Zero-Day Attacks Explained

March 18, 2021

What is a Zero-Day Vulnerability?

A zero-day vulnerability is an unknown security vulnerability or software flaw that a threat actor can target with malicious code. The term “Zero-Day” is used because the software vendor was unaware of their software vulnerability, and they’ve had “0” days to work on a security patch or an update to fix the issue.

Generally, when a zero-day vulnerability is discovered it gets added to the Common Vulnerabilities and Exposures (CVE) list. CVE is a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities.

The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services) with these definitions. CVE Records are comprised of an identification number, a description, and at least one public reference.

What is a Zero-Day Exploit?

A zero-day exploit is the technique or tactic a malicious actor uses to leverage the vulnerability to attack a system.

What is a Zero-Day Attack?

A zero-day attack occurs when a hacker releases malware to exploit the software vulnerability before the software developer has patched the flaw. Zero-day attacks are extremely dangerous for companies because they’re unknown and can be very difficult to detect, making them a serious security risk. It’s like a thief sneaking in through a backdoor that was accidentally left unlocked.

2021 CrowdStrike Global Threat Report

Download the 2021 Global Threat Report to uncover trends in attackers’ ever-evolving tactics, techniques, and procedures that our teams observed this past year.

Download Now

Zero-Day Examples

Below are just a known vulnerabilities that were discovered over the past couple of years: 

Kaseya Attack

On Friday, July 2, REvil ransomware operators managed to compromise Kaseya VSA software, used to monitor and manage Kaseya customer’s infrastructure. REvil ransomware operators used zero-day vulnerabilities to deliver a malicious update, compromising fewer than 60 Kaseya customers and 1,500 downstream companies, according to Kaseya’s public statement. Read On>

SonicWall VPN Vulnerability

On Feb. 4, 2021, SonicWall’s Product Security Incident Response Team (PSIRT) announced a new zero-day vulnerability, CVE-2021-20016, that affects its SMA (Secure Mobile Access) devices. Within the documentation, SonicWall stated this new vulnerability affects the SMA 100 series product, and updates are required for versions running 10.x firmware. SonicWall did not state if or how this newest exploit affects any older SRA VPN devices still in production environments. Read more>

MSRPC Printer Spooler Relay (CVE-2021-1678)

On Patch Tuesday, January 12, 2021, Microsoft released a patch for CVE-2021-1678, an important vulnerability discovered by CrowdStrike® researchers. This vulnerability allows an attacker to relay NTLM authentication sessions to an attacked machine, and use a printer spooler MSRPC interface to remotely execute code on the attacked machine.


On August 11, 2020 Microsoft released a security update including a patch for a critical vulnerability in the NETLOGON protocol (CVE-2020-1472) discovered by Secura researchers. Since no initial technical details were published, the CVE in the security update failed to receive much attention, even though it received a maximum CVSS score of 10.

This vulnerability allows an unauthenticated attacker with network access to a domain controller, to establish a vulnerable Netlogon session and eventually gain domain administrator privileges. The vulnerability is especially severe since the only requirement for a successful exploit is the ability to establish a connection with a domain controller.

Read our Zerologon Technical Analysis

NTLM Vulnerability

On June 2019 Patch Tuesday, Microsoft released patches for CVE-2019-1040 and CVE-2019-1019, two vulnerabilities discovered by Preempt (now CrowdStrike) researchers. The critical vulnerabilities consist of three logical flaws in NTLM (Microsoft’s proprietary authentication protocol). Preempt researchers were able to bypass all major NTLM protection mechanisms.

These vulnerabilities allow attackers to remotely execute malicious code on any Windows machine or authenticate to any HTTP server that supports Windows Integrated Authentication (WIA) such as Exchange or ADFS. All Windows versions which did not apply this patch are vulnerable.

Learn more about how this vulnerability was discovered


One of the most well-known zero-day attacks is Stuxnet, the worm believed to be responsible for causing considerable damage to Iran’s nuclear program. This worm exploited four different zero-day vulnerabilities in the Microsoft Windows operating system.

Protect Against Zero-day Attacks

To effectively detect and mitigate zero-day attacks, a coordinated defense is needed — one that includes both prevention technology and a thorough response plan in the event of an attack. Organizations can prepare for these stealthy and damaging events by deploying a complete endpoint security solution that combines technologies including next-gen antivirus (NGAV), endpoint detection and response (EDR) and threat intelligence.

Since software with vulnerabilities can be in any company’s environment, an attempted breach is inevitable, so it’s essential to have endpoint security with anti-exploit and post-exploit capabilities in place.

To optimize defense, organizations should implement the best prevention technology at the point of attack, while also having a plan for worst-case scenarios. Then, if an attacker is successful in getting into the network, the security team will have the tools, processes and technology in place to mitigate the event before real damage is done.

CrowdStrike Falcon® endpoint protection enables organizations to block zero-day exploits at the point of attack, using machine learning and behavioral analytics. The Falcon platform also includes automatic detection and prevention logic for post-exploitation activities so that security teams can gain immediate visibility into an attack, even if it bypasses other defenses.

Watch the video below to see how the Falcon platform stops a zero-day attack in its tracks:

Falcon not only detects indicators of attack (IOAs), it also includes exploit mitigation technology to prevent the successful exploitation of the underlying operating system. As a result, an adversary is prevented from using common exploitation techniques because the execution of exploit code is stopped at the endpoint, in real time, thereby blocking zero-day attacks that use previously undiscovered malware.

Falcon’s combination of IOA-based prevention technology and exploit mitigation techniques is a powerful defense against unknown, zero-day threats.

To learn more about CrowdStrike® Falcon and request a free trial, click the button below:

Start Free Trial