Zero-Day
A software vulnerability that is unknown to the vendor and has no available patch, giving defenders zero days to prepare before it can be exploited.
A zero-day (also written 0-day) is a software vulnerability for which the vendor has not yet shipped a fix, usually because the vendor does not know about it at all. Because there is no patch, attackers who find it first can exploit it while every unpatched installation is exposed; the name refers to the fact that the developers have had "zero days" to fix it. Once the vendor learns of the flaw and publishes a fix, it stops being a zero-day, but it remains exploitable on every system that has not applied the patch.
Why Zero-Days Matter
The number of disclosed vulnerabilities (CVEs) is accelerating rapidly: over 48,000 in 2025, and 2026 is on pace to exceed that. Only a small fraction of these were exploited before a patch existed, but the volume matters for two reasons. First, patching teams are saturated, so even a disclosed vulnerability can stay open for weeks and is, in practice, as dangerous as a zero-day on those systems. Second, the window between disclosure and exploitation keeps shrinking: attackers increasingly use automation and AI to turn a published advisory or patch diff into a working exploit faster than organizations can roll the fix out.
How Zero-Days Are Exploited
- An attacker discovers a vulnerability in widely used software, typically something that parses untrusted input such as a document reader, browser, mail client, VPN appliance or web server
- They develop an exploit that triggers the bug and gains code execution; the exploit is usually the delivery vehicle for a payload such as malware or ransomware rather than the payload itself
- The exploit is used against targets before the vendor issues a patch, often delivered through a phishing attachment, a malicious web page or a direct request to an exposed service
- Once the vendor learns of the exploitation, it releases an emergency patch, but many organizations are slow to apply it, so exploitation continues long after the flaw is public
How to Reduce Zero-Day Risk
You cannot prevent zero-days from existing, but you can limit their impact:
- Endpoint protection: Modern endpoint tools (antivirus and EDR) use behavioral detection, not just signatures. A signature needs a known sample, which a zero-day by definition lacks, but the behavior after exploitation is familiar: a document reader spawning a shell, an encoded PowerShell command line, a new service created by a browser process. Detecting that behavior catches exploits for vulnerabilities nobody has a signature for yet.
- Network segmentation: Splitting the network into zones with a properly configured firewall between them, and denying traffic that has no business reason to flow, limits lateral movement if one system is compromised. An exploited workstation should not be able to reach the domain controllers or the backup servers directly.
- Patch management: You cannot patch a zero-day before it is known, but applying patches quickly after disclosure removes the thousands of known vulnerabilities attackers actually use most of the time, and a working out-of-band patching process is what lets you apply a vendor's emergency fix (or its interim mitigation, such as disabling a feature) within hours rather than weeks.
- Encryption: Encrypted data at rest protects against theft of disks, backups and offline copies. It does not protect against an attacker who exploits a zero-day to run code on a system where the data is already decrypted and the keys are available, so treat it as a complement to access control, not a substitute for it.
- Least privilege: Limit what each user and application can access, reducing the blast radius of any single exploit.
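The behavioral-detection point above, as an added example that is not part of the original page: a small Python detector run over constructed process-creation events. It models the kind of rule an EDR evaluates regardless of which bug was exploited. A document reader, mail client or browser that spawns a shell or script host (directly or through an intermediate process) is flagged, and so is an encoded PowerShell command line. The process names, paths, PIDs and command lines below are all made up for the illustration; the base64 string is just the UTF-16LE encoding of "IEX" and does nothing on its own.

```python
"""Behavioral detection of suspicious process lineage (added example, not code from the page).

The idea: a zero-day in a content handler has no signature, but the thing the
exploit does next (start a shell, run an encoded script) looks the same whether
the underlying bug is known or not, so detect the behavior, not the vulnerability.
"""
import re
from dataclasses import dataclass

# Processes that render untrusted content. A bug in one of these is the classic
# zero-day entry point, and none of them has a legitimate reason to start a shell.
CONTENT_HANDLERS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "acrord32.exe", "chrome.exe", "msedge.exe", "firefox.exe",
}

# Children that mean "arbitrary code is now running", whatever the bug was.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_PS = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}")
MAX_DEPTH = 3  # how many ancestors to inspect (bounds the walk even on cyclic PIDs)


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # full path as a sensor would log it
    cmdline: str


def image_name(path: str) -> str:
    """Normalise 'C:\\Windows\\System32\\cmd.exe' to 'cmd.exe'."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(event: ProcessEvent, by_pid: dict, max_depth: int = MAX_DEPTH) -> list:
    """Image names of parent, grandparent, ... up to max_depth levels."""
    chain = []
    cur = by_pid.get(event.ppid)
    while cur is not None and len(chain) < max_depth:
        chain.append(image_name(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: list) -> list:
    """Return one alert dict per suspicious event; an empty list if nothing fires."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        child = image_name(e.image)
        parents = ancestry(e, by_pid)
        reasons = []
        # Rule 1: a content handler anywhere in the recent ancestry led to a shell/script host.
        origin = next((p for p in parents if p in CONTENT_HANDLERS), None)
        if child in SUSPICIOUS_CHILDREN and origin is not None:
            reasons.append(f"{child} descends from content handler {origin}")
        # Rule 2: encoded PowerShell, a common way to hide the payload from naive string matching.
        if child in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(e.cmdline):
            reasons.append("encoded PowerShell command line")
        if reasons:
            alerts.append({"pid": e.pid, "image": child, "chain": [child, *parents], "reasons": reasons})
    return alerts


# Constructed sample: a user opens a booby-trapped document; a second user opens a
# terminal from Explorer. Only the first lineage should trigger alerts.
SAMPLE_EVENTS = [
    ProcessEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(1200, 400, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"WINWORD.EXE" C:\Users\anna\Downloads\invoice.docx'),
    ProcessEvent(1304, 1200, r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ProcessEvent(1310, 1304, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ProcessEvent(1500, 400, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcessEvent(1600, 1500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"pid {alert['pid']}: {' <- '.join(alert['chain'])}")
        for reason in alert["reasons"]:
            print(f"    {reason}")
```

Run against the sample, the detector flags cmd.exe (pid 1304) because its parent is winword.exe, and powershell.exe (pid 1310) twice over: winword.exe is still within three ancestors, and the command line is encoded. The benign cmd.exe and powershell.exe started from Explorer produce nothing, which is the point of walking ancestry rather than matching on the child name alone. A real deployment would add allow-lists (some add-ins do spawn helpers) and feed the alert into the SIEM, but the rule itself needs no knowledge of the vulnerability being exploited.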
Zero-Days and Swiss Reporting Requirements
Since April 2025, operators of critical infrastructure in Switzerland must report cyberattacks (including zero-day exploitation) to the Federal Office for Cybersecurity (BACS) within 24 hours of discovery. Even for businesses outside that obligation, the nDSG requires notifying the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible when a breach of personal data is likely to pose a high risk to the individuals concerned, and the zero-day clock matters here too: the notification deadline runs from when you detect the breach, not from when a patch becomes available.