Yes, several famous zero-day exploits have marked the history of cybersecurity. One of the best known is Stuxnet, a malware discovered in 2010 and designed to sabotage uranium enrichment centrifuges in Iran. It chained four previously unknown Windows vulnerabilities, revealing the level of sophistication that some offensive cyber operations had reached.
Another example: WannaCry, a ransomware that struck hundreds of thousands of computers in May 2017, exploited a Windows SMB vulnerability whose exploit (EternalBlue) had been published by the Shadow Brokers group a month earlier. Microsoft had already released a patch (MS17-010) in March 2017, two months before the outbreak, so strictly speaking the flaw was no longer a zero-day when WannaCry spread; many systems were simply not up to date, which shows that patch management remains a weak link. These two cases illustrate both faces of the problem: the damage a genuinely unknown flaw can do, and the damage a known but unpatched flaw can do.
A pentest can sometimes reveal a zero-day vulnerability, but it is not guaranteed. Pentests primarily rely on known vulnerabilities (CVEs, misconfigurations, risky practices), but it is possible that a manual test, a particular attack logic, or intuition may lead to the discovery of a previously unknown vulnerability.
However, the discovery of zero-days during a pentest remains rare and depends on the depth of the analysis, the experience of the testers, and the complexity of the system being tested. For this reason, some very advanced pentests include fuzzing or code audit phases specifically aimed at finding zero-days, particularly in high-stakes contexts (defense sector, finance, critical infrastructures).
Exploiting a zero-day vulnerability relies on developing a specific exploit, meaning code or a method capable of leveraging the flaw before it is patched. The attacker then needs a delivery vector: a booby-trapped document, a malicious or compromised website, a piece of malware, or a phishing email.
Once the exploit runs, it can allow the attacker to take control of the system, install a Trojan horse, open a backdoor, or extract data. The particularity of a zero-day exploit is that it evades signature-based defences (antivirus, IDS rules), because nobody has yet written a signature for a flaw that is unknown to the vendor. The caveat is that the exploit itself is only the first step: the activity that follows it (unexpected child processes, new persistence entries, outbound connections) is the same as for any intrusion and can still be caught by behavioural monitoring and endpoint telemetry.
A zero-day vulnerability is a security flaw unknown to the manufacturer or publisher of a software, hardware, or system. It is called "zero-day" because the publisher has had zero days to fix the vulnerability at the time it is discovered or exploited. Therefore, it has not yet been the subject of an official patch or public reporting.
These flaws can exist for months, or even years, without being detected. When they are found by cybercriminals or state-sponsored groups, they can be exploited discreetly, making their potential impact very serious.
A CVE (Common Vulnerabilities and Exposures) identifier is assigned to a vulnerability that has been publicly disclosed and recorded in the CVE list. It is known to the public, and in most cases a patch is in progress or already available. In contrast, a zero-day is a flaw that has not yet been disclosed, and therefore has no CVE identifier at the time of its discovery; a CVE is usually assigned only when the vendor publishes a fix or when exploitation in the wild is discovered and made public.
In other words, any zero-day can become a CVE, but not all CVEs are zero-days. The major risk of a zero-day is precisely that it can be exploited before it is even reported, whereas a CVE is by definition a publicly known vulnerability, which gives defenders something to track, prioritise and patch. Note that publication does not guarantee remediation: some CVEs never receive a fix, and a CVE with an available patch that has not been applied is still a live exposure, as WannaCry showed.
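The distinction above (zero-day, publicly known but unpatched, and patched but not applied) is really a question of dates. The following Python example, added here and not part of the original page, classifies a vulnerability's state on a given day from its timeline and computes the "patch gap", the number of days a fix had been available when exploitation occurred. The WannaCry timeline uses the public dates for MS17-010 (2017-03-14), the Shadow Brokers leak (2017-04-14) and the outbreak (2017-05-12); the second timeline is a constructed hypothetical, used only to show the zero-day branch.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class VulnTimeline:
    """Dates that decide whether an exploitation counts as zero-day.

    None means the event has not happened (yet).
    """
    name: str
    public_disclosure: Optional[date]   # details / CVE made public
    patch_released: Optional[date]      # official fix available
    exploited: Optional[date]           # exploitation in the wild being examined


def state_on(t: VulnTimeline, day: date) -> str:
    """State of the flaw on a given day.

    'n-day'           : a patch exists, so exploitation is a patch-management failure
    'unpatched-public': publicly known (e.g. CVE published) but no fix yet
    'zero-day'        : not public, no patch; the vendor has had zero days to fix it
    """
    if t.patch_released is not None and day >= t.patch_released:
        return "n-day"
    if t.public_disclosure is not None and day >= t.public_disclosure:
        return "unpatched-public"
    return "zero-day"


def exploitation_class(t: VulnTimeline) -> str:
    """Classify the recorded in-the-wild exploitation of this flaw."""
    if t.exploited is None:
        raise ValueError(f"{t.name}: no exploitation date recorded")
    return state_on(t, t.exploited)


def patch_gap_days(t: VulnTimeline) -> Optional[int]:
    """Days a fix had been available when exploitation occurred.

    Returns None when no fix existed at that time (a true zero-day or an
    unpatched public flaw), which is the case defenders cannot patch their way
    out of; any positive number is exposure that patching would have removed.
    """
    if t.exploited is None or t.patch_released is None:
        return None
    if t.exploited < t.patch_released:
        return None
    return (t.exploited - t.patch_released).days


# Public dates: MS17-010 (CVE-2017-0144) fix and bulletin on 2017-03-14,
# EternalBlue leaked 2017-04-14, WannaCry outbreak 2017-05-12.
WANNACRY = VulnTimeline(
    name="EternalBlue as used by WannaCry",
    public_disclosure=date(2017, 3, 14),
    patch_released=date(2017, 3, 14),
    exploited=date(2017, 5, 12),
)

# Constructed hypothetical: exploitation seen before any disclosure or patch.
HYPOTHETICAL_ZERO_DAY = VulnTimeline(
    name="hypothetical flaw exploited before disclosure",
    public_disclosure=date(2024, 6, 1),
    patch_released=date(2024, 6, 10),
    exploited=date(2024, 3, 20),
)


def report(t: VulnTimeline) -> dict:
    """Summary a defender would want: was it a zero-day, and how long was the fix ignored?"""
    return {
        "name": t.name,
        "exploitation": exploitation_class(t),
        "patch_gap_days": patch_gap_days(t),
    }


if __name__ == "__main__":
    for timeline in (WANNACRY, HYPOTHETICAL_ZERO_DAY):
        print(report(timeline))
```

For WannaCry the report shows an n-day exploitation with a 59-day patch gap; for the constructed timeline it shows a zero-day exploitation with no patch gap, because no fix existed to apply. The same functions can be run over an organisation's own vulnerability records to separate the incidents that patching would have prevented from the ones it could not.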
Zero-day vulnerabilities are particularly dangerous because they are unknown to vendors, users, and often traditional security solutions (antivirus, IDS, etc.). This means that there is no fix, no patch, and often no detection or protection mechanism at the time of the attack.
Attackers can therefore exploit them without being detected, often as part of targeted and sophisticated attacks (cyber espionage, sabotage, prolonged access to a system). Their value is so high that some zero-days are sold to exploit brokers, on underground markets, or directly to government actors for hundreds of thousands of euros, and full exploit chains against widely used platforms command even more.