The Microsoft Intelligence Center reported three VMware zero-days, CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, which Broadcom warned its customers were already being exploited. They affected VMware ESX products, including Workstation, Telco Cloud Platform, vSphere, VMware ESXi, Cloud Foundation, and Fusion. The flaws were a VMCI heap overflow, an HGFS information-disclosure bug, and memory leakage from the VMX process.
Paragon Partition Manager's BioNTdrv.sys driver also recently fell victim to ransomware zero-day attacks. The driver allowed arbitrary kernel memory mapping, writes, and memory moves, which paved the way for Bring Your Own Vulnerable Driver (BYOVD) attacks even on systems where the driver was not already installed. A critical PostgreSQL bug was tied to a zero-day attack on the US Treasury.
Zero-days are becoming a serious problem, with consequences that reach well beyond data breaches. This guide explores zero-day vulnerabilities and explains how to prevent and mitigate zero-day attacks.
What are Zero-Day Attacks?
A zero-day attack exploits a vulnerability or flaw that hackers find in an application's code, or any other weakness they can take advantage of, before the vendor knows about it. Zero-day exploits make the most of unknown or unaddressed security flaws in computer hardware, software, and firmware. It is called a zero-day because the vendor has had zero days to fix the security issue. Malicious actors can exploit these vulnerabilities immediately to access vulnerable systems.
Software developers must release patches for these vulnerabilities and update their programs, but by then the damage is often already done and too late to prevent. Zero-day attacks can plant malware, steal data, and even kill people. They can wreak havoc among users, organizations, and systems. Zero-day attacks can deliver viruses, malware, or ransomware, or take the form of threats that evade traditional signature-based detection technologies entirely.
Zero-day vulnerabilities pose serious risks because of the staggering breadth of their attack coverage. They can leave entire organizations and thousands of users exposed to cybercrime until the vendor or community identifies and fixes the problem. Some zero-day vulnerabilities remain undetected for days, months, or years, so when they finally become public knowledge, developers have little time to react and resolve them.
Organizations are caught off guard when hackers exploit these flaws before vendors can patch them. It’s a race against time. And once hackers create workable zero-day exploits, they can launch larger-scale attacks.
Why Are Zero-Day Attacks So Dangerous?
Zero-days are dangerous because you don't know what you're dealing with. The scope of the damage is unknown, and the hidden dangers include financial losses, harm to your business's reputation, and new blind spots that you can neither detect quickly nor fix.
Think of it like this. Imagine you're a white belt in karate, you've been blindfolded, and you're told to face a black belt. The chances of losing are incredibly high. Your only way out is to escape the situation and plan counter-defenses so you don't cross that black belt again.
Zero-day attacks can also originate from flaws in coding and design practices. Traditional security vulnerabilities can be patched in time to keep applications secure, but zero-day vulnerabilities are different: there is no time to create and roll out patches, and no fixes exist yet. This means you have to develop new patches and security solutions from scratch.
High-impact zero-day attacks can cause losses ranging from $500,000 to $2 million, depending on who the target and platform are.
How Do Zero-Day Attacks Work?
Here is how zero-day attacks work in a nutshell:
- A vulnerability appears in the software code, but the vendor and the public are unaware of it. A hacker eventually finds it through automated tools and testing.
- The adversary then exploits this vulnerability, crafting malicious input and injecting it into the web service or app, causing it to malfunction.
- This allows them to gain unauthorized access. The damage starts there and gradually escalates.
- When the vendor discovers the issue, they will attempt a swift resolution. Users and organizations must patch the vulnerability to prevent further exploitation and stop the breach.
How to Detect Zero-Day Attacks?
Zero-day attacks benefit from security gaps in programs and apps. Attackers can find weaknesses in the source code and create malicious code to inject into databases.
Detecting zero-days is not straightforward; it can be challenging and complicated. To scope out vulnerabilities, you must set pre-defined correlation rules and analyze the data already present in your infrastructure. Another way to detect these threats is to track insider movement.
Examine user activities using continuous threat detection, logging, and monitoring technologies. Your organization’s log activities can inform you about what is happening, and consolidated dashboards can also deliver strategic security insights.
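The correlation rules and baseline analysis described above can be illustrated with a small rule engine. The following is an added example written for this article, not SentinelOne code or any real product's rule syntax; the key=value telemetry format, host names, user names, and IP addresses are all constructed. It runs two signature-free rules over the sample events: a web-server worker process spawning a command interpreter (a behaviour, not a hash, so it works against an exploit nobody has seen yet), and a user logging on from a source address that never appeared during the baseline window (the insider-movement check).

```python
"""Two correlation rules run over constructed endpoint telemetry.

Rule 1 (behavioural): a web-server worker process spawns a command
interpreter. No signature for the exploit itself is needed.
Rule 2 (baseline deviation): a user logs on from a source address that
was never seen for that user during the baseline window.
"""
from datetime import datetime

# Constructed sample telemetry (not real logs). One event per line.
SAMPLE_EVENTS = """\
2025-03-05T08:00:01Z host=web01 event=logon user=alice src=10.0.0.5
2025-03-05T08:05:12Z host=web01 event=process_create user=IIS_APPPOOL parent=w3wp.exe image=conhost.exe
2025-03-05T09:10:00Z host=fs01 event=logon user=bob src=10.0.0.7
2025-03-05T09:12:30Z host=web01 event=logon user=alice src=10.0.0.5
2025-03-05T13:41:07Z host=web01 event=process_create user=IIS_APPPOOL parent=w3wp.exe image=cmd.exe
2025-03-05T22:03:44Z host=fs01 event=logon user=bob src=203.0.113.9
"""

# Everything before this instant is treated as the known-good baseline.
BASELINE_END = datetime(2025, 3, 5, 12, 0, 0)

# Process names that normally handle web requests and the interpreters they
# should not be launching. Assumed lists for the example; tune per estate.
WEB_WORKERS = {"w3wp.exe", "httpd", "nginx", "tomcat"}
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}


def parse_event(line):
    """Turn '<ISO timestamp> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts_text, *pairs = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def parse_events(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def rule_web_worker_spawned_shell(events):
    """Alert when a web worker process directly spawns a shell."""
    alerts = []
    for ev in events:
        if (ev.get("event") == "process_create"
                and ev.get("parent", "").lower() in WEB_WORKERS
                and ev.get("image", "").lower() in SHELLS):
            alerts.append({"rule": "web_worker_spawned_shell",
                           "ts": ev["ts"], "host": ev["host"],
                           "parent": ev["parent"], "image": ev["image"]})
    return alerts


def rule_new_logon_source(events, baseline_end):
    """Learn (user, src) pairs before baseline_end; alert on unseen pairs after."""
    baseline = {(ev["user"], ev["src"]) for ev in events
                if ev.get("event") == "logon" and ev["ts"] < baseline_end}
    alerts = []
    for ev in events:
        if ev.get("event") != "logon" or ev["ts"] < baseline_end:
            continue
        if (ev["user"], ev["src"]) not in baseline:
            alerts.append({"rule": "new_logon_source", "ts": ev["ts"],
                           "host": ev["host"], "user": ev["user"],
                           "src": ev["src"]})
    return alerts


def run_rules(text, baseline_end=BASELINE_END):
    """Run every rule and return the alerts in chronological order."""
    events = parse_events(text)
    alerts = (rule_web_worker_spawned_shell(events)
              + rule_new_logon_source(events, baseline_end))
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

Each rule is a plain function over parsed events, so adding a rule means adding a function and listing it in run_rules. The baseline rule is the part that needs care in production: the baseline window must be long enough to cover normal travel and VPN churn, or the rule becomes the alert noise the next section warns about.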
Preventing and Mitigating Zero-Day Attacks
Deploying a reliable threat intelligence solution and SIEM is essential for collecting telemetry data and analyzing security events. These solutions should be able to identify multiple data types coming from diverse sources and generate real-time alerts whenever deviations are detected. You can promptly investigate these outliers with your security staff and reduce unauthorized access. Supplement these measures with proactive threat-hunting activities. Use advanced analytics to search for potential Indicators of Compromise (IoCs) and conduct detailed investigations.
All these tactics will also help you streamline incident response workflows and select the right tools for the job. SentinelOne can help you automate response actions, customize policies, trigger alerts, and instantly quarantine or isolate compromised hosts or threats when they are detected. It also helps you automatically block malicious IPs, back up data, and minimize the impact of future security events.
You can also prevent and mitigate zero-day attacks by taking these additional steps:
- Patch your systems and update them rigorously. Do an audit of all your resources, assets, inventory, and users. Scan historical event data, look for patterns, and dive deep into past anomalies. They will give you clues about future events.
- Practice the principle of least privilege. Build a zero-trust network security architecture: trust nobody and always verify, because the person you trust today may become tomorrow's enemy by betraying your organization. Tighten your onboarding and offboarding protocols and make them more stringent.
- Do not let employees transmit private data on public networks. Encourage a culture where they can report their findings anonymously and ensure complete transparency. Good communication is key to learning how to prevent zero-day attacks and provides continued protection.
Real-World Examples of Zero-Day Attacks
Here are some real examples of zero-day attacks that happened recently in 2025:
The Microsoft Zero-Day Cyber Attack
Microsoft didn’t expect a zero-day to target multiple vectors. Kevin Breen, senior director at Immersive, said: “We didn’t think it was possible. Zero-days usually target a single platform or an operating system environment.”
In February 2025, Microsoft released and rolled out security updates for 67 vulnerabilities. However, four zero-days had already affected Windows NTLMv2 hash handling, the Windows Ancillary Function Driver, Windows Storage, and Microsoft Surface devices. Remote code execution and privilege escalation were the leading security risks. Three new vulnerabilities impacted Hyper-V: CVE-2025-21335, CVE-2025-21333, and CVE-2025-21334.
JetBrains TeamCity Authentication Zero-Day Bypass
JetBrains learned about the CVE-2023-42793 vulnerability on September 20, 2023, and disclosed it. The authentication bypass affected on-premises instances of its TeamCity CI/CD server. Attackers gained unauthorized access and launched remote code execution attacks. The critical authentication bypass flaw was discovered just days after exposure, leaving no time for immediate recovery.
MOVEit Transfer’s Zero-Day Threat
A Russian group probed for SQL injection issues and found a zero-day vulnerability in MOVEit Transfer. The group then executed ransomware attacks on hundreds of organizations, including several universities, health networks, banks, and government agencies.
LEMURLOOT web shell samples with the filenames human2.aspx and _human2.aspx were uploaded to many public repositories around the world. The attack spread and hit organizations in countries including Pakistan and Germany.
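The two filenames above are the kind of Indicator of Compromise the threat-hunting step in the prevention section refers to. The following added example (written for this article, not SentinelOne code or a published MOVEit detection) hunts for those filenames in IIS W3C-format access logs. It reads the #Fields header so the column order does not have to be hard-coded, matches the URI basename case-insensitively, and summarizes hits per client address. The log excerpt, server and client IPs, and user agents are constructed; only the two filenames come from the page.

```python
"""Hunt IIS W3C logs for requests to the LEMURLOOT web shell filenames.

The #Fields header is parsed so any field ordering works. A 200 on one of
these names suggests the shell was present; a 404 suggests probing.
"""
import posixpath
from collections import Counter

# IoC filenames from the page; matched case-insensitively on the URI basename.
LEMURLOOT_FILENAMES = {"human2.aspx", "_human2.aspx"}

# Constructed IIS log excerpt (W3C extended format). All addresses are fake.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2023-05-28 01:02:03 10.0.0.20 GET /login.aspx - 443 198.51.100.4 Mozilla/5.0 200
2023-05-28 01:02:11 10.0.0.20 GET /human2.aspx - 443 198.51.100.4 Mozilla/5.0 200
2023-05-28 01:05:44 10.0.0.20 POST /HUMAN2.aspx - 443 198.51.100.4 Mozilla/5.0 200
2023-05-28 02:17:08 10.0.0.20 GET /_human2.aspx - 443 192.0.2.77 python-requests/2.31 404
2023-05-28 03:00:00 10.0.0.20 GET /index.html - 443 10.0.0.50 Mozilla/5.0 200
"""


def parse_w3c_log(text):
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives
        if fields is None:
            raise ValueError("request line seen before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than mis-assign columns
        yield dict(zip(fields, values))


def is_webshell_request(entry):
    """True when the URI's basename is one of the IoC filenames."""
    stem = entry.get("cs-uri-stem", "")
    return posixpath.basename(stem).lower() in LEMURLOOT_FILENAMES


def find_webshell_requests(text):
    """Return the matching requests with the fields an analyst needs first."""
    hits = []
    for entry in parse_w3c_log(text):
        if is_webshell_request(entry):
            hits.append({
                "when": f"{entry['date']} {entry['time']}",
                "c-ip": entry["c-ip"],
                "method": entry["cs-method"],
                "uri": entry["cs-uri-stem"],
                "status": entry["sc-status"],
                # A 200 means the file answered; anything else is a probe.
                "shell_present": entry["sc-status"] == "200",
            })
    return hits


def summarize_by_client(hits):
    """Count hits per client address to prioritize which sources to pivot on."""
    return dict(Counter(hit["c-ip"] for hit in hits))


if __name__ == "__main__":
    found = find_webshell_requests(SAMPLE_IIS_LOG)
    for hit in found:
        print(hit)
    print(summarize_by_client(found))
```

Matching on the basename rather than the full path keeps the rule valid if the web root or virtual directory differs between installations, and keeping the 404 probes in the output matters: a scanner that tried the filename and got nothing is still telling you who is looking at the server.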
Mitigate Zero-Day Attacks with SentinelOne
SentinelOne uses advanced AI algorithms to scan resources and stop zero-day threats, even the unknowns. Its Endpoint Detection and Response (EDR) platform provides a deep look into network and user activity, making it easier to catch threats. SentinelOne can extend its endpoint protection with Singularity XDR.
Singularity™ Threat Intelligence with data lake and Purple AI can collect and correlate data from multiple sources. SentinelOne's behavioral engine can detect and track malicious behaviors across enterprises. If anything suspicious occurs or deviations happen, it instantly flags them for review and remediation. SentinelOne's context-aware threat intelligence eliminates false positives, reduces alert noise, and keeps organizations up to date with the most relevant notifications. SentinelOne can simulate zero-day attacks to scope out possibilities with its Offensive Security Engine™ and Verified Exploit Paths™. Its patented Storylines™ technology can reconstruct historical events and artefacts and conduct cyber forensics.
Users can generate detailed system and compliance reports straight from its unified dashboard. SentinelOne streamlines compliance audits and helps organizations adhere to the best regulatory standards, such as SOC 2, HIPAA, PCI-DSS, and ISO 27001. Its solutions are supported by a strong community of industry experts and users who share helpful insights.
SentinelOne's agentless CNAPP delivers holistic security and offers features such as Kubernetes Security Posture Management (KSPM), Cloud Workload Protection Platform (CWPP), Cloud Security Posture Management (CSPM), IaC scanning, SaaS Security Posture Management (SSPM), secrets detection and cloud credential leakage prevention, External Attack Surface Management (EASM), vulnerability assessments, CI/CD pipeline scanning, Snyk integration, and more. The platform helps organizations implement DevSecOps best practices and carry out internal and external auditing.
Conclusion
While zero-day attacks appear unstoppable, they also reveal a more profound reality about our evolving cyber world: we shape, and are shaped by, every vulnerability discovered. Real resilience does not stem from using the best technologies but from the ability to shed complacent mindsets, because hackers don't go after software alone; they go after people too.
By collaborating across functions, applying rigorous testing, and relentlessly gaining intelligence, we can create digital ecosystems where zero-day attacks are a stimulus, not precursors to chaos.
Invest in proactive defenses, promote a culture of cyber awareness, and start working on your security. Contact SentinelOne to stay on top and defend.
FAQs
What is a Zero-Day Attack?
Zero-day attacks exploit newly discovered software vulnerabilities before developers issue patches. Attackers find these security flaws and create malware or hacking methods within a brief window of vulnerability.
Because defenders have zero days to respond, the damage can spread extremely fast, compromising critical systems, stealing data, or infecting entire networks before anyone notices.
Why is it called a "Zero-Day" attack?
Vendors and researchers need advance warning to patch vulnerabilities. A "zero-day" attack occurs when the clock is already at zero: the attacker exploits the vulnerability before a patch is available, leaving the vendor with "zero days" to patch or prepare. This time constraint puts companies in a dilemma and underscores the need to address these threats.
Who discovers Zero-Day Vulnerabilities?
Anyone can discover zero-day vulnerabilities, from security researchers and white-hat hackers to cybercriminals. Ethical researchers usually inform the vendor so it can release a patch, while threat actors exploit the vulnerability to their advantage.
Government agencies also fund bug-hunting efforts, and their discoveries sometimes remain undisclosed, leading to speculation about covert usage for espionage or spying.
What is the "Zero-Day Market"?
A zero-day market is a commercial marketplace where brokers buy exploits from researchers and black hats. It is used to buy and sell security flaws and can facilitate illegal activity. It is the shadowy side of the cybersecurity world and something to watch out for: trades lack transparency, and prices may seem unfair.
How Are Zero-Day Attacks Discovered?
Zero-day attack prevention and discovery depend on the vigilance of security teams and anomaly detection tools. Unusual behavior patterns, suspicious data traffic, or user complaints can trigger an investigation.
Security professionals deploy sandboxing, honeypots, and advanced monitoring solutions to catch malicious activity in real time. Sometimes, accidental findings during routine audits reveal zero-day exploits. Disclosing these to vendors can help develop patches quickly before significant damages occur.
Who Are the Main Targets of Zero-Day Attacks?
Major corporations, government agencies, financial institutions, and healthcare providers often top the list of zero-day targets. These entities store sensitive data and maintain critical infrastructure, making them prime objectives for espionage, sabotage, or financial gain.
Small businesses and individual users aren’t immune either; zero-day exploits can spread indiscriminately through software commonly used by all sectors, from operating systems to web applications.
How can individuals stay safe from Zero-Day Attacks?
- Stay vigilant with regular software updates, as patches often address undisclosed vulnerabilities.
- Enable automatic updates where possible.
- Use reputable antivirus and firewalls to monitor and block suspicious activity.
- Practice strong password hygiene and avoid clicking unknown links or downloading files from unverified sources.
Additionally, consider using VPNs on public Wi-Fi networks. Lowering your digital footprint can reduce the chances of falling victim to a zero-day compromise.
How Do Organizations Respond to Zero-Day Exploits?
Organizations typically deploy rapid response protocols, including isolating affected systems and conducting forensic analysis to pinpoint the breach. They issue emergency patches or direct users to temporary workarounds. Incident response teams collaborate with security researchers, share threat intelligence, and strengthen perimeter defenses. Regular penetration testing also helps discover weaknesses before malicious actors do. Ongoing staff training further builds awareness, minimizing the odds of repeat zero-day intrusions.