How Zero-Day Exploits Work—and Why They Cost Millions
Zero-day exploits target software flaws unknown to vendors, leaving no time to patch. This explainer covers how they are discovered, weaponized, traded on shadowy markets, and ultimately defended against.
The Flaw Nobody Knows About
Every piece of software ships with bugs. Most are harmless. But occasionally a flaw exists that lets an attacker bypass security, steal data, or seize control of an entire system—and nobody on the defending side knows it is there. That flaw is called a zero-day vulnerability, and the code written to exploit it is a zero-day exploit. The name refers to the fact that the software vendor has had zero days to fix the problem because they do not yet know it exists.
Zero-days sit at the top of the cybersecurity threat hierarchy. Unlike known vulnerabilities, which can be patched, a zero-day offers attackers a window of opportunity with no immediate defense. According to Google's Threat Intelligence Group, 90 zero-day vulnerabilities were exploited in the wild in 2025 alone—up from 78 the previous year.
How a Zero-Day Is Born
The lifecycle begins during software development, when a coding error, design flaw, or oversight creates an exploitable weakness. The vulnerability may lie dormant for months or years until someone discovers it. That someone can be a security researcher, an automated scanning tool, or a malicious hacker.
What happens next depends on who finds it first. The lifecycle unfolds in six stages:
- Introduction — A flaw is inadvertently coded into the software.
- Discovery — A researcher or attacker identifies the weakness.
- Exploitation — If attackers find it first, they build and deploy an exploit before anyone else knows.
- Disclosure — The flaw is reported to the vendor (responsible disclosure) or exposed publicly.
- Patch release — The vendor develops and publishes a security update.
- Patch adoption — Organizations test and deploy the fix across their systems.
The gap between introduction and widespread patching—known as the vulnerability window—averages roughly 312 days, according to security research by Oligo. Even after a patch is released, organizations typically take 60 to 150 days to deploy it, leaving a long tail of exposure.
Who Buys and Sells Zero-Days
A thriving market exists for zero-day exploits, spanning legitimate brokers, governments, and criminal underground forums. Prices reflect the target's value and the exploit's reliability. A zero-click exploit capable of compromising an iPhone—requiring no user interaction at all—can fetch up to $7 million, according to pricing published by broker Crowdfense. Android equivalents command up to $5 million. Even a browser or email exploit can be worth $500,000.
Buyers include intelligence agencies seeking surveillance tools, commercial spyware vendors building products like Pegasus, and cybercriminal syndicates. Google's 2025 review found that commercial surveillance vendors surpassed traditional state-sponsored groups as the most prolific users of zero-days, while China-linked groups remained the most active among nation-state actors.
Why Traditional Defenses Fail
Conventional antivirus and intrusion-detection systems rely on signatures—known patterns of malicious code. A zero-day, by definition, has no signature yet. This makes it invisible to traditional scanners. Attackers prize zero-days precisely because they bypass the defenses organizations trust most.
The shift toward enterprise targets compounds the problem. In 2025, 48 percent of exploited zero-days targeted enterprise technologies—security appliances, VPNs, and networking equipment—which often lack the endpoint-detection tools installed on laptops and desktops.
How Organizations Fight Back
Since zero-days cannot be patched before they are known, defenders rely on layered strategies:
- Bug bounty programs — Companies like Google, Apple, and Microsoft pay security researchers to find and report flaws before criminals do. Google's Project Zero popularized the 90-day disclosure deadline, giving vendors a fixed window to patch before a vulnerability is made public.
- Behavioral detection — Instead of matching signatures, advanced security tools monitor for unusual behavior—unexpected network traffic, abnormal process execution, or privilege escalation—that may signal an unknown exploit.
- Zero-trust architecture — By verifying every user and device at every access point, organizations limit the damage an attacker can do even after breaching one system.
- Rapid patching — Shortening the gap between patch release and patch adoption remains one of the most effective—and most neglected—defenses.
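The behavioral-detection bullet above describes the idea in one sentence; the following Python is an added example (not code from the article or from any vendor named on it) that makes the contrast with signature matching concrete. It learns a baseline of normal parent/child process pairs, per-process network ports and processes that legitimately change privilege from a constructed set of workstation events, then flags later events that deviate from that baseline. The event format, the process names used as sample data and the three rule types are all assumptions made for the illustration; no exploit is referenced, only the side effects that an unknown exploit tends to produce.

```python
"""Toy behavioral detector: alerts on deviation from a learned baseline rather
than on a known-bad signature, so it can fire on an exploit nobody has seen yet.
All events below are constructed sample data, not captured telemetry."""
from collections import defaultdict

# Constructed baseline: a short window of "normal" activity on one workstation.
BASELINE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "child": "winword.exe", "user": "alice"},
    {"type": "process", "parent": "winword.exe", "child": "splwow64.exe", "user": "alice"},
    {"type": "process", "parent": "explorer.exe", "child": "chrome.exe", "user": "alice"},
    {"type": "network", "process": "chrome.exe", "dst_port": 443, "user": "alice"},
    {"type": "network", "process": "outlook.exe", "dst_port": 443, "user": "alice"},
    {"type": "privilege", "process": "msiexec.exe", "from": "alice", "to": "SYSTEM"},
]

# Constructed events to evaluate: one benign repeat of a baseline action, then
# a document viewer spawning a shell, that shell talking to the network, and
# the same shell moving from a user account to SYSTEM.
SUSPICIOUS_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "child": "chrome.exe", "user": "alice"},
    {"type": "process", "parent": "winword.exe", "child": "powershell.exe", "user": "alice"},
    {"type": "network", "process": "powershell.exe", "dst_port": 443, "user": "alice"},
    {"type": "privilege", "process": "powershell.exe", "from": "alice", "to": "SYSTEM"},
]


def learn_baseline(events):
    """Build the 'known good' model: which children each parent spawns, which
    ports each process uses, and which processes are allowed to escalate."""
    baseline = {"children": defaultdict(set), "net": defaultdict(set), "escalators": set()}
    for e in events:
        if e["type"] == "process":
            baseline["children"][e["parent"]].add(e["child"])
        elif e["type"] == "network":
            baseline["net"][e["process"]].add(e["dst_port"])
        elif e["type"] == "privilege":
            baseline["escalators"].add(e["process"])
    return baseline


def detect(events, baseline):
    """Return (rule, description) alerts for events that deviate from the baseline.
    Nothing here matches a signature: an unknown exploit that produces the same
    side effects is caught just as well as a known one."""
    alerts = []
    for e in events:
        if e["type"] == "process":
            # Abnormal process execution: a parent spawning a child it never has before.
            if e["child"] not in baseline["children"].get(e["parent"], set()):
                alerts.append(("abnormal_process", f"{e['parent']} spawned {e['child']}"))
        elif e["type"] == "network":
            # Unexpected network traffic: a process/port pair absent from the baseline.
            if e["dst_port"] not in baseline["net"].get(e["process"], set()):
                alerts.append(("unexpected_network", f"{e['process']} -> port {e['dst_port']}"))
        elif e["type"] == "privilege":
            # Privilege escalation by a process that is not a known installer/updater.
            if e["process"] not in baseline["escalators"]:
                alerts.append(("privilege_escalation", f"{e['process']} {e['from']} -> {e['to']}"))
    return alerts


if __name__ == "__main__":
    model = learn_baseline(BASELINE_EVENTS)
    for rule, detail in detect(SUSPICIOUS_EVENTS, model):
        print(f"[{rule}] {detail}")
```

Running the block prints three alerts for the suspicious events and none for the benign repeat. The weakness of this approach is the flip side of its strength: anything absent from the learning window (a newly installed tool, a software update that spawns a different helper process) also fires, so production tools pair a baseline like this with richer context and analyst tuning to keep false positives manageable.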
Zero-day exploits will never disappear entirely. As long as humans write code, flaws will exist. The race between attackers who discover them and defenders who patch them defines the frontline of modern cybersecurity—a contest measured not in months, but in hours.