A zero-day vulnerability is a security flaw that is unknown to the vendor or software developer (or known to them but not yet patched). Because the people who could fix it do not yet know about it, no patch exists, which gives an attacker who does know about it a window in which every exposed system is vulnerable. The term “zero-day” refers to the fact that the vendor has had zero days to resolve the problem.
Once attackers discover such a flaw and write code that abuses it, the result is a zero-day exploit. When that exploit is used in an intrusion it becomes a zero-day attack, often with significant consequences for the affected organisation.
Zero-day vulnerabilities may be uncovered by:
While researchers who follow coordinated disclosure report vulnerabilities to the vendor, others choose to sell them on underground markets, often on the dark web. Prices for high-value zero-days can reach hundreds of thousands of dollars, and sometimes millions.
Because a zero-day defeats signature-based defences and is hard to detect, zero-days are commonly reserved for targeted cyberattacks. Common outcomes include:
Though often associated with state-sponsored attacks, zero-days are also used against private businesses, especially those with valuable customer data or intellectual property.
Several high-profile breaches have highlighted the scale and impact of zero-day attacks:
The Stealth Falcon APT group exploited a Windows zero-day that abused the WebDAV protocol to run malware from an attacker-controlled server. A crafted `.url` shortcut pointed at a legitimate local Windows executable but set its working directory to a malicious WebDAV path, so when the victim opened the shortcut Windows loaded attacker-supplied files from that remote location. Because the process that started the chain was a trusted system binary, the activity attracted little suspicion from users or security controls. Microsoft patched the flaw in June 2025.
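The shortcut-to-WebDAV chain described above lends itself to a simple triage check. The Python script below is an added example written for this article (it is not code from the page, from Microsoft, or from the researchers who reported the flaw): it parses `.url` files, which are plain INI text with an `[InternetShortcut]` section, and flags any whose target is a local executable but whose `WorkingDirectory` or `IconFile` points at a WebDAV or UNC location. The remote-path patterns and the two sample shortcuts are constructed assumptions for illustration, not captured samples.

```python
"""Triage Windows .url (Internet Shortcut) files for the WebDAV-launch pattern:
a shortcut that targets a local executable but sets its working directory (or
icon) to a remote WebDAV/UNC location, so that opening it makes Windows fetch
attacker-controlled files from that server.

Added example for this article; not code from Microsoft or the researchers who
reported the flaw. The patterns and sample shortcuts are constructed assumptions.
"""
import configparser
import re
import sys
from typing import Dict, List

# Forms in which a WebDAV share is commonly referenced from Windows Explorer /
# ShellExecute (assumed coverage; extend as needed).
WEBDAV_PATTERNS = [
    (re.compile(r"^\\\\[^\\]+@(?:ssl|\d+)(?:\\|$)", re.I),
     "UNC host@port/@SSL form used by the WebDAV mini-redirector"),
    (re.compile(r"davwwwroot", re.I), "DavWWWRoot marker"),
    (re.compile(r"^https?://", re.I), "http(s) URL used where a directory is expected"),
    (re.compile(r"^\\\\"), "UNC path to a remote share"),
]

# Shortcut target that is a local executable (drive letter, optional file:/// prefix).
LOCAL_EXE = re.compile(
    r"^(?:file:///)?[a-z]:[\\/].*\.(?:exe|com|cmd|bat|scr|msi|dll)$", re.I)


def classify_path(value: str) -> List[str]:
    """Return the labels of every remote/WebDAV indicator matched by a path value."""
    value = value.strip().strip('"')
    return [label for pattern, label in WEBDAV_PATTERNS if pattern.search(value)]


def analyse_url_shortcut(text: str) -> Dict[str, object]:
    """Parse .url content (INI syntax, [InternetShortcut] section) and report
    whether it shows the local-executable-with-remote-working-directory pattern."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True)
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return {"valid": False, "error": str(exc), "findings": [], "suspicious": False}
    if not parser.has_section("InternetShortcut"):
        return {"valid": False, "error": "no [InternetShortcut] section",
                "findings": [], "suspicious": False}

    section = parser["InternetShortcut"]
    url = (section.get("URL") or "").strip()
    workdir = (section.get("WorkingDirectory") or "").strip()
    iconfile = (section.get("IconFile") or "").strip()

    findings: List[str] = []
    # A remote icon path alone is worth review: rendering the shortcut makes
    # Windows reach out to that host before anything is clicked.
    for field, value in (("WorkingDirectory", workdir), ("IconFile", iconfile)):
        for label in classify_path(value):
            findings.append(f"{field}: {label}")

    launches_local_exe = bool(LOCAL_EXE.match(url.strip('"')))
    remote_workdir = bool(classify_path(workdir))
    if launches_local_exe and remote_workdir:
        findings.append("URL: local executable launched from a remote working directory")

    return {
        "valid": True,
        "url": url,
        "working_directory": workdir,
        "icon_file": iconfile,
        "launches_local_exe": launches_local_exe,
        "remote_working_directory": remote_workdir,
        "findings": findings,
        # High-confidence verdict: exactly the chain the article describes.
        "suspicious": launches_local_exe and remote_workdir,
    }


# Constructed samples (not real captured shortcuts); 203.0.113.0/24 is a
# documentation range.
BENIGN_SHORTCUT = """[InternetShortcut]
URL=https://www.example.com/
"""

SUSPICIOUS_SHORTCUT = r"""[InternetShortcut]
URL=file:///C:/Windows/System32/notepad.exe
WorkingDirectory=\\203.0.113.10@80\DavWWWRoot\share
IconIndex=0
"""


def main(argv: List[str]) -> int:
    """Analyse the .url files given on the command line, or the built-in samples."""
    samples = {"benign (constructed)": BENIGN_SHORTCUT,
               "suspicious (constructed)": SUSPICIOUS_SHORTCUT}
    if argv:
        samples = {}
        for path in argv:
            with open(path, encoding="utf-8-sig", errors="replace") as fh:
                samples[path] = fh.read()
    for name, content in samples.items():
        result = analyse_url_shortcut(content)
        print(f"{name}: {'SUSPICIOUS' if result['suspicious'] else 'ok'}")
        for finding in result["findings"]:
            print(f"  - {finding}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with one or more `.url` paths (for example, everything under user Downloads and Outlook temp folders), or with no arguments to see the two constructed samples. A hit is a lead rather than proof of compromise: check whether the WebClient service was running on the host and what process the shortcut actually launched before escalating.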
Attackers exploited critical vulnerabilities in ConnectWise's ScreenConnect remote-support software, including an authentication bypass, which allowed unauthenticated access to the ScreenConnect server and the endpoints it managed. The exploitation posed significant risk, because a compromised ScreenConnect instance gives an attacker a ready-made channel to deploy ransomware and access confidential information.
A zero-day vulnerability in Progress Software's MOVEit Transfer file-transfer product was exploited at scale in mid-2023 by the Cl0p extortion group, leading to one of the most extensive data-theft campaigns of that year. Organisations worldwide, including many in the Asia-Pacific region, experienced data theft and operational disruption.
A critical zero-day vulnerability in Barracuda's Email Security Gateway (ESG) appliances was exploited from as early as October 2022 and publicly disclosed in May 2023. The threat actor, suspected of ties to China, compromised appliances through malicious email attachments and used them to conduct espionage against organisations globally; Barracuda ultimately advised affected customers to replace compromised appliances rather than patch them.
In early 2021 a group tracked as HAFNIUM, believed to be state-sponsored, exploited four zero-days in on-premises Microsoft Exchange Server to read mailboxes, steal credentials, and move laterally across corporate networks, impacting businesses around the world, including in Australia.
Unlike known threats, zero-days have no signature in antivirus definitions or public exploit databases, so signature-based firewalls, antivirus software, and intrusion detection systems often miss them. Detection usually relies on:
Even with these tools, identifying a zero-day attack in real time is difficult, and it often happens only after damage has been done.
While zero-day attacks can’t always be prevented, businesses can reduce their exposure and respond more effectively by:
When a zero-day attack leads to data being stolen or leaked, the dark web is often where the evidence first appears. This is where Rivanorth Oko, an AI-powered dark web monitoring platform, comes in.
Designed specifically for Australian businesses, Oko scans deep and dark web sources, closed forums, and illicit marketplaces for signs of:
By identifying threats early, Oko allows your team to act before stolen data spreads further.
Zero-day vulnerabilities will continue to challenge even the most secure environments. But with the right combination of tools, awareness, and proactive monitoring, including dark web protection, your business can detect threats earlier and respond faster.
In a climate of increasing cyber risk, early visibility is everything. Don’t wait until the breach hits the headlines.