What is a zero-day exploit, and why should you care?

A photograph of someone looking at their phone while sitting at their desk with a laptop.

Cybercrime is not limited to a single vulnerability or attack. As technology grows, so does the range of attacks performed by cybercriminals or "bad actors." Cyberattacks can range from stealing valuable data to shutting down entire systems.

These attacks can halt productivity, break client trust, damage reputations, and cause financial damage.

A zero-day exploit occurs when bad actors discover a security vulnerability and use it to attack users. In a zero-day exploit, no security patch exists to correct the vulnerability.

WEBIT Services has helped hundreds of clients create IT strategies and prepare against IT interruptions for over 25 years.

By reading this article, you will learn more about zero-day exploits and how to address them.

Why is it called "zero-day"?

The phrase "zero-day" essentially means there is no current fix for the vulnerability. The developer has had zero days to address the issue, as it was only just discovered.

Sometimes vulnerabilities exist within programming code or a newly released update.

When this vulnerability is discovered, it's called a "zero-day vulnerability." If that vulnerability is utilized to attack users, it's called a "zero-day exploit."

How are zero-day vulnerabilities discovered?

Zero-day vulnerabilities are discovered through one of three parties:

  • Developers and researchers employed by the software company
  • "Good guy" hackers, also known as "white hats"
  • Cybercriminals

Developers and researchers

Developers and researchers test the software coding to locate possible errors or vulnerabilities.

If a vulnerability is found, the developer will work on a security update to address the vulnerability. The goal is to find and address any vulnerabilities before cybercriminals can.

White hats

White hats are private citizens who "poke" at technologies in hopes of finding vulnerabilities. Once they do, they report it to the developer.

The developers often reward the white hat with a "bug bounty." White hats are compensated for finding and reporting the vulnerability without exploiting it.


Cybercriminals, also known as "bad actors" and "black hats," search for vulnerabilities to launch attacks on users. Then, they will use the vulnerability to break into the users' systems, stealing data or installing malware.

When cybercriminals use a zero-day vulnerability for an attack, it becomes an active zero-day exploit.

What software is at risk?

Cybercriminals will attack any user or vulnerability they find.

However, major operating systems and popular applications are frequently targeted. The more popular the software is, the more systems can be breached.

Zero-day exploits rarely occur within old, stable software. Instead, Zero-day vulnerabilities are more often found in new software updates. The more complicated the coding, the more complications, dependencies, and potential vulnerabilities exist.

Any software, operating system, application, or update may hold hidden vulnerabilities.

How are zero-day exploits addressed?

Zero-day vulnerabilities are addressed through new software security updates.

In a best-case scenario, a researcher or white hat alerts the developer of the vulnerability. In response, the developer works to correct the vulnerability through a security update.

Developing an update is not an easy or speedy task. Developers don't want a hasty update to create more problems or create additional risks.

If the vulnerability only exists in a recent update, the developer may advise that users revert to a previous software version.

For example, suppose a developer just released update 12 for their application, and a zero-day exploit occurs. In that case, they may advise users to revert to version 11 of the application or not to update to version 12 until a viable security patch is released.

However, the vulnerability may exist in all versions of the software. If so, the developer may advise users to remove the software or application from their system until a new security patch is released.

How can my IT provider help with zero-day exploits?

Quality IT providers or internal IT teams receive reports from reputable channels (i.e., research presented by developers or security experts) warning them of newly discovered zero-day exploits.

These reports also include a recommended course of action to prevent security breaches and attacks through zero-day vulnerabilities.

Unfortunately, IT providers do not own the source code or software that may have a zero-day exploit. As a result, they cannot create security patches or edit the software code independently. Instead, they are reliant on the original developer.

For example, your IT provider can't fix the zero-day vulnerability in a Microsoft Office update. This is because they don't have the authority to access the patented software source code. Instead, IT providers must wait for Microsoft to develop and release a new update.

Once a viable update is released, your IT provider or team will apply it to resolve the vulnerability.

Communicating risk and response regarding zero-day exploits

Your IT provider should alert you of the vulnerability and how they plan to address it. Typically, response plans follow instructions from the developer.

For example, you may receive a message, "We are aware of a zero-day exploit occurring within application X. Based on the developer's advice, we have removed the application from your system until a security patch is released."

In addition, if your system does not have the attacked application, your IT provider should let you know to put your mind at ease.

If that's the case, you may receive a message like, "We are aware of the zero-day exploit attack through application X. This application is not installed on your system. Therefore, at this time, this particular zero-day exploit does not pose a risk to us."

Some zero-day exploit attacks are significant enough to garner media attention. In those instances, having your IT provider communicate awareness and an action plan is assuring.

Next steps for addressing zero-day exploits

Zero-day exploits occur when a cybercriminal discovers and abuses a zero-day vulnerability.

Unfortunately, these vulnerabilities are not known by the software developer, and therefore, no solution has yet been created. Once a zero-day exploit occurs, the developer must quickly create a new security patch to seal the vulnerability.

Otherwise, zero-day vulnerabilities are found by software researchers or white hats and addressed through security updates before criminals take advantage of them.

IT providers or internal IT teams should openly communicate when a relevant zero-risk exploit occurs and the developer's recommendations to address the issue. This may include removing an application or reverting to a previous software version until a security update is released.

It is a red flag if your IT provider is unaware of or communicating relevant zero-day exploits to their clients. These exploits can cause significant risk and damage and should be discussed.

WEBIT Services has helped hundreds of clients in the greater Chicago area over the last 25 years.

If you are looking for a new IT provider, schedule a free 30-minute consultation to see if WEBIT can help.

If you're not ready to make a commitment but would like to learn more about IT risk and IT partnerships, we recommend the following articles: