when a zero-day is disclosed affecting the software it uses?
Organizations should apply the vendor's patch immediately when available, implement any recommended workarounds in the interim, review behavioral logs for signs of prior exploitation, and isolate affected systems if active exploitation cannot be ruled out. CISA's Known Exploited Vulnerabilities catalog provides authoritative guidance on which vulnerabilities are actively being used against real targets and should be treated as a prioritization tool alongside standard CVSS scoring.
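As an added example (not code from the article or from Paubox), the Python script below ranks a scanner's findings the way the best-practices section and this answer recommend: known-exploited vulnerabilities first, CVSS second, and each finding's days of exposure compared against the roughly five-day time-to-exploit cited above. The feed layout mimics the field names of CISA's KEV JSON catalog, and all CVSS scores, dates and the CVE-0000-0001 entry are constructed sample values, not copied from the live catalog.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (field names assumed;
# entries and dates are illustrative, not copied from the live catalog).
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-0282", "dateAdded": "2025-01-08", "dueDate": "2025-01-15"},
    {"cveID": "CVE-2025-4427", "dateAdded": "2025-05-19", "dueDate": "2025-05-21"},
]})

# Constructed scanner inventory; CVE-0000-0001 is a placeholder for a
# high-severity finding that has not been seen exploited in the wild.
INVENTORY = [
    {"cve": "CVE-2025-0282", "cvss": 9.0, "disclosed": date(2025, 1, 8), "patched": False},
    {"cve": "CVE-0000-0001", "cvss": 9.8, "disclosed": date(2025, 5, 1), "patched": False},
    {"cve": "CVE-2025-4427", "cvss": 5.3, "disclosed": date(2025, 5, 13), "patched": False},
    {"cve": "CVE-2025-4428", "cvss": 7.2, "disclosed": date(2025, 5, 13), "patched": True},
]
TODAY = date(2025, 5, 20)  # constructed "current" date for the exposure calculation

def load_kev(feed_json):
    """Index a KEV-style feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def cvss_only(inventory):
    """The ordering a program that prioritizes purely on CVSS would use."""
    return [f["cve"] for f in sorted(inventory, key=lambda f: -f["cvss"]) if not f["patched"]]

def prioritize(inventory, kev, today, exploit_window_days=5):
    """Rank unpatched findings: known-exploited first, then CVSS, then age.
    Flags findings older than the ~5-day time-to-exploit the DBIR cites."""
    rows = []
    for f in inventory:
        if f["patched"]:
            continue
        entry = kev.get(f["cve"])
        exposure = (today - f["disclosed"]).days
        rows.append({
            "cve": f["cve"], "cvss": f["cvss"], "in_kev": entry is not None,
            "kev_due": entry["dueDate"] if entry else None,
            "exposure_days": exposure,
            "past_exploit_window": exposure > exploit_window_days,
        })
    rows.sort(key=lambda r: (not r["in_kev"], -r["cvss"], -r["exposure_days"]))
    return rows

if __name__ == "__main__":
    print("CVSS-only order:", cvss_only(INVENTORY))
    for row in prioritize(INVENTORY, load_kev(KEV_FEED), TODAY):
        print(row)
```

Running it shows the CVSS-only list putting the unexploited 9.8 placeholder first, while the KEV-aware ranking moves the two actively exploited Ivanti CVEs ahead of it and flags all three as past the exploitation window.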