FAQ

FAQ : #Zero-day

Exploiting a zero-day vulnerability relies on developing a specific exploit, meaning code or a method capable of leveraging the flaw before it is patched. The attacker can integrate it into a booby-trapped document, a website, malware, or a phishing email.

Once the exploit is launched, it can allow the attacker to take control of the system, install a Trojan horse, open a backdoor, or extract data. The particularity of a zero-day exploit is that it evades traditional detection mechanisms because it relies on a weakness that is still unknown to the vendor and to defenders.

#Zero-day

A zero-day vulnerability is a security flaw unknown to the manufacturer or publisher of a software product, hardware component, or system. It is called "zero-day" because the publisher has had zero days to fix the vulnerability at the time it is discovered or exploited. Therefore, it has not yet been the subject of an official patch or public reporting.

These flaws can exist for months, or even years, without being detected. When they are found by cybercriminals or state-sponsored groups, they can be exploited discreetly, making their potential impact very serious.

#Zero-day

A CVE (Common Vulnerabilities and Exposures) is a security flaw that has already been identified, documented, and published in an official database. It is known to the public, and generally, patches are in progress or already available. In contrast, a zero-day is a flaw that has not yet been disclosed, and therefore not recorded in a CVE at the time of its discovery.

In other words, any zero-day can become a CVE, but not all CVEs are zero-days. The major risk of a zero-day is precisely that it can be exploited before it is even reported, whereas a CVE is by definition a vulnerability in the process of being addressed or corrected.

#Zero-day #CVE

A CVE is simply a public declaration that a flaw exists in a given product, while an exploited vulnerability means that an attacker is actively using this flaw to compromise systems. In other words, not all CVEs are exploited in real-world conditions: some may remain theoretical or of purely technical interest.

Conversely, a vulnerability can be exploited without yet having received a CVE; this is what is called a zero-day. To assess the real danger of a CVE, it is necessary to consult additional information such as CISA's KEV (Known Exploited Vulnerabilities) catalog or the EPSS (Exploit Prediction Scoring System) score, which indicate whether the flaw is actively used in cyberattacks. This information is available directly from our website CVE Find.

#CVE #CISA #KEV #Zero-day
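As an added illustration of the prioritisation described above (this is example code, not code from CVE Find), the helper below ranks a CVE by first checking KEV membership and then falling back to its EPSS probability. It assumes the field names of the public KEV and EPSS JSON feeds; the records and CVE ids embedded here are constructed placeholders, and the 0.1 EPSS threshold is an arbitrary choice for the example.

```python
import json

# Constructed sample in the shape of the CISA KEV catalog feed
# (placeholder CVE ids, not real catalog entries).
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor", "product": "ExampleApp",
   "dateAdded": "2024-01-10", "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known"}
]}"""

# Constructed sample in the shape of the FIRST EPSS API response.
EPSS_JSON = """{"data": [
  {"cve": "CVE-1900-0001", "epss": "0.912340000", "percentile": "0.998700000", "date": "2024-02-01"},
  {"cve": "CVE-1900-0002", "epss": "0.000430000", "percentile": "0.101200000", "date": "2024-02-01"}
]}"""


def load_kev(text):
    """Index KEV entries by CVE id."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def load_epss(text):
    """Map CVE id -> (exploitation probability, percentile) as floats."""
    return {r["cve"]: (float(r["epss"]), float(r["percentile"]))
            for r in json.loads(text)["data"]}


def triage(cve_id, kev, epss, epss_threshold=0.1):
    """Return (tier, reason). KEV membership (confirmed exploitation) outranks
    any EPSS prediction; a CVE absent from both feeds is reported as unknown
    rather than silently treated as low risk."""
    if cve_id in kev:
        entry = kev[cve_id]
        tier = "critical" if entry.get("knownRansomwareCampaignUse") == "Known" else "high"
        return tier, f"in CISA KEV since {entry['dateAdded']} (remediation due {entry['dueDate']})"
    if cve_id not in epss:
        return "unknown", "no EPSS record; check the vendor advisory"
    prob, pct = epss[cve_id]
    tier = "high" if prob >= epss_threshold else "low"
    return tier, f"EPSS {prob:.3f} (percentile {pct:.3f})"


if __name__ == "__main__":
    kev, epss = load_kev(KEV_JSON), load_epss(EPSS_JSON)
    for cve in ("CVE-1900-0001", "CVE-1900-0002", "CVE-1900-0003"):
        print(cve, *triage(cve, kev, epss))
```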

Zero-day vulnerabilities are particularly dangerous because they are unknown to vendors, users, and often traditional security solutions (antivirus, IDS, etc.). This means that there is no fix, no patch, and often no detection or protection mechanism at the time of the attack.

Attackers can therefore exploit them without being detected, often as part of targeted and sophisticated attacks (cyber espionage, sabotage, prolonged access to a system). Their value is so high that some zero-days are resold on the dark web or to government actors for hundreds of thousands of euros.

#Zero-day