Zero-Day
What is a Zero-Day Attack?
A zero-day attack targets a software vulnerability that is unknown to the vendor, the security community, or users at the time it is exploited. The term “zero-day” refers to the lack of warning—developers have had zero days to fix the flaw before it is weaponized. These attacks often strike before there is public awareness or any available defense.
Unlike known vulnerabilities, which can be mitigated with patches or configuration changes, zero-day flaws are exploited in secret. Once attackers discover one, a race begins: they move to cause maximum damage before defenders detect the threat and issue a fix.
Zero-Day Attack Overview
Zero-day attacks are especially dangerous because they exploit flaws that lack existing signatures, patches, or detection methods. This gives attackers a critical window to infiltrate systems, steal data, or deploy malware—often without raising alarms.
Threat actors who use zero-day exploits range from cybercriminal groups conducting ransomware campaigns to state-sponsored adversaries seeking sensitive information or infrastructure sabotage. Once inside a network, attackers can escalate privileges, exfiltrate data, and maintain a foothold for future access.
DNS-layer defenses can reduce exposure by blocking communication with attacker infrastructure—such as malicious domains used in command-and-control (C2) channels or distributed via domain generation algorithms (DGAs)—even before the underlying exploit is known.
Types of Zero-Day Exploits
Exploits are typically developed before any public patch exists, allowing attackers to maximize stealth and impact. They often fall into these categories, though exploitation types are nearly limitless:
- Remote Code Execution (RCE) – Enables attackers to run arbitrary code on target systems remotely.
- Privilege Escalation – Exploits flaws that allow unauthorized access to higher system privileges.
- Memory Corruption – Includes buffer overflows and use-after-free errors that allow manipulation of system memory.
- Web Application Vulnerabilities – Targets flaws like cross-site scripting (XSS) or injection bugs in public-facing applications.
Causes of Zero-Day Attacks
Even well-developed software can contain hidden flaws.
Zero-day vulnerabilities arise due to:
- Undiscovered coding errors in software, libraries, or operating systems
- Outdated or unpatched third-party components bundled in applications
- Inadequate secure development lifecycle (SDL) practices
- Independent discovery by attackers before researchers or vendors become aware
Some attackers actively seek out zero-day flaws to exploit or sell—especially in campaigns involving espionage, financial theft, or disruption.
Effects of Zero-Day Attacks
When successful, zero-day attacks can have significant consequences:
- Unauthorized access to systems or critical infrastructure
- Deployment of malware or ransomware
- Theft of intellectual property or sensitive data
- Regulatory penalties and compliance risk due to undetected breaches
- Brand and reputational damage
- Financial loss due to cost of system recovery or wire fraud
Because these threats emerge without warning, organizations must rely on proactive, adaptive defenses.
DNSFilter helps reduce the blast radius of zero-day attacks by blocking access to malicious infrastructure before connections are made. Its machine learning models inspect DNS traffic in real time, identifying suspicious domains—even those never seen before. By disrupting C2 communications or preventing payload delivery, DNS filtering plays a key role in stopping zero-day campaigns before they escalate.
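The DNS-layer defense described above, blocking known attacker infrastructure and spotting domain-generation-algorithm (DGA) style names before any exploit signature exists, can be illustrated with a small detector run over query logs. The following is an added example written for this page, not DNSFilter's product code or models. The log format, the sample log lines, the placeholder blocklist entry bad-c2-placeholder.net, and the scoring thresholds are all constructed assumptions.

```python
"""Toy DNS-layer detector for a query log: block names under known-bad
infrastructure, flag DGA-looking labels, allow the rest.
Added illustration; not DNSFilter code."""
import math
import re
from collections import Counter

# Constructed sample query log (not real traffic). Format: timestamp client qname qtype
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.12 www.example.com A
2024-05-01T10:00:02Z 10.0.0.12 cdn.example.net AAAA
2024-05-01T10:00:03Z 10.0.0.15 x7k2q9w4p1z8mv3n.com A
2024-05-01T10:00:04Z 10.0.0.15 update.bad-c2-placeholder.net A
2024-05-01T10:00:05Z 10.0.0.20 mail.example.com MX
2024-05-01T10:00:06Z 10.0.0.15 a1b2c3d4e5f6g7h8i9j0.info A
"""

# Constructed blocklist; "bad-c2-placeholder.net" is a placeholder, not a real indicator.
BLOCKLIST = {"bad-c2-placeholder.net"}

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking DGA labels score near log2(alphabet size)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def labels_of(qname: str) -> list[str]:
    return qname.rstrip(".").lower().split(".")


def blocklisted(qname: str) -> bool:
    """True if the name itself or any parent domain is on the blocklist."""
    labels = labels_of(qname)
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def dga_features(qname: str) -> dict:
    """Features of the second-level label. Assumption: no public-suffix list,
    so names like example.co.uk would be mis-split; acceptable for illustration."""
    labels = labels_of(qname)
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    digits = sum(ch.isdigit() for ch in sld)
    vowels = sum(ch in "aeiou" for ch in sld)
    return {
        "label": sld,
        "length": len(sld),
        "entropy": shannon_entropy(sld),
        "digit_ratio": digits / len(sld) if sld else 0.0,
        "vowel_ratio": vowels / len(sld) if sld else 0.0,
    }


def looks_like_dga(qname: str) -> bool:
    """Heuristic thresholds (constructed, not tuned on real data)."""
    f = dga_features(qname)
    if f["length"] < 12:
        return False
    return f["entropy"] >= 3.5 or f["digit_ratio"] >= 0.3 or f["vowel_ratio"] < 0.2


def classify(qname: str) -> tuple[str, str]:
    """Return (verdict, reason): block known-bad, flag DGA-like, allow the rest."""
    if blocklisted(qname):
        return "block", "blocklisted infrastructure"
    if looks_like_dga(qname):
        return "flag", "dga-like label"
    return "allow", "no indicator"


def analyze_log(log_text: str) -> list[dict]:
    """Parse each log line and attach a verdict; malformed lines are skipped."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        verdict, reason = classify(m["qname"])
        results.append({"client": m["client"], "qname": m["qname"],
                        "verdict": verdict, "reason": reason})
    return results


def clients_with_findings(results: list[dict]) -> dict:
    """Clients that queried blocked or flagged names, with counts, for triage."""
    return dict(Counter(r["client"] for r in results if r["verdict"] != "allow"))


if __name__ == "__main__":
    findings = analyze_log(SAMPLE_LOG)
    for r in findings:
        print(f'{r["verdict"]:5} {r["client"]:10} {r["qname"]}  ({r["reason"]})')
    print("clients to triage:", clients_with_findings(findings))
```

The blocklist check matches parent domains, so a never-before-seen subdomain of known attacker infrastructure is still blocked, and the DGA heuristic catches random-looking labels that no list has yet recorded. In practice the thresholds would be replaced by a trained model and the blocklist by live threat intelligence, but the two-stage shape (known-bad first, then anomaly scoring) is the part worth understanding.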
What’s the Difference Between Zero-Day and Other Vulnerabilities?
| Vulnerability Type | Description |
| --- | --- |
| Zero-Day | Unknown to the vendor; no patch exists; actively exploited. |
| Day-One | A known vulnerability for which a patch or fix exists but has not yet been applied. |
| Known CVEs | CVE stands for Common Vulnerabilities and Exposures; these are publicly documented vulnerabilities with available fixes. |
| Misconfigurations | Improper settings (e.g., open ports, weak permissions), which are often easier to detect and correct. |
Zero-day threats stand out because they combine stealth with urgency—forcing defenders to react in real time to a threat they may not yet fully understand.
Zero-Day Attack Statistics
- 75 zero-day vulnerabilities were exploited in 2024, according to the Google Threat Intelligence team. This continues a gradual upward trend in exploitation observed since 2020. (Source: Mandiant, via Google Cloud Blog)
- 44% of zero-days exploited in 2024 targeted enterprise-specific technologies, up from 37% in 2023. Many of these focused on security and networking products—reflecting attackers' growing interest in compromising foundational infrastructure. (Source: Mandiant, via Google Cloud Blog)
- 56% of zero-day vulnerabilities in 2024 targeted end-user platforms, including browsers, mobile devices, and desktop operating systems. DNS-layer security can help stop these attacks by blocking new and malicious domains that exploit delivery infrastructure or command-and-control channels before damage occurs. (Source: Mandiant, via Google Cloud Blog)
Examples of Zero-Day Attacks in Action
Zero-day attacks don’t follow a single pattern—but they often unfold with speed, stealth, and precision. After discovering a vulnerability, attackers craft tools or malware to exploit it before a patch exists. They may scan the internet for targets, deploy phishing campaigns, or bypass traditional defenses without triggering alerts.
Real-World Examples
- Log4Shell (2021) – A critical remote code execution flaw in Apache Log4j exploited before disclosure, affecting enterprise systems worldwide.
- Stuxnet – A computer worm that used zero-day vulnerabilities to infiltrate and sabotage Iranian nuclear facilities.
- CVE-2021-40444 – A Microsoft Office exploit delivered via malicious documents, allowing remote code execution without user macros.
Who Might Need Protection from Zero-Day Attacks?
- Remote and Hybrid Workforces – Employees working outside the corporate perimeter are often more exposed to phishing and browser-based exploits.
- SaaS and Cloud Providers – Often run complex stacks with multiple dependencies, including third-party components vulnerable to zero-day flaws. DNS-level control helps limit damage by blocking malicious callbacks or domain-based payloads.
- Regulated Industries (e.g., healthcare, finance) – High-value targets for ransomware and espionage. Zero-day attacks can introduce compliance risks; DNS-layer defenses reduce the attack surface and strengthen audit readiness.
Stop Zero-Day Threats Before They Strike
You can’t always patch what you can’t see—but you can block the infrastructure attackers rely on. DNSFilter detects and stops zero-day threats by analyzing traffic at the DNS layer, using AI to flag suspicious queries long before they’re identified by signature-based tools.
See how DNSFilter uses machine learning to give you an edge against the invisible threat.