Zero-Day Vulnerability
A software security flaw that is unknown to the vendor β they have had zero days to discover and fix it. The term describes the vendor's preparation time: none. Zero-day vulnerabilities exist in virtually all software; the question is whether they have been found, and by whom. Until discovered and patched, the flaw can be exploited with no defense possible through patching. Zero-day vulnerabilities become known publicly only after a patch is released or through security research disclosure.
Zero-Day Attack / Zero-Day Exploit
An attack that exploits a zero-day vulnerability β one for which no patch or official mitigation exists at the time of the attack. Attackers who discover an unknown vulnerability develop exploit code targeting that specific flaw. Since the vendor has no knowledge of the vulnerability, there is no patch to apply and no official guidance on mitigation. The attack can continue unimpeded until the vendor discovers the issue, develops a fix, and distributes it to affected users β a process that may take days, weeks, or months.
Latent Vulnerability
A security flaw that exists in software but has not yet been discovered by anyone β either defenders or attackers. All software is assumed to contain latent vulnerabilities. The security community and malicious actors are constantly searching for them. When a latent vulnerability is found by a defender, it becomes a reported vulnerability and a patch can be developed. When found by an attacker first, it becomes a zero-day exploit. Latent vulnerabilities are the raw material that zero-day attacks are built from.
CVE (Common Vulnerabilities and Exposures)
A publicly maintained database of disclosed software vulnerabilities, hosted at cve.mitre.org. Each confirmed vulnerability receives a unique CVE identifier (e.g., CVE-2023-12345) along with a standardized description, affected products and versions, severity score, and patch status. CVE entries provide a shared vocabulary for the security community to track, discuss, and prioritize vulnerability remediation. CVE entries are created when vulnerabilities are publicly disclosed β by definition, zero-day attacks occur before or during the window before a relevant CVE entry becomes public.
Sandbox Escape
A type of vulnerability or exploit technique that breaks out of an application's security sandbox β the restricted execution environment designed to limit what the application can access and do. Sandboxes isolate browser tabs, plugins, and untrusted code from the underlying operating system and other applications. A sandbox escape exploit allows code running inside the sandbox to execute in the broader OS context with elevated privileges. Both the April 2023 Chrome zero-day and one of the May 2023 Apple iOS zero-days involved sandbox escapes.
Memory Corruption
A class of software vulnerability in which a program writes data to a memory location in an unintended way β such as a buffer overflow, use-after-free, or heap corruption. Memory corruption vulnerabilities can cause crashes, but attackers can also engineer them to redirect the program's execution to attacker-controlled code. Memory corruption was the underlying flaw in the April 2023 Chrome zero-day, where it was used in combination with a sandbox escape to execute malicious code on the host system.
Arbitrary Code Execution (ACE)
A vulnerability outcome where an attacker can execute any code of their choosing on a target system. Arbitrary code execution is typically the end goal of a complex exploit chain β the final result of leveraging a memory corruption or other flaw to gain control of program execution flow. ACE gives the attacker the ability to install malware, create backdoors, exfiltrate data, or take any other action the compromised process has permissions for. One of the three May 2023 Apple iOS/iPadOS zero-days resulted in arbitrary code execution.
UEFI / Secure Boot
UEFI (Unified Extensible Firmware Interface) is the firmware that initializes hardware before the operating system loads β it is the lowest accessible layer of a computer's software stack. Secure Boot is a UEFI security feature that verifies the digital signature of bootloaders and OS components before allowing them to run, preventing unauthorized code from loading at startup. The May 2023 Microsoft zero-day defeated Secure Boot, allowing an attacker to run self-signed UEFI-level code β enabling persistent firmware-level rootkits that survive OS reinstallation.
Firmware Rootkit
A type of malware that embeds itself at the firmware or UEFI level, below the operating system. Because the OS loads after firmware, a firmware rootkit is invisible to OS-level security tools and survives OS reinstallation β even a complete reformat and clean OS install does not remove it. Firmware rootkits are the deepest, most persistent form of system compromise. The May 2023 Microsoft Secure Boot zero-day enabled attackers to install firmware rootkits by allowing self-signed code to execute during the UEFI boot process.
Vulnerability Disclosure
The process by which a discovered vulnerability is reported and eventually made public. Responsible disclosure (coordinated disclosure): a researcher privately notifies the vendor, gives them time to develop a patch, then publicly discloses once the patch is available. Full disclosure: immediate public release of vulnerability details, which creates pressure on vendors to patch quickly but also immediately arms attackers. Bug bounty programs incentivize responsible disclosure by paying researchers who find and report vulnerabilities. Zero-day attacks occur when attackers find vulnerabilities and disclose to no one β they exploit in silence.
Signature-Based Detection
A security detection method that matches observed activity against a database of known attack patterns (signatures). Antivirus and many SIEM rules use signature-based detection. Signature-based detection is entirely ineffective against zero-day attacks β because the attack has never been seen before, no signature exists for it. This is one of the core reasons zero-day attacks are dangerous: the most widely deployed security tool (antivirus) will show a clean result even on a system that has been actively compromised by a zero-day exploit.
Behavioral Detection / EDR
Behavioral detection identifies threats based on what processes do, rather than what they look like. Instead of matching a known signature, behavioral detection flags anomalous activity: a browser spawning an unexpected child process, a process writing to an unusual memory location, an application making unexpected network connections. EDR (Endpoint Detection and Response) platforms implement behavioral detection on endpoints and are the primary technical tool for detecting zero-day attacks in progress. They cannot block the initial exploit (no signature) but can detect and alert on the post-exploitation behavior.
Defense-in-Depth (Zero-Day Context)
A security strategy that layers multiple independent controls so that failure of any one layer does not result in complete compromise. In the context of zero-day vulnerabilities, defense-in-depth is the primary defense strategy because no single control can prevent a zero-day. Layers relevant to zero-day defense: network segmentation (limits lateral movement after initial compromise), application sandboxing (contains damage if a process is exploited), EDR behavioral monitoring (detects post-exploitation activity without signatures), least privilege (limits what an attacker can do with compromised process credentials), and rapid patch deployment (minimizes exposure window once a patch is available).