A zero-day is a vulnerability that's being exploited before the vendor knows it exists, or before a patch is available. The "zero" is the number of days defenders have had to react.
The three states
The phrase gets used loosely. To be precise:
- Zero-day vulnerability — a flaw the vendor doesn't know about.
- Zero-day exploit — working code that exploits the above.
- Zero-day attack — that exploit being used against real targets in the wild.
A vulnerability stops being a zero-day once the vendor knows about it and a fix is available. From that point it is an n-day, where n counts the days since the patch shipped: still exploitable on every system that hasn't applied the fix, but defenders now have something to deploy.
Who finds them
- Researchers who disclose responsibly — private notification to the vendor, coordinated disclosure once the patch ships.
- Bug bounty programs — paid disclosure through HackerOne, Bugcrowd, or vendor-run programs.
- Government and intelligence services — finding and sometimes stockpiling for offensive use. EternalBlue, the NSA exploit leaked by the Shadow Brokers and reused in WannaCry, is the canonical cautionary tale.
- Exploit brokers and criminal markets — brokers like Zerodium have publicly advertised seven-figure payouts for working exploit chains, and the same goods change hands on underground markets.
- Attackers themselves — APTs sometimes develop their own.
How to know it's being exploited
The signal usually shows up in one of three places:
- A vendor advisory marking the CVE as "exploited in the wild".
- CISA adding the CVE to the KEV catalog.
- CTI reporting from incident-response firms describing observed exploitation against named victims.
The window between disclosure and mass exploitation has shrunk dramatically. For some classes of bug (web-app, network-edge appliances), automated scanning starts within hours of a patch dropping. For others (memory-corruption in less-juicy targets), it can take weeks.
Why the "exploited in the wild" badge matters
Most CVEs are never exploited. CVSS gives a vulnerability its theoretical severity. Exploitation status tells you whether that theory has met reality yet. For most estates, a CVSS 9.8 that nobody is exploiting is a lower priority than a CVSS 7.2 that's in the KEV catalog.
What to do when one drops
- Confirm whether the affected product is in your environment, and at what versions.
- Check exposure — is it internet-facing or behind segmentation?
- Apply the vendor mitigation immediately, even if the patch isn't ready yet. Many vendor advisories ship workarounds (disable a feature, restrict a port, add an access rule) that close the exposure while you wait.
- Hunt for indicators of past exploitation. If you're affected and exposed, assume you were probed.
- Watch your CTI feed for IOCs as they come out, and plug them into the SIEM.
ThreatCluster surfaces actively-exploited CVEs on the exploits hub with KEV, EPSS, public PoC availability, and related actor activity all in one view per CVE.