Zero-Day Vulnerability
A software flaw unknown to the vendor — and therefore unpatched — that attackers can exploit before any fix is available.
Also known as: 0-day, zero-day exploit, unpatched vulnerability
Last reviewed: 1 June 2026
A zero-day vulnerability (often shortened to '0-day') is a security flaw that the software vendor, operating system developer, or affected organisation has had 'zero days' to address because it is either unknown to them or has only just been discovered. Until a patch is released and deployed, all users running the vulnerable software are exposed.
Zero-days are highly valued in both criminal and nation-state hacking communities. They are traded on underground markets, used in targeted attacks against governments and corporations, and deployed in sophisticated espionage campaigns. Well-funded threat actors — including state-sponsored groups — may sit on zero-days for extended periods, using them only against high-value targets to avoid triggering detection and patching.
For everyday users, zero-day risk is best mitigated by enabling automatic updates (so patches deploy as soon as they become available), using reputable security software with behavioural detection that can catch novel exploits, and reducing attack surface by uninstalling unused software and browser plugins.
Examples
- Attackers exploit an undisclosed flaw in a widely used VPN product to gain access to corporate networks before a patch is issued.
- A previously unknown browser vulnerability is used in a drive-by download campaign targeting journalists.