What is a zero-day exploit?

A zero-day exploit is an attack that takes advantage of a mostly unknown security vulnerability.

Learning Objectives

After reading this article you will be able to:

  • Define 'vulnerability' and describe zero-day vulnerabilities
  • Explain what a zero-day exploit is
  • Describe the main ways to prevent zero-day attacks

Copy article link

What is a zero-day exploit?

A zero-day exploit (also called a zero-day threat) is an attack that takes advantage of a security vulnerability that does not have a fix in place. It is referred to as a "zero-day" threat because once the flaw is eventually discovered, the developer or organization has "zero days" to then come up with a solution.

What is a vulnerability?

A vulnerability is an unintended software or hardware flaw stemming from a programming error or an improper configuration. Because vulnerabilities are unintentional, they are hard to detect, and can go unnoticed for days, months, or sometimes even years.

How do zero-day exploits work?

When attackers identify a previously unknown vulnerability, they write code to target that specific vulnerability and package it into malware. The code, when executed, can compromise a system.

There are various ways for an attacker to exploit zero-day vulnerabilities. One common tactic is to distribute malware through phishing emails that contain attachments or links that have the exploits embedded into them. These malicious payloads are executed when a user interacts with the attachment or link.

A famous zero-day attack involved Sony Pictures Entertainment in 2014, when sensitive information such as copies of unreleased movies, email communications between top employees, and business plans were released to the public. The attackers used a zero-day exploit to obtain this information.

Zero-day exploits can adversely affect a business in a number of ways. In addition to losing valuable or confidential data, customers might lose trust in the business, and the business might have to divert valuable engineering resources to patch the flaw.

How to detect zero-day threats

By definition, zero-day threats are difficult to detect. Several strategies have been developed to help make detection easier:

  • Statistics-based detection: Using machine learning, historical data is collected from previous exploits and a standard level for safe behavior is set to detect zero-day threats in real time. However, the approach does not adapt to changes in patterns, and new attack profiles need to be built out to account for changes.
  • Signature-based detection: This method has been used since the early days of security monitoring. Existing databases of malware signatures — unique values that indicate the presence of malicious code — are cross-referenced to local files and downloads when scanning for new potential threats. A drawback to this method is that signatures can only identify threats that are already known, so this method cannot detect most zero-day threats.
  • Behavior-based detection: User interactions with existing software are analyzed to see if they are the result of malicious activity. Behavior-based detection sets out to learn future behavior and attempts to block any behavior that is not expected. It relies on predicting the flow of network traffic.

How to prevent zero-day attacks

While no single approach can completely prevent vulnerabilities from appearing in code, several tactics and tools can minimize their risk. Two of the most important technologies for stopping vulnerability exploits are browser isolation and firewalls.

Browser isolation

Browsing activity such as opening an email attachment or filling out a form requires interaction with code from untrusted sources, allowing for attackers to exploit vulnerabilities. Browser isolation keeps browsing activity separate from end user devices and corporate networks, so that potentially malicious code does not run on the user's device. Browser isolation can be done in three ways:

  • Remote browser isolation: Webpages are loaded and code is executed on a cloud server, away from users' devices and organizations' internal networks.
  • On-premise browser isolation: This works similarly to remote browser isolation, but it takes place on an internally managed server.
  • Client-side browser isolation: Webpages are still loaded on a user's device but sandboxing, a security mechanism to keep programs running separately, ensures the content and code is separate from the rest of the device.


A firewall is a security system that monitors incoming and outgoing traffic based on preset security policies. Firewalls sit between trusted and untrusted networks (most often the Internet) to protect against threats, block malicious content from reaching a trusted network, and prevent sensitive information from leaving the network. They can be built into hardware, software, or a combination of both. By monitoring traffic, a firewall can block traffic that may target a security vulnerability, leading to a zero-day exploit.

How does Cloudflare protect against zero-day vulnerabilities?

Remote browser isolation: Cloudflare's remote browser isolation solution conducts a user's browsing activity on a supervised cloud environment via sandboxing. Since browsing activity is isolated from users' end devices, those devices are protected from vulnerabilities like zero-day threats.

Web application firewall (WAF): The Cloudflare WAF helps protect web applications against malicious HTTP traffic. Since zero-day threats are hard to detect and the security landscape is constantly changing, a Managed Ruleset helps protect against these vulnerabilities. Cloudflare regularly updates Managed Rulesets to provide ongoing protection.