
A zero-day vulnerability is a security flaw that is unknown to the vendor or software developer. Because no one is yet aware of the issue, there are no fixes or patches available, giving attackers a unique opportunity to strike. The term “zero-day” refers to the fact that developers have had zero days to resolve the problem.
Once discovered by attackers, a vulnerability can be turned into a zero-day exploit. If this exploit is used in a cyberattack, it becomes a zero-day attack, often with significant consequences for the affected organisation.
How Are Zero-Day Vulnerabilities Discovered?
Zero-day vulnerabilities may be uncovered by:
- Ethical hackers and researchers, often through bug bounty programmes or penetration testing
- Cybercriminals, who may use them for data theft, ransomware, or financial gain
- Nation-state actors, using them as tools for surveillance or cyber warfare
While responsible researchers disclose vulnerabilities to vendors, others may choose to sell them on underground markets, often found on the dark web. Prices for high-value zero-days can reach hundreds of thousands, sometimes millions.
How Are Zero-Days Used by Attackers?
Because zero-days bypass traditional security defences and are difficult to detect, they are commonly used in targeted cyberattacks. Common outcomes include:
- Gaining unauthorised access to corporate systems
- Stealing confidential data, such as credentials or financial records
- Installing malware or spyware
- Taking control of systems for further lateral movement
Though often associated with state-sponsored attacks, zero-days are also used against private businesses, especially those with valuable customer data or intellectual property.
Real-World Examples of Zero-Day Exploits
Several high-profile breaches have highlighted the scale and impact of zero-day attacks:
Windows WebDAV (2025)
The Stealth Falcon APT group exploited a Windows zero-day vulnerability that abused the WebDAV protocol to execute malware remotely. By tricking Windows into running executables from a malicious WebDAV path via crafted `.url` files, attackers were able to bypass security controls and deploy payloads without user suspicion. Microsoft patched the flaw in June 2025.
ConnectWise ScreenConnect (2024)
Attackers exploited critical vulnerabilities in ConnectWise's ScreenConnect software, which allowed unauthorised access to sensitive systems. The exploitation posed significant risks, potentially enabling attackers to deploy ransomware and access confidential information.
MOVEit (2024)
A zero-day vulnerability in the MOVEit Transfer software was exploited by ransomware actors, leading to one of the most extensive data breaches in 2024. The Asia-Pacific region was significantly affected, with numerous organisations experiencing data theft and operational disruptions.
Barracuda Email Security Gateway (2023)
A critical zero-day vulnerability in Barracuda's Email Security Gateway was exploited as early as October 2022 and publicly disclosed in May 2023. The threat actor, with suspected ties to China, targeted organisations globally to conduct espionage activities.
Microsoft Exchange Server (2021)
A group known as HAFNIUM, believed to be state-sponsored, exploited four zero-days to access email accounts, steal credentials, and move laterally across corporate networks, impacting businesses around the world, including in Australia.
Why Are Zero-Days So Hard to Detect?
Unlike known threats, zero-days do not appear in virus definitions or known exploit databases. They often bypass firewalls, antivirus software, and intrusion detection systems. Detection usually relies on:
- Behavioural analysis to flag unusual activity
- Heuristic-based scanning
- Threat intelligence feeds and proactive monitoring
Even with these tools, identifying a zero-day in real time is difficult and often only happens after damage has been done.
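Behavioural and heuristic detection is easier to picture with a concrete rule. The example below is added here and is not Rivanorth's code or anything from the page: it takes the pattern from the Windows WebDAV case above (executables launched from a remote WebDAV path) and turns it into a heuristic over process-creation records. The log format, the host and user names, and the IP address are all constructed for the example; the `\\host@port\...` and `DavWWWRoot` conventions are the standard forms the Windows WebDAV client uses for UNC paths. Plain UNC shares are reported at a lower severity because an internal file server may legitimately host tools.

```python
"""Heuristic detector (added example, not Rivanorth's code): flag process
launches whose executable lives on a remote WebDAV or UNC share.

Input records are constructed, Sysmon-style process-creation lines:
    <timestamp> host=<name> user=<name> image=<path> parent=<path>
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real data). Two launches come from a
# WebDAV share, one from an ordinary internal file share, two are local.
SAMPLE_LOG = r"""
2025-06-10T09:14:02Z host=WS01 user=alice image=C:\Windows\System32\notepad.exe parent=C:\Windows\explorer.exe
2025-06-10T09:15:11Z host=WS01 user=alice image=\\203.0.113.10@80\DavWWWRoot\update\svc.exe parent=C:\Windows\explorer.exe
2025-06-10T09:16:40Z host=WS02 user=bob image=\\fileserver\share\tools\putty.exe parent=C:\Windows\explorer.exe
2025-06-10T09:17:05Z host=WS02 user=bob image=\\203.0.113.10@SSL\DavWWWRoot\update\svc.exe parent=C:\Windows\explorer.exe
2025-06-10T09:18:30Z host=WS03 user=carol image=C:\Program Files\Git\git.exe parent=C:\Windows\System32\cmd.exe
""".strip()

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"image=(?P<image>.+?) parent=(?P<parent>.+)$"
)
# UNC path: \\<host segment>\<rest>; the rest is optional.
UNC_PATH = re.compile(r"^\\\\([^\\]+)(?:\\(.*))?$")
# Windows WebDAV client conventions: \\host@80\..., \\host@SSL\..., or a
# DavWWWRoot path component.
WEBDAV_HOST_SUFFIX = re.compile(r"@(\d+|ssl)$", re.IGNORECASE)
DAV_ROOT_SEGMENT = re.compile(r"(^|\\)DavWWWRoot(\\|$)", re.IGNORECASE)

SEVERITY = {"webdav": "high", "unc": "medium"}


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    image: str
    parent: str
    severity: str  # "high" for WebDAV-hosted images, "medium" for other UNC shares


def classify_image_path(path: str) -> str:
    """Return "webdav", "unc" or "local" for an executable path."""
    m = UNC_PATH.match(path)
    if not m:
        return "local"
    host, rest = m.group(1), m.group(2) or ""
    if WEBDAV_HOST_SUFFIX.search(host) or DAV_ROOT_SEGMENT.search(rest):
        return "webdav"
    return "unc"


def scan_log(text: str) -> list[Alert]:
    """Parse process-creation records and return one Alert per remote launch."""
    alerts: list[Alert] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable record; a real pipeline would count these
        kind = classify_image_path(m["image"])
        if kind == "local":
            continue
        alerts.append(
            Alert(m["ts"], m["host"], m["user"], m["image"], m["parent"], SEVERITY[kind])
        )
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.timestamp} {alert.host}/{alert.user} "
              f"launched {alert.image} from {alert.parent}")
```

The rule needs no signature for the underlying flaw, which is the point of behavioural detection: it fires on the effect (a binary executing from a WebDAV share) rather than on a known exploit. In production the same logic would run over endpoint telemetry rather than a string, and the "unc" tier would typically be filtered against an allowlist of known internal file servers.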
Steps Australian Businesses Can Take
While zero-days can’t always be prevented, businesses can reduce their exposure and respond more effectively by:
- Keeping systems and applications updated as soon as patches are released
- Segmenting networks to restrict movement if an endpoint is compromised
- Investing in threat intelligence to stay aware of emerging risks
- Monitoring the dark web for signs of leaked credentials, sensitive data, or zero-day chatter
Proactive Dark Web Monitoring
When zero-day attacks lead to data being stolen or leaked, the dark web is often where the evidence first appears. This is where Rivanorth Oko, an AI-powered dark web monitoring platform, comes in.
Designed specifically for Australian businesses, Oko scans deep and dark web sources, closed forums, and illicit marketplaces for signs of:
- Leaked credentials or emails
- Sensitive documents or corporate data
- Discussions of exploits or attack tools targeting your sector and even your company
By identifying threats early, Oko allows your team to act before stolen data spreads further.
Stay Ahead of Zero-Day Threats
Zero-day vulnerabilities will continue to challenge even the most secure environments. But with the right combination of tools, awareness, and proactive monitoring, including dark web protection, your business can detect threats earlier and respond faster.
In a climate of increasing cyber risk, early visibility is everything. Don’t wait until the breach hits the headlines.