Zero-Day

Quick Definition

A zero-day (also written 0day) is a software vulnerability that attackers discover and exploit before the software vendor is aware of it. The name comes from the fact that the developer has had "zero days" to fix the problem.

How it works

All software contains bugs. Most are harmless, but some create security holes that allow unauthorized access, data theft, or remote code execution. When a researcher or attacker finds such a flaw before the vendor does, they have several options: report it responsibly (giving the vendor time to patch), sell it on the exploit market, or use it in an attack.

Zero-day exploits are especially dangerous because no patch exists at the time of attack. Traditional security tools that rely on known signatures (like antivirus databases) cannot detect them. Defenders must rely on behavior-based detection, sandboxing, and network anomaly monitoring to catch zero-day activity.
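The gap between signature matching and behavior-based detection described above, shown as an added example (not TerminalFeed code). The event fields, process-name lists, and hashes are constructed assumptions, not data from a real product or feed.

```python
from pathlib import PureWindowsPath

# Constructed stand-in for a signature database (e.g. antivirus hash list).
KNOWN_BAD_SHA256 = {"a" * 64}

# Hypothetical behavior rule: a network-facing service should not spawn a shell.
SERVICE_PARENTS = {"java", "w3wp.exe", "nginx", "httpd"}
SHELL_CHILDREN = {"sh", "bash", "cmd.exe", "powershell.exe"}

def basename(path):
    # PureWindowsPath splits on both "\\" and "/", so it handles either OS style.
    return PureWindowsPath(path).name.lower()

def signature_hit(event):
    # Fires only if this exact binary has been seen and catalogued before.
    return event["sha256"] in KNOWN_BAD_SHA256

def behavior_hit(event):
    # Fires on what the process does, regardless of whether the exploit is known.
    return (basename(event["parent"]) in SERVICE_PARENTS
            and basename(event["image"]) in SHELL_CHILDREN)

# Constructed process-creation events; all hashes are placeholders.
EVENTS = [
    # Exploited web app launching the system shell: a legitimate binary, so no signature.
    {"host": "web01", "parent": "/usr/bin/java", "image": "/bin/sh", "sha256": "b" * 64},
    # Previously catalogued malware started by a user: signature matches.
    {"host": "ws07", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Users\\a\\old_tool.exe", "sha256": "a" * 64},
    # Administrator logging in over SSH: benign, neither check fires.
    {"host": "web01", "parent": "/usr/sbin/sshd", "image": "/bin/bash", "sha256": "c" * 64},
    # Web server worker process launching a command interpreter.
    {"host": "iis02", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "sha256": "d" * 64},
]

def triage(events):
    # Returns (host, child process, signature verdict, behavior verdict) per event.
    return [(e["host"], basename(e["image"]), signature_hit(e), behavior_hit(e))
            for e in events]

if __name__ == "__main__":
    for host, child, sig, beh in triage(EVENTS):
        print(f"{host:6} {child:15} signature={sig!s:5} behavior={beh}")
```

Some applications spawn shells legitimately, so a rule like this needs per-environment allowlisting before it is used for alerting.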

Once a zero-day is publicly disclosed or detected in the wild, the clock starts. The vendor races to release a patch, and attackers race to exploit as many unpatched systems as possible. The window between disclosure and widespread patching is when damage is highest. This is why organizations that apply security updates quickly are significantly less vulnerable.

Why it matters

Zero-days are the most valuable and feared class of vulnerabilities. Nation-state attackers, ransomware groups, and advanced threat actors all prize them. High-profile zero-days in browsers, operating systems, or widely used libraries (like Log4j) can affect millions of systems simultaneously. Staying informed about active threats helps organizations prioritize patching and assess their risk exposure.

Where you'll see this on TerminalFeed

The Cyber Threats panel on the TerminalFeed dashboard pulls live data from URLhaus, ThreatFox, and CISA to surface active malware campaigns and indicators of compromise, including those related to zero-day exploitation. For more on monitoring security data, see our browser console guide.