Zero-Day Attacks Explained

March 18, 2021

What is a Zero-Day Attack?

A zero-day exploit is malicious code that targets an unknown security vulnerability or software flaw. The security hole or flaw itself can also be referred to as a zero-day vulnerability.

A zero-day attack occurs when a hacker releases malware to exploit the software vulnerability before the software developer has patched the flaw.


Why are Zero-Day Attacks so dangerous?

Zero-day attacks are extremely dangerous for companies because they’re unknown and can be very difficult to detect, making them a serious security risk. It’s like a thief sneaking in through a backdoor that was accidentally left unlocked.

Read our blog post to learn how CrowdStrike discovered Hurricane Panda using CVE-2014-4113, a 64-bit zero-day escalation exploit that wreaked havoc on Windows machines.

Zero-day Examples

Generally, when a zero-day vulnerability is discovered it gets added to the Common Vulnerabilities and Exposures (CVE) list. CVE is a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities.

The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services) with these definitions. CVE Records are comprised of an identification number, a description, and at least one public reference.

Below are just a few examples of zero-day exploits that were discovered over the past couple of years: 

Zerologon

On August 11, 2020, Microsoft released a security update including a patch for a critical vulnerability in the NETLOGON protocol (CVE-2020-1472) discovered by Secura researchers. Since no technical details were published initially, the CVE in the security update received little attention, even though it carried a maximum CVSS score of 10.

This vulnerability allows an unauthenticated attacker with network access to a domain controller to establish a vulnerable Netlogon session and eventually gain domain administrator privileges. The vulnerability is especially severe because the only requirement for a successful exploit is the ability to establish a connection with a domain controller.
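A defender-side check that follows from the Zerologon patch, added here as an example and not part of the original article: after the August 2020 update, domain controllers log dedicated Netlogon events (IDs 5827 to 5831) whenever a vulnerable secure-channel connection is denied or, during the monitoring phase, still allowed. The script below parses such events and reports which accounts must be fixed or explicitly exempted before enforcement mode is turned on. The event IDs are Microsoft's; the single-line log format, the account names and the client addresses are constructed for the example.

```python
"""Summarize Netlogon secure-channel events logged after the CVE-2020-1472 update.

Added example, not from the original article. Assumes the domain-controller
event IDs Microsoft documented with the August 2020 update; the log line
format and the sample records are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Event IDs written by a patched domain controller (assumption: Microsoft's
# documented IDs for vulnerable Netlogon secure-channel connections).
NETLOGON_EVENTS = {
    5827: ("denied", "machine account"),
    5828: ("denied", "trust account"),
    5829: ("allowed (monitor mode)", "machine account"),
    5830: ("allowed by policy", "machine account"),
    5831: ("allowed by policy", "trust account"),
}

ALLOWED_OUTCOMES = {"allowed (monitor mode)", "allowed by policy"}


@dataclass
class NetlogonEvent:
    event_id: int
    account: str
    client_ip: str


def parse_line(line: str) -> Optional[NetlogonEvent]:
    """Parse one constructed log line such as
    'EventID=5829 Account=PRINTSRV01$ Client=10.0.0.5'.
    Returns None for malformed lines or events outside the Netlogon set."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        event_id = int(fields["EventID"])
    except (KeyError, ValueError):
        return None
    if event_id not in NETLOGON_EVENTS:
        return None
    return NetlogonEvent(event_id, fields.get("Account", "?"), fields.get("Client", "?"))


def summarize(lines: Iterable[str]) -> Dict[str, Counter]:
    """Count vulnerable-connection outcomes per account."""
    by_account: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        outcome, _kind = NETLOGON_EVENTS[event.event_id]
        by_account[event.account][outcome] += 1
    return dict(by_account)


def still_vulnerable(lines: Iterable[str]) -> List[str]:
    """Accounts that were *allowed* a vulnerable connection (5829/5830/5831).
    Each one is a device or trust that still speaks insecure Netlogon RPC and
    needs patching, a vendor fix, or a deliberate policy exception."""
    summary = summarize(lines)
    return sorted(
        account
        for account, outcomes in summary.items()
        if any(outcome in ALLOWED_OUTCOMES for outcome in outcomes)
    )


# Constructed sample records (not real logs).
SAMPLE_LINES = [
    "EventID=5829 Account=PRINTSRV01$ Client=10.0.0.5",
    "EventID=5829 Account=PRINTSRV01$ Client=10.0.0.5",
    "EventID=5827 Account=OLDNAS$ Client=10.0.0.9",
    "EventID=4624 Account=alice Client=10.0.0.2",   # unrelated logon event, ignored
    "EventID=5830 Account=LEGACYAPP$ Client=10.0.0.7",
    "not a log line at all",
]

if __name__ == "__main__":
    for account, outcomes in summarize(SAMPLE_LINES).items():
        print(account, dict(outcomes))
    print("accounts still using vulnerable Netlogon connections:",
          still_vulnerable(SAMPLE_LINES))
```

Accounts listed by `still_vulnerable` are the ones that would break once the domain controller enforces secure RPC, so they are the to-do list for the patch rollout; denied events (5827/5828) show connections the update has already blocked.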

Read our Zerologon Technical Analysis

NTLM Vulnerability

On June 2019 Patch Tuesday, Microsoft released patches for CVE-2019-1040 and CVE-2019-1019, two vulnerabilities discovered by Preempt (now CrowdStrike) researchers. The critical vulnerabilities consist of three logical flaws in NTLM (Microsoft’s proprietary authentication protocol). Preempt researchers were able to bypass all major NTLM protection mechanisms.

These vulnerabilities allow attackers to remotely execute malicious code on any Windows machine or authenticate to any HTTP server that supports Windows Integrated Authentication (WIA) such as Exchange or ADFS. All Windows versions which did not apply this patch are vulnerable.

Learn more about how this vulnerability was discovered

CredSSP Vulnerability

On March Patch Tuesday, Microsoft released a patch for CVE-2018-0886, a vulnerability discovered by Preempt (now CrowdStrike) researchers. The vulnerability consists of a logical flaw in the Credential Security Support Provider protocol (CredSSP), which is used by RDP (Remote Desktop Protocol) and Windows Remote Management (WinRM) and which is responsible for securely forwarding credentials to target servers.

Attackers can exploit the vulnerability through a man-in-the-middle attack to gain the ability to run code remotely on previously uninfected machines in the attacked network. In many real-world scenarios where the victim network has vulnerable network equipment, this could let an attacker move laterally through the victim’s network and even infect domain controllers with malicious software. No attacks had been detected in the wild by Preempt at the time of the original publication.

Read more about the CredSSP vulnerability


One of the most well-known zero-day attacks is Stuxnet, the worm believed to be responsible for causing considerable damage to Iran’s nuclear program. This worm exploited four different zero-day vulnerabilities in the Microsoft Windows operating system.

Why is it called Zero Day?

In cybersecurity, the term “Zero-Day” is used because the software vendor was unaware of their software vulnerability, and they’ve had “0” days to work on a security patch or an update to fix the issue.

Once a patch has been released, the vulnerability is no longer called “zero-day.”

Detecting and Defending Against Zero-day Attacks

To effectively detect and mitigate zero-day attacks, a coordinated defense is needed — one that includes both prevention technology and a thorough response plan in the event of an attack. Organizations can prepare for these stealthy and damaging events by deploying a complete endpoint security solution that combines technologies including next-gen antivirus (NGAV), endpoint detection and response (EDR) and threat intelligence.

Since software with vulnerabilities can be in any company’s environment, an attempted breach is inevitable, so it’s essential to have endpoint security with anti-exploit and post-exploit capabilities in place.

To optimize defense, organizations should implement the best prevention technology at the point of attack, while also having a plan for worst-case scenarios. Then, if an attacker is successful in getting into the network, the security team will have the tools, processes and technology in place to mitigate the event before real damage is done.

CrowdStrike Falcon® endpoint protection enables organizations to block zero-day exploits at the point of attack, using machine learning and behavioral analytics. The Falcon platform also includes automatic detection and prevention logic for post-exploitation activities so that security teams can gain immediate visibility into an attack, even if it bypasses other defenses.


Falcon not only detects indicators of attack (IOAs), it also includes exploit mitigation technology to prevent the successful exploitation of the underlying operating system. As a result, an adversary is prevented from using common exploitation techniques because the execution of exploit code is stopped at the endpoint, in real time, thereby blocking zero-day attacks that use previously undiscovered malware.

Falcon’s combination of IOA-based prevention technology and exploit mitigation techniques is a powerful defense against unknown, zero-day threats.
