Yes, several famous zero-day exploits have marked the history of cybersecurity. One of the most well-known is Stuxnet, a malware discovered in 2010, designed to sabotage nuclear centrifuges in Iran. It exploited several zero-day vulnerabilities in Windows, revealing the level of sophistication of certain offensive cyber operations.
Another example: WannaCry, a ransomware that struck hundreds of thousands of computers in 2017, exploited a Windows vulnerability revealed by the Shadow Brokers group. Although a patch had been released just before the attack, many systems were not up to date, showing that patch management remains a weak link. These examples are a reminder of the devastating impact that unpatched vulnerabilities can have.
A pentest can sometimes reveal a zero-day vulnerability, but it is not guaranteed. Pentests primarily rely on known vulnerabilities (CVEs, misconfigurations, risky practices), but it is possible that a manual test, a particular attack logic, or intuition may lead to the discovery of a previously unknown vulnerability.
However, the discovery of zero-days during a pentest remains rare and depends on the depth of the analysis, the experience of the testers, and the complexity of the system being tested. For this reason, some very advanced pentests include fuzzing or code audit phases specifically aimed at finding zero-days, particularly in high-stakes contexts (defense sector, finance, critical infrastructures).