What Is a Zero-Day? And Why Should Your Business Care?
You've seen the term in headlines. Log4Shell. MOVEit. Exchange. Here's what a zero-day actually is, why it matters even if you're not a tech company, and what you can do about a threat you can't see coming.
#You've seen the headlines. Now let's understand them.
Every few weeks, another headline rolls through: "Critical zero-day exploited in the wild." "Nation-state actors leveraging zero-day vulnerabilities." "Thousands of organizations breached through zero-day attack."
If you're running a business and those words don't mean anything concrete to you, that's a problem. Not because you need to become a security researcher. But because zero-days are the reason your patching schedule, your firewall, and your antivirus can all be doing their jobs perfectly and you can still get breached.
Let me break it down.
#What "zero-day" actually means.
A zero-day is a software flaw that nobody knows about -- or at least, nobody who can fix it. The vendor hasn't released a patch. Your IT provider hasn't heard of it. Your antivirus doesn't have a signature for it. The "zero" refers to the number of days defenders have had to respond: zero.
The term actually covers three related things:
The vulnerability. A bug in the software. A door that shouldn't be there.
The exploit. Code that opens that door. Weaponized and ready to use.
The attack. Someone walking through the door and taking what they want.
When all three exist at the same time and the vendor hasn't released a fix, you're in the zero-day window. And during that window, traditional patch-based defenses are useless. You can't patch what doesn't have a patch.
#The lifecycle of a zero-day.
Here's how it plays out:
1. Discovery. Someone finds the flaw. Could be a security researcher who reports it responsibly. Could be a nation-state intelligence unit that's been looking for it for months. Could be a criminal group that bought it from an exploit broker. A single high-severity browser or OS exploit can sell for millions on gray markets.
2. The zero-day window. The flaw is being exploited in the wild and there is no fix. Defenders are blind. Your security tools don't know to look for it. This phase can last days, weeks, or months.
3. Public disclosure. The flaw becomes known. A CVE gets assigned. The vendor starts working on a patch. But here's the part that surprises people: exploitation often accelerates at this point. Once the details are public, every attacker on the planet can weaponize them. The flaw is now an "n-day" -- known but unpatched -- and the race begins.
4. Patch and deploy. The vendor releases a fix. Now you're in a foot race to apply it before attackers get to you. If you've read our coverage of CVE-2026-0300 hitting Palo Alto firewalls or CVE-2026-34908 exposing 100,000 UniFi devices, you know how fast that race moves. Hours, not weeks.
#This isn't theoretical. Look at the track record.
Log4Shell (December 2021). A remote code execution vulnerability in Log4j, a logging library used in hundreds of thousands of applications. Mass exploitation began within hours of disclosure. Hours. If your business ran any Java-based application -- and many did without knowing it -- you were exposed. The library was so deeply embedded in software supply chains that many organizations didn't even realize they were running it.
MOVEit Transfer (May 2023). A SQL injection zero-day in a managed file-transfer tool. A ransomware group exploited it to steal data from thousands of organizations before anyone had a chance to patch. Law firms, healthcare systems, government agencies, financial institutions. One vulnerability. Thousands of victims. If you used MOVEit or your vendors did, your data was at risk.
Microsoft Exchange (2026). We covered CVE-2026-42897 -- a zero-day where opening a crafted email in Outlook Web Access was enough for an attacker to run code in your browser. No patch at the time of disclosure. If you run Exchange on-prem, that was your problem.
Ivanti EPMM. Four governments were breached through zero-days in a mobile device management product. The Dutch data authority. The European Commission. Finland. All hit before patches existed. CVSS 9.8.
Industry trackers recorded roughly 75 zero-days exploited in the wild in 2024 and about 90 in 2025. That's not a spike. That's the baseline. This is the normal volume of threats that bypass traditional defenses.
#"We're not a tech company. Why does this affect us?"
Because you run software. That's it. That's the whole reason.
You run a firewall. You run email. You run a web browser. You run an operating system. You run cloud applications. You probably run a dozen SaaS tools your team signed up for. Every single one of those is built on software, and any one of them can have a zero-day.
MOVEit wasn't a "tech company" product. It was a file transfer tool used by HR departments, accounting firms, and healthcare providers. Log4j wasn't something people chose to install. It was buried inside other software they were already running. The Gogs zero-day hit self-hosted code repositories -- the kind a small dev shop might spin up on a Friday afternoon.
Internet-facing systems are the highest-value targets: VPNs, firewalls, remote access tools, and managed file-transfer products. If you have anything exposed to the internet (and you do), you're in scope.
#What to do about a threat you can't see coming.
You can't patch a zero-day. By definition, the patch doesn't exist yet. So the question isn't "how do I prevent zero-days?" It's "how do I survive one?"
1. Patch everything else immediately. The majority of breaches don't use zero-days. They use known vulnerabilities that you haven't patched yet. 87% of breaches involve stolen credentials, not exotic exploits. Close the doors you know about, so when a zero-day opens a new one, it's the only problem you're dealing with. Subscribe to CISA's Known Exploited Vulnerabilities Catalog and treat every entry as a P1.
2. Reduce your attack surface. Every internet-facing service is a potential target. Disable what you don't need. Restrict access to admin panels. Put management interfaces behind a VPN. The 600 firewalls compromised in one wave weren't hit with a zero-day -- their admin panels were just sitting on the open internet. Don't give attackers a target they don't need to have.
3. Run endpoint detection and response (EDR), not antivirus. Antivirus looks for known threats. EDR watches for suspicious behavior: mass file encryption, unusual privilege escalation, lateral movement across your network. When a zero-day exploit runs on a system, it still has to do something once it's in. EDR catches the behavior even when it can't identify the exploit.
4. Segment your network. If an attacker compromises one system through a zero-day, segmentation determines whether they get that one system or your entire network. Separate your guest Wi-Fi from your business network. Isolate IoT devices. Keep backups on a network segment that production systems can't reach.
5. Enforce least privilege and MFA everywhere. Zero-day exploits often need to escalate privileges to do real damage. If your accounts only have the access they actually need, and every one of them requires phishing-resistant MFA, the blast radius of any single compromise shrinks dramatically.
6. Monitor and log everything. You can't prevent a zero-day, but you can detect the aftermath. Unusual login patterns, unexpected network connections, new admin accounts, mass data access -- these are the signals. If nobody's watching, the attacker completes their mission before you know they're there. Dwell time is down to 5 days. That's your window to catch them.
7. Have an incident response plan. When a zero-day hits your industry, you need to know what to do before the panic sets in. Who isolates systems. Who contacts vendors. Who communicates with clients. If you don't have that plan, a zero-day disclosure becomes chaos instead of a controlled response.
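Step 1 above says to treat every CISA KEV entry as a P1. As an added example (not code from this post or from CISA), the script below matches a software inventory against the KEV feed's JSON layout and ranks the hits by ransomware linkage and due date. The feed excerpt, the inventory, and the exact vendor/product string matching are constructed assumptions; only the MOVEit CVE is a real entry.

```python
"""Match a software inventory against a CISA KEV feed and rank the hits.

Added example for this post, not CISA's or any vendor's code. The real feed
lives at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json;
the excerpt below is constructed for offline use and mirrors its field names.
"""
import json
from datetime import date

# Constructed feed excerpt. CVE-2023-34362 (MOVEit) is real; the second entry
# is a placeholder ID, not a real CVE.
KEV_SAMPLE = json.dumps({
    "catalogVersion": "2023.06.10",
    "vulnerabilities": [
        {"cveID": "CVE-2023-34362", "vendorProject": "Progress",
         "product": "MOVEit Transfer", "dateAdded": "2023-06-02",
         "dueDate": "2023-06-23", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0000", "vendorProject": "ExampleVendor",
         "product": "Example VPN", "dateAdded": "2023-06-10",
         "dueDate": "2023-07-01", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: what your asset list says is running, and where.
INVENTORY = [
    {"vendor": "Progress", "product": "MOVEit Transfer", "host": "ft01"},
    {"vendor": "Microsoft", "product": "Exchange Server", "host": "mail01"},
]


def load_kev(feed_json: str) -> list[dict]:
    """Parse the feed and return its vulnerability entries."""
    return json.loads(feed_json)["vulnerabilities"]


def match_inventory(kev: list[dict], inventory: list[dict], today_iso: str) -> list[dict]:
    """One finding per (host, KEV entry) match; ransomware-linked and overdue first."""
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        for entry in kev:
            if (entry["vendorProject"].casefold() == asset["vendor"].casefold()
                    and entry["product"].casefold() == asset["product"].casefold()):
                due = date.fromisoformat(entry["dueDate"])
                findings.append({"host": asset["host"], "cve": entry["cveID"],
                                 "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                                 "overdue": today > due, "days_left": (due - today).days})
    findings.sort(key=lambda f: (not f["ransomware"], not f["overdue"], f["days_left"]))
    return findings


if __name__ == "__main__":
    for finding in match_inventory(load_kev(KEV_SAMPLE), INVENTORY, "2023-06-30"):
        print(finding)
```

Point the loader at the live feed and your real asset list, and anything that comes back with `overdue` set is the P1 queue for that day.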
#The bottom line.
Zero-days aren't going away. The volume is steady at 60-100 per year, and it's not decreasing. You will use software that has a zero-day vulnerability at some point. The question is whether your business is built to survive it.
You don't need a SOC with 50 analysts. You need the fundamentals done right: patching, segmentation, detection, least privilege, MFA, backups, and a plan. These are the same things that protect you from every other kind of attack. A zero-day just tests whether you actually did them.
If you're not sure where you stand, start with a security assessment. We'll tell you what's exposed, what's urgent, and what to do first. No pitch, no pressure. Just the truth about your security posture.
#Further reading
- CISA Known Exploited Vulnerabilities Catalog - the authoritative list of what's being actively exploited right now
- CISA: CL0P Exploitation of MOVEit CVE-2023-34362 - case study of a zero-day campaign at scale
- CIS Controls v8 - prioritized security actions; Implementation Group 1 is your starting point
- NIST Cybersecurity Framework - the gold standard framework for building resilient security programs