Zero-Day Vulnerabilities
Previously unknown vulnerabilities with no available patch. Zero-days are among the most dangerous vulnerabilities because defenders have had "zero days" to prepare: the flaw is already being exploited before a fix exists.
Understanding Zero-Day Vulnerabilities
A zero-day vulnerability is a security flaw unknown to the vendor and for which no patch exists. The name comes from the fact that defenders have "zero days" between learning about the vulnerability and attacks using it—because attackers found it first.
Zero-day terminology:
- Zero-day vulnerability: the flaw itself (unknown to the vendor, unpatched)
- Zero-day exploit: code that takes advantage of the flaw
- Zero-day attack: an attack that uses the exploit against targets
Zero-days are among the most valuable and dangerous security issues. They're used by nation-states, sold on black markets, and feared by defenders.
Why This Matters for the Exam
Zero-day vulnerabilities appear on SY0-701 (Objective 2.3, types of vulnerabilities) because they represent the hardest security scenario: protecting against a threat nobody has characterized yet. Questions cover the zero-day lifecycle and defense strategies.
Understanding zero-days shapes defense planning. Since there is no patch to apply, defense-in-depth, behavioral detection, and rapid response have to compensate for the missing fix.
The exam also tests disclosure concepts—responsible disclosure, CVE process, and the window between discovery and patch.
Deep Dive
Zero-Day Lifecycle
1. Vulnerability Introduced
- Code written with a flaw
- Configuration creates a weakness
- Design has a security gap
2. Vulnerability Discovered
- By a security researcher (ethical)
- By an attacker (malicious)
- May remain undiscovered for years
3. Exploitation Begins (if the discoverer is malicious)
- Attacker develops an exploit
- Used against targets
- Vendor unaware, so no vendor fix exists; only compensating controls stand in the way
4. Discovery by Defenders
- Attack detected
- Vulnerability identified
- Vendor notified
5. Patch Developed
- Vendor creates a fix
- Testing performed
- Patch released
6. Patch Deployed
- Organizations apply the update
- Vulnerability addressed
- No longer a "zero-day"; any unpatched system is now exposed to an N-day
Zero-Day vs. N-Day:
| Term | Description |
|---|---|
| Zero-day | No patch exists (vendor unaware, or aware but not yet fixed) |
| N-day | Publicly known for N days; a patch or advisory exists but has not been applied everywhere |
Both are dangerous:
- Zero-day: there is no patch to apply, so only compensating controls stand between the attacker and the flaw
- N-day: the patch exists, but attackers reverse-engineer it and exploit unpatched systems faster than organizations deploy it
Who Uses Zero-Days?
| Actor | Purpose | Notes |
|---|---|---|
| Nation-states | Espionage, warfare | Stockpile for strategic use |
| Advanced criminals | High-value targets | Purchase from researchers/markets |
| Security researchers | Discovery, disclosure | Ethical discovery and reporting |
| Vulnerability brokers | Buying/selling | Market for zero-days |
Zero-Day Markets:
- Black market: sold to criminals
- Gray market: sold through brokers to governments and their contractors
- White market: bug bounties and vendor programs, ending in a fix
Vulnerability Disclosure
How vulnerabilities move from discovery to patch.
Disclosure Types:
Responsible/Coordinated Disclosure:
- Researcher notifies the vendor privately
- Vendor is given time to develop a patch
- Public disclosure after the fix is available
- Industry standard approach (also called coordinated vulnerability disclosure, CVD)
Full Disclosure:
- Immediate public release
- Forces the vendor to act quickly
- Controversial: exposes users to risk while no fix exists
No Disclosure:
- Vulnerability kept secret
- Used for attacks (if malicious)
- Stockpiled (if government)
Disclosure Timeline:
- Common norm: 90 days for the vendor to ship a fix before public disclosure
- Google Project Zero: a fixed 90-day disclosure deadline
- May vary by severity, active exploitation, and vendor cooperation
CVE (Common Vulnerabilities and Exposures):
- Standard identifier for publicly disclosed vulnerabilities
- Format: CVE-YEAR-NUMBER, where NUMBER has at least four digits (e.g., CVE-2023-12345 shows the shape); YEAR is the year the ID was assigned, not necessarily the year of discovery
- Assigned by CVE Numbering Authorities (CNAs) under the CVE Program run by MITRE
- Enables consistent tracking and communication across vendors, scanners, and advisories
Defending Against Zero-Days
Without patches, other defenses become critical.
Defense-in-Depth Layers:
| Layer | Defense |
|---|---|
| Network | Segmentation, monitoring, IDS/IPS |
| Endpoint | EDR, application allow-listing (whitelisting), HIPS |
| Application | WAF, input validation, sandboxing |
| Data | Encryption, DLP, access controls |
Behavioral Detection:
- Detect anomalous behavior rather than matching known signatures (a zero-day has no signature yet)
- Identify exploitation patterns (unexpected child processes, beaconing, privilege changes)
- Machine learning analysis
- Heuristic detection
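The following script is an added example for this page, not code from the study guide or from any EDR or proxy vendor, of what "anomalous behavior rather than signatures" looks like in practice. A dropped implant has no signature yet, but it still calls home on a schedule, so the script flags source/destination pairs that are both new to the fleet and contacted at near-constant intervals. The proxy log lines, the host names, the destination 203.0.113.25 (a documentation-range address) and the baseline set are all constructed for the demonstration.

```python
"""Behavioral (anomaly-based) detection of beaconing in proxy logs.

Added example for this study page, not code from the page or any product.
A zero-day exploit has no signature to match, but the implant it drops still
has to call home, and that traffic has shape: a near-fixed interval, to a
destination the fleet has never talked to. All log lines and the baseline
set below are constructed for the demonstration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: "<ISO timestamp> <source host> <destination> <bytes>"
SAMPLE_LOG = """\
2024-05-01T09:00:00 ws-103 time.example-corp.internal 90
2024-05-01T09:00:03 ws-101 updates.example-vendor.com 4200
2024-05-01T09:00:04 ws-101 updates.example-vendor.com 180300
2024-05-01T09:00:05 ws-101 203.0.113.25 312
2024-05-01T09:00:10 ws-103 cdn.example-news.com 52000
2024-05-01T09:00:12 ws-103 cdn.example-news.com 8100
2024-05-01T09:00:41 ws-102 203.0.113.25 310
2024-05-01T09:01:04 ws-101 203.0.113.25 315
2024-05-01T09:01:04 ws-103 time.example-corp.internal 90
2024-05-01T09:01:40 ws-102 203.0.113.25 309
2024-05-01T09:02:06 ws-101 203.0.113.25 311
2024-05-01T09:02:08 ws-103 time.example-corp.internal 90
2024-05-01T09:02:30 ws-101 updates.example-vendor.com 950
2024-05-01T09:02:42 ws-102 203.0.113.25 312
2024-05-01T09:03:05 ws-101 203.0.113.25 313
2024-05-01T09:03:41 ws-102 203.0.113.25 310
2024-05-01T09:03:50 ws-103 cdn.example-news.com 41000
2024-05-01T09:04:02 ws-103 cdn.example-news.com 3300
2024-05-01T09:04:05 ws-101 203.0.113.25 314
2024-05-01T09:04:41 ws-102 203.0.113.25 311
2024-05-01T09:05:04 ws-101 203.0.113.25 312
2024-05-01T09:05:40 ws-102 203.0.113.25 310
2024-05-01T09:11:30 ws-103 cdn.example-news.com 6700
"""

# Constructed baseline: destinations the fleet contacted in the prior 30 days.
BASELINE_DESTINATIONS = {"updates.example-vendor.com", "time.example-corp.internal"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Return (timestamp, src, dst) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        stamp, src, dst, _size = match.groups()
        records.append((datetime.fromisoformat(stamp), src, dst))
    return records


def interval_regularity(timestamps):
    """Return (mean gap in seconds, coefficient of variation of the gaps).

    A CV near 0 means the gaps are almost identical: scheduled beacons look
    like this, human browsing does not. Needs at least two timestamps.
    """
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv


def find_beacons(log_text, baseline, min_connections=5, max_cv=0.2):
    """Flag (src, dst) pairs that are both novel and periodic.

    Novel: dst is outside the baseline. Periodic: at least min_connections
    and gap CV at or below max_cv. Requiring both rules out the two obvious
    false positives: a regular but known destination (NTP, update checks)
    and a new but human-paced one (a news site).
    """
    by_pair = defaultdict(list)
    for stamp, src, dst in parse_log(log_text):
        by_pair[(src, dst)].append(stamp)

    findings = []
    for (src, dst), stamps in sorted(by_pair.items()):
        if dst in baseline or len(stamps) < min_connections:
            continue
        mean, cv = interval_regularity(stamps)
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "count": len(stamps),
                             "mean_interval_s": round(mean, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG, BASELINE_DESTINATIONS):
        print(f"BEACON {hit['src']} -> {hit['dst']}: {hit['count']} connections, "
              f"every ~{hit['mean_interval_s']}s (cv={hit['cv']})")
```

Run as a script it reports ws-101 and ws-102 beaconing to 203.0.113.25 roughly every 60 seconds, while the regular-but-known NTP traffic and the new-but-irregular news site are left alone. The two thresholds are the tuning knobs: real implants add jitter, so in production you would loosen max_cv, widen the window, and correlate with endpoint telemetry before acting.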
Threat Intelligence:
- Subscribe to threat feeds
- Monitor for emerging threats
- Industry sharing (ISACs)
- Vendor security bulletins
Rapid Response:
- Incident response capability
- Virtual patching (WAF/IPS rules)
- Network isolation
- Emergency change procedures
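To make "virtual patching" concrete, here is an added example of a request filter that blocks exploit-shaped traffic until the vendor patch ships. It is not code from the page and not any real WAF's rule language; the endpoints /api/legacy/import and /admin/plugin-upload, the "inline DTD in the body" exploit precondition, the rule IDs VP-001 and VP-002 and the sample requests are hypothetical placeholders for what an advisory or threat-intel report would specify. It shows the two options side by side: a narrow rule that keeps the feature usable, and a blunt rule that disables the feature outright, plus path normalization so cheap encoding bypasses do not walk past the prefix match, and a review date so the temporary control is revisited once the real patch lands.

```python
"""Virtual patching: block exploit-shaped requests until the vendor patch ships.

Added example for this study page; not code from the page and not any WAF's
real rule language. The endpoints, the exploit precondition (an inline DTD in
the request body), the rule IDs and the sample traffic are hypothetical
placeholders for what a vendor advisory or threat-intel report would specify.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional
from urllib.parse import unquote


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    body: str = ""


@dataclass(frozen=True)
class VirtualPatch:
    rule_id: str
    methods: frozenset                  # HTTP methods the rule covers
    path_prefix: str                    # normalized prefix of the vulnerable feature
    body_pattern: Optional[re.Pattern]  # None means block the whole feature
    review_by: date                     # when the rule must be revisited
    reason: str


def normalize_path(path):
    """Percent-decode (twice) and collapse slashes before prefix matching.

    Matching the raw path would let '/api//legacy/%69mport' walk past a
    check for '/api/legacy/import'; normalizing first closes the cheap
    bypasses, though not every possible one.
    """
    decoded = unquote(unquote(path))
    return re.sub(r"/+", "/", decoded).lower()


def evaluate(request, patches, today):
    """Return (action, rule_id, note) with action 'allow' or 'deny'.

    A rule past its review date is still enforced (a protective control must
    never lapse silently) but the note flags it so the SOC sees it.
    """
    path = normalize_path(request.path)
    for patch in patches:
        if request.method.upper() not in patch.methods:
            continue
        if not path.startswith(patch.path_prefix):
            continue
        if patch.body_pattern and not patch.body_pattern.search(request.body):
            continue
        note = patch.reason
        if today > patch.review_by:
            note += " [STALE: past review date, confirm vendor patch status]"
        return ("deny", patch.rule_id, note)
    return ("allow", None, "")


# Hypothetical rules. VP-001 is the narrow option: the feature stays usable and
# only requests carrying the exploit precondition are dropped. VP-002 is the
# blunt option ("disable the vulnerable feature"): the endpoint is off entirely.
PATCHES = [
    VirtualPatch("VP-001", frozenset({"POST", "PUT"}), "/api/legacy/import",
                 re.compile(r"<!(doctype|entity)\b", re.I), date(2024, 6, 1),
                 "legacy import: inline DTD is not used by legitimate clients"),
    VirtualPatch("VP-002", frozenset({"GET", "POST", "PUT", "DELETE"}),
                 "/admin/plugin-upload", None, date(2024, 6, 1),
                 "plugin upload disabled until the vendor fix is deployed"),
]

# Constructed sample traffic: benign, legitimate use of the vulnerable feature,
# an exploit-shaped request, an encoding-bypass attempt, and the disabled feature.
SAMPLE_REQUESTS = [
    Request("GET", "/api/reports"),
    Request("POST", "/api/legacy/import", "<items><item id='1'/></items>"),
    Request("POST", "/api/legacy/import",
            "<?xml version='1.0'?><!DOCTYPE x [<!ENTITY e 'x'>]><items>&e;</items>"),
    Request("POST", "/api//legacy/%69mport", "<!doctype x><items/>"),
    Request("GET", "/admin/plugin-upload"),
]


def run(requests, patches, today):
    """Evaluate every request and return the list of decisions, in order."""
    return [evaluate(req, patches, today) for req in requests]


if __name__ == "__main__":
    for req, (action, rule, note) in zip(SAMPLE_REQUESTS,
                                         run(SAMPLE_REQUESTS, PATCHES, date(2024, 5, 15))):
        print(f"{action.upper():5} {req.method} {req.path} {rule or '-'} {note}")
```

Running the module prints one line per sample request with the decision and the rule that fired. The design point is that a virtual patch is a stopgap: attackers probe it for bypasses (hence the normalization), legitimate users hit it when the rule is too broad (hence the narrow VP-001 next to the blunt VP-002), and it has to come out again once the real patch is deployed, which is what the review date enforces in practice.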
Zero-Trust Architecture:
- Assume breach
- Verify everything
- Limit blast radius
- Microsegmentation
How CompTIA Tests This
Example Analysis
Scenario: A security team detects unusual traffic patterns from several workstations. Investigation reveals malware exploiting a vulnerability in commonly-used software. The vendor has no knowledge of this vulnerability and no patch exists. How should the team respond?
Analysis - Zero-Day Incident Response:
Immediate Actions:
1. Contain:
- Isolate affected systems
- Block malicious traffic and indicators (IPs, domains)
- Prevent lateral movement
- Preserve evidence (memory and disk images before reimaging)
2. Assess:
- Identify all affected systems
- Determine data exposure
- Understand the attack mechanism
- Document findings
3. Mitigate Without a Patch:
- Implement virtual patching (IPS/WAF rules)
- Disable the vulnerable feature if possible
- Increase monitoring on vulnerable systems
- Consider a temporary service shutdown for critical systems
4. Communicate:
- Notify the vendor immediately
- Engage threat intelligence sharing
- Brief leadership on the risk
- Consider disclosure timing
5. Monitor:
- Watch for additional exploitation
- Track vendor progress on the patch
- Update defenses as intelligence develops
Long-Term:
- Apply the patch when available
- Conduct a post-incident review
- Update detection capabilities
- Review defense-in-depth effectiveness
Key insight: without a patch, defense-in-depth and rapid response are the only options. Behavioral detection and network controls must compensate for the lack of a fix.
Key Terms to Know
Common Mistakes to Avoid
Exam Tips
Memory Trick
Zero-Day Timeline: "DEEP"
- Discovery (flaw found)
- Exploitation (attacks begin)
- Exposure (defenders learn)
- Patch (fix released)
Zero vs. N-day:
- Zero-day = Zero patches available
- N-day = patch exists, Not applied yet
Zero-Day Defense: "BIRD"
- Behavioral detection (anomaly-based)
- IDS/IPS and WAF (virtual patching)
- Rapid response (incident capability)
- Defense-in-depth (multiple layers)
Disclosure Types:
- Responsible = Right way (private, then public after patch)
- Full = Fast public release (controversial)
- No disclosure = Nefarious use (attacks or stockpiling)
CVE Memory: Common Vulnerabilities and Exposures = universal vulnerability ID, CVE-YEAR-NUMBER (e.g., CVE-2023-12345)
Test Your Knowledge
Q1. A vulnerability is being actively exploited in the wild, but the software vendor has not yet released a patch. What type of vulnerability is this?
Q2. A security researcher discovers a critical vulnerability and privately notifies the vendor, giving them 90 days to release a patch before public disclosure. This practice is called:
Q3. Without an available patch, what is the MOST effective defense strategy against zero-day vulnerabilities?
Practice questions on zero-day vulnerabilities and other Objective 2.3 concepts.