Understanding and Defending Against Zero-Day Vulnerabilities

Critical Start Cyber Research Unit
June 23, 2026

Executive Summary

A zero-day vulnerability is a security flaw that attackers exploit before the vendor knows it exists and before any patch is available. Defenders cannot remediate what has not been disclosed. That asymmetry defines the problem.

In 2025, Google Threat Intelligence Group tracked 90 zero-days exploited in the wild, a 15% increase from 2024, with enterprise technologies targeted at an all-time high of 48% of all tracked exploitation. The mean time to exploit has turned negative: attackers exploit, on average, seven days before a vulnerability is publicly disclosed. The patching model that has anchored enterprise security for two decades has already failed to close this gap.

This research article covers the current exploitation landscape, how zero-days are disclosed and weaponized, the Nightmare Eclipse disclosure events and their implications, three other high-impact vulnerabilities from 2026, the role of artificial intelligence in accelerating discovery, and what organizations can do when no patch exists.

Introduction

The term "zero-day" originates from the software development world. A zero-day vulnerability is a security flaw for which the developer has had zero days to prepare a defense, because the vulnerability is already being weaponized before the vendor is even aware it exists. This asymmetry is the defining characteristic of the threat: defenders cannot patch what they do not know about, and attackers can operate in this gap for days, weeks, or even months before detection.

Zero-day vulnerabilities exist across every major software category, including operating systems, web browsers, enterprise applications, and network edge devices such as firewalls and VPN appliances. When security researchers or threat actors discover a flaw before the vendor does, the flaw is classified as a zero-day. Once a patch is publicly available, the vulnerability becomes a known issue, though a subset of organizations will remain exposed long after a fix is released.

The global attack surface has expanded considerably with the growth of cloud computing, remote work infrastructure, and complex software supply chains. The number of CVEs published in 2025 reached 48,185, a 20.6% increase over 39,962 published in 2024, averaging more than 130 new vulnerabilities every single day. Within that volume, the subset actively exploited before a patch exists represents the sharpest end of the threat landscape.

The Zero-Day Vulnerability Lifecycle

Understanding how zero-day vulnerabilities move from initial discovery through to exploitation, disclosure, and eventual remediation helps organizations identify where defensive interventions are possible and, critically, where they are not. The lifecycle is not a linear process: exploitation routinely precedes disclosure, patches arrive after damage is done, and deployment lags extend attacker dwell time well beyond what any severity score anticipates.

Discovery

A zero-day vulnerability begins with a flaw: a coding error, architectural weakness, or logic issue introduced during software development. These are not always the result of negligence. Complex software systems involve millions of lines of code, third-party library dependencies, and architectural decisions made years earlier that may not have anticipated current attack conditions. The flaw is discovered either by a security researcher, a threat actor, or in some cases simultaneously by both.

Researchers who discover flaws typically follow coordinated disclosure practices, notifying the vendor privately and allowing time for a patch before any public release. Threat actors who find the same flaw have no such obligation. They will begin exploitation immediately, sell the capability on the private market, or both. The critical variable at this stage is who finds it first and what they do with it.

Weaponization

Once a threat actor identifies a vulnerability, they develop an exploit: code or a technique engineered to abuse the flaw and achieve a target objective such as remote code execution, privilege escalation, or unauthorized access to protected resources. This is the weaponization stage. The flaw becomes an operational capability.

Weaponization speed has accelerated substantially. In Q1 2025, approximately 28% of observed exploits were deployed within 24 hours of CVE disclosure. For true zero-days, weaponization occurs entirely outside the vendor's awareness, with no disclosure, no CVE, and no patch in development.

Exploitation Window

With a weaponized capability, the threat actor executes the exploit against target systems. The most commonly observed MITRE ATT&CK techniques at this stage are Exploit Public-Facing Application (T1190) and Exploitation for Client Execution (T1203).

Once initial access is established, post-exploitation activity begins rapidly: lateral movement, credential access, and data exfiltration typically follow within hours. A critical insight for defenders is that even when the initial exploit is entirely novel, post-exploitation TTPs nearly always map to documented adversary behavior. The initial access vector may be unknown. The subsequent kill chain usually is not. This is the foundation for behavioral detection as a primary compensating control.

This window has grown structurally more dangerous as AI-assisted discovery compresses the time from flaw identification to weaponization. CrowdStrike's 2026 Global Threat Report found that 42% of exploited vulnerabilities were attacked before public disclosure. VulnCheck reported that 32.1% of Known Exploited Vulnerabilities in H1 2025 had exploitation evidence on or before the day their CVE was published. By 2026, 67.2% of exploited CVEs are classified as zero-days, up from 16.1% in 2018.

During this window, CVSS scores are not a useful prioritization tool because the vulnerability has not yet been publicly scored or in many cases even identified by the vendor. Compensating controls, including network segmentation, behavioral detection, and least-privilege access, are not fallback measures here. They are the only measures available.

Disclosure

A zero-day enters the public record when it is discovered independently by the vendor, reported by a researcher, or identified by a security organization during incident response. Once disclosed, the vulnerability receives a CVE identifier from MITRE, a CVSS severity score, and is evaluated for inclusion in the CISA Known Exploited Vulnerabilities catalog.

When researchers conclude that vendor processes have failed them, some choose to publish proof-of-concept code publicly. When a working PoC is published, the exploitation risk peaks immediately: automated scanning tools allow threat actors to identify and target vulnerable systems within minutes. Disclosure does not mean safety. For many organizations, it marks the beginning of the highest-risk phase.

Patch Release and Deployment

Vendors develop and release patches at varying speeds depending on the complexity of the fix, the severity of the vulnerability, and their internal release cadence. Organizations that prioritize patching based solely on CVE age or CVSS score risk leaving actively weaponized vulnerabilities in their environment while addressing lower-priority issues. Exploitation-evidence-based prioritization, using CISA KEV and supplementary sources, is a more operationally sound approach.

Even when patches exist, deployment is not instantaneous. Enterprise environments require compatibility testing, change management windows, and coordinated downtime. In OT and ICS environments, systems may not be patchable without disrupting critical operations entirely. Analysis found that 50% of critical CISA KEV network-related vulnerabilities remain unpatched 55 days after a fix becomes available. That 55-day window is where the majority of successful exploitation occurs after disclosure.

In some cases, no patch arrives at all. A vendor may decline to remediate a confirmed exploited vulnerability, as occurred with an Arista EOS zero-day confirmed in June 2026. In those scenarios, compensating controls are not a stopgap. They are the permanent defense.

The Scale of the Zero-Day Problem

In 2025, 48,185 CVEs were published, a 20.6% year-over-year increase, averaging 133 new vulnerabilities every single day. Security teams cannot keep pace with that volume. The CISA Known Exploited Vulnerabilities catalog reached 1,484 entries after 245 additions in 2025. VulnCheck found that 884 CVEs were newly exploited in 2025 alone. CISA captured fewer than 28% of them. Organizations relying solely on the CISA KEV catalog for patch prioritization have a significant blind spot.

The financial stakes are equally stark. The global average cost of a data breach reached $4.44 million in 2025, with the United States averaging $10.22 million per incident, an all-time high. Healthcare breaches averaged $7.42 million; financial services $5.56 million. The average breach lifecycle stood at 241 days from initial compromise to full containment. Against a threat that weaponizes in hours, a 241-day response lifecycle is not a defense.

Defending Against Zero-Days: Why It Is Difficult and Not Impossible

The central challenge is structural. A zero-day by definition has no patch when exploitation begins. Traditional security controls — signature-based antivirus, vulnerability scanners, and patch management programs — are all reactive instruments. They respond to what is already known. Zero-days operate in the space before knowledge is established. The challenge is real. It is not, however, insurmountable.

The CVSS Problem

Most vulnerability management programs are built around the Common Vulnerability Scoring System, a standardized severity metric ranging from 0 to 10. CVSS measures how bad a vulnerability could be in isolation: its attack vector, complexity, required privileges, and potential impact. What it does not measure is whether a vulnerability is being actively exploited in the wild right now.

This creates a dangerous prioritization gap. A vulnerability scored CVSS 6.5 that is actively weaponized and confirmed in CISA's KEV catalog is a more immediate threat than a CVSS 9.8 flaw with no public exploit code and no observed exploitation. Prioritizing by severity score alone means some of the most dangerous active threats get deprioritized while teams spend cycles on theoretical high-severity issues that no attacker is currently using.

The practical fix: supplement CVSS with exploitation evidence. A vulnerability confirmed in CISA KEV, VulnCheck KEV, or active threat intelligence feeds deserves emergency-tier response regardless of its numeric score. A low CVSS score does not mean low risk when exploitation is confirmed.

The Patch Paradox

Even when patches exist, deployment is not instantaneous. Enterprise environments involve compatibility testing, change management windows, coordinated downtime, and in OT or ICS environments, systems that cannot be taken offline without disrupting critical operations. Analysis found that 50% of critical CISA KEV vulnerabilities remain unpatched 55 days after a fix becomes available. That 55-day gap is where most successful post-disclosure exploitation occurs.

The Arista EOS zero-day, actively exploited and confirmed by the vendor in June 2026, illustrates the extreme end of this problem: Arista publicly stated that no patch is planned. When a vendor declines to remediate a confirmed exploited vulnerability, compensating controls are not optional. They are the only defense available.

The Detection Gap

Signature-based detection tools cannot flag what they have never seen. During the zero-day exploitation window, before a CVE is assigned and before vendor signatures are updated, behavioral detection is the only viable mechanism. EDR tools monitoring for post-exploitation behavior, credential access, lateral movement, and privilege escalation are more valuable against zero-days than tools watching for known malicious files or network signatures.

The Collapse of Time to Exploit

The time between public disclosure and active exploitation has collapsed at a rate that makes traditional patch cycles structurally obsolete. In 2018, the median time from disclosure to first confirmed exploitation was 771 days. By 2021, it had compressed to 84 days. By 2023, six days. By 2024, an average of five days. In 2025, Mandiant's M-Trends 2026 report documented a mean time to exploit of negative seven days, meaning exploitation was observed, on average, a week before the vulnerability was publicly disclosed.

CrowdStrike's 2026 Global Threat Report found that 42% of exploited vulnerabilities were attacked before public disclosure. VulnCheck reported that 32.1% of Known Exploited Vulnerabilities in H1 2025 had exploitation evidence on or before the day their CVE was published. By 2026, 67.2% of exploited CVEs are classified as zero-days, up from 16.1% in 2018. By the time a patch is released, exploitation is already underway. By the time the average enterprise deploys that patch, the attacker has had weeks of uncontested access.

When a proof-of-concept is published to GitHub alongside a disclosure, the time to exploitation can be measured in hours. Automated scanning tools such as Shodan and FOFA allow even unsophisticated actors to identify vulnerable systems across the internet within minutes of a PoC becoming public.

The Coordinated Disclosure System and Its Pressures

Coordinated vulnerability disclosure is the norm that has structured the security research community for decades. A researcher discovers a flaw, notifies the vendor privately, allows a reasonable window — typically 90 days, as codified by Google Project Zero — for a patch to be developed, and then publishes findings publicly. The model works when vendors respond in good faith and within agreed timelines.

That norm is under visible strain. Researchers who submit vulnerability reports and receive no response, inadequate credit, or legal pressure face a genuine question about the incentive to follow coordinated disclosure. When that process breaks down, defenders lose the advance warning window that coordinated disclosure is designed to provide. Public PoC repositories must therefore be treated as part of the active threat intelligence feed, not a separate research channel.

Zero-Day Vulnerability Trends: 2026 in Review

Drawing on public research and vulnerability trends observed across major threat intelligence sources [1][4][7], this article maps the zero-day lifecycle across five stages, as illustrated in the Critical Start lifecycle diagram below.

Nightmare Eclipse: A Case Study in Coordinated Disclosure Failure

Beginning in April 2026 and continuing through the publication of this article, a researcher or group operating under the aliases Nightmare Eclipse and Chaotic Eclipse publicly released eight Windows zero-day exploits across two coordinated campaigns, with working proof-of-concept code. The releases impact Microsoft Defender in the first cluster, and Windows encryption and privilege escalation mechanisms in the second.

The researcher's stated motivation was institutional dissatisfaction with how Microsoft's Security Response Center handled prior responsible disclosure submissions. The Nightmare Eclipse events are not primarily a story about malicious actors. They are a story about what happens when the system that is supposed to bridge researcher and vendor breaks down, and the consequences that flow to organizations that had no part in the dispute.

Between April 3 and April 16, 2026, three vulnerabilities impacting Microsoft Defender were released. They represent an attack chain: escalate privileges with BlueHammer or RedSun, then blind the endpoint with UnDefend so that subsequent activity goes undetected. Huntress Labs observed active exploitation of all three beginning April 10, 2026.

The chain in practice: an attacker with a standard user account drops a file engineered to trigger a Defender detection into a user-writable directory. The TOCTOU race in Defender's remediation engine fires, escalating the attacker to SYSTEM. UnDefend is then deployed to freeze Defender's signature updates while reporting the endpoint as healthy to the management console.

Microsoft patched BlueHammer (CVE-2026-33825, CVSS 7.8) in the April 14, 2026 Patch Tuesday release, one week after the PoC dropped. RedSun (CVE-2026-41091) and UnDefend (CVE-2026-45498) were patched in May 2026. A second wave of five exploits followed in May and June 2026, broadening the attack surface to BitLocker full-disk encryption and core Windows privilege escalation. RoguePlanet and GreatXML, the final two, remain without assigned CVEs at the time of publication.

On May 27, 2026, Microsoft's MSRC team published a statement characterizing the disclosures as putting customers at unnecessary risk and reiterating that uncoordinated disclosures with public PoC code are never justifiable. The post also walked back an earlier threatened legal action against the researcher. The episode illustrates the bidirectional chilling effect of vendor legal pressure: it discourages responsible disclosure by researchers who fear retaliation and can accelerate adversarial disclosure as a countermeasure. Neither outcome serves defenders.

The eight exploits form a coherent offensive toolkit:

  • Three independent paths to SYSTEM-level privilege escalation on fully patched Windows systems (BlueHammer, RedSun, MiniPlasma, and RoguePlanet)
  • Two methods to bypass BitLocker full-disk encryption with physical access (YellowKey and GreatXML)
  • A tool to blind the primary endpoint protection layer while maintaining a healthy appearance to EDR management consoles (UnDefend)

Organizations should treat the Nightmare Eclipse exploits as an active, ongoing threat rather than a resolved historical event. Two exploits remain unpatched at the time of publication. Public PoC code for all eight is available, indexed, and actively monitored by threat actors.

The practical implication for defenders extends beyond any individual patch: Microsoft's official communications do not represent a complete picture of this campaign. RoguePlanet and GreatXML require independent compensating controls regardless of their absence from the MSRC post. Patch status should always be verified against the Security Update Guide directly, not inferred from the absence of an official acknowledgment.
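A defender-side check for the UnDefend behaviour described above (signature updates frozen while the endpoint is reported healthy to the console) and for the point that status should be verified directly rather than inferred. This is an added example, not Critical Start's or Microsoft's code: the console export, per-host records, signature version strings and the 48-hour threshold are all constructed, and the host-side fields are the kind a per-host query such as PowerShell's Get-MpComputerStatus would supply.

```python
"""Cross-check endpoint-protection health against host-side telemetry.

A console that says "healthy" is not evidence that signatures are current:
compare the console's view with values collected from each host itself."""
from datetime import datetime, timedelta, timezone

MAX_SIGNATURE_AGE = timedelta(hours=48)  # assumption: tune to your update cadence
NOW = datetime(2026, 6, 20, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo

# Constructed export from the management console: what the control plane believes.
CONSOLE = {
    "ws-101": {"status": "healthy", "sig_version": "1.431.2000.0"},
    "ws-102": {"status": "healthy", "sig_version": "1.431.2000.0"},
    "ws-103": {"status": "healthy", "sig_version": "1.431.2000.0"},
    "ws-104": {"status": "unhealthy", "sig_version": "1.430.100.0"},
}

# Constructed per-host telemetry (fields of the kind Get-MpComputerStatus returns:
# AntivirusSignatureVersion, AntivirusSignatureLastUpdated, RealTimeProtectionEnabled).
# ws-102's updates have been frozen for nine days while the console still says healthy.
HOSTS = {
    "ws-101": {"sig_version": "1.431.2000.0", "sig_updated": "2026-06-20T06:00:00Z", "rtp": True},
    "ws-102": {"sig_version": "1.429.50.0", "sig_updated": "2026-06-11T04:00:00Z", "rtp": True},
    "ws-103": {"sig_version": "1.431.2000.0", "sig_updated": "2026-06-20T05:00:00Z", "rtp": False},
    "ws-105": {"sig_version": "1.431.2000.0", "sig_updated": "2026-06-20T06:00:00Z", "rtp": True},
}


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit(console, hosts, now=NOW, max_age=MAX_SIGNATURE_AGE):
    """Return (host, finding) pairs where the console view and host telemetry disagree."""
    findings = []
    for host, tele in hosts.items():
        view = console.get(host)
        if view is None:
            findings.append((host, "not_reporting_to_console"))
            continue
        if view["status"] == "healthy":
            if now - parse_ts(tele["sig_updated"]) > max_age:
                findings.append((host, "stale_signatures_despite_healthy_status"))
            if not tele["rtp"]:
                findings.append((host, "realtime_protection_off_despite_healthy_status"))
        if view["sig_version"] != tele["sig_version"]:
            findings.append((host, "console_host_version_mismatch"))
    for host in sorted(console.keys() - hosts.keys()):
        findings.append((host, "no_host_telemetry"))  # console entry, no host data
    return sorted(findings)


if __name__ == "__main__":
    for host, finding in audit(CONSOLE, HOSTS):
        print(f"{host}: {finding}")
```

Hosts that appear healthy in the console but whose own signature timestamp has not moved are the ones to triage first; the version mismatch on the same host is the corroborating signal.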

Other Zero-Days Worth Watching

Beyond Nightmare Eclipse, the broader 2026 landscape reflects the same structural pressures across multiple vendors and attack categories:

CVE-2026-50751 — Check Point VPN: Authentication bypass in Check Point Remote Access VPN and Mobile Access, exploited by Qilin ransomware affiliates from May 7, 2026, a full month before public disclosure. CISA issued a 3-day patch deadline for federal agencies. Patched June 2026; added to CISA KEV.

CVE-2026-20245 — Cisco SD-WAN: The seventh Cisco Catalyst SD-WAN zero-day exploited in 2026. Allows authenticated attackers with network admin access to execute root commands and push unauthorized configurations to edge devices. No patch at time of disclosure. Patched June 2026; added to CISA KEV.

CVE-2026-35616 — FortiClient EMS: Critical unauthenticated remote code execution in Fortinet FortiClient EMS. CVSS 9.8. Exploitation observed from March 31, 2026. Hotfix issued; full patch pending. Added to CISA KEV.

June 2026's Patch Tuesday was the largest in Microsoft's recorded history, addressing 198 to 208 CVEs including six zero-days in a single release. Chrome has had at least five actively exploited zero-days patched in 2026 alone. Cisco's Catalyst SD-WAN product line has had approximately seven zero-days exploited in 2026. The pattern is not isolated incidents. It is sustained, broad-surface exploitation across enterprise infrastructure.

The AI Inflection Point

Artificial intelligence is no longer a theoretical catalyst for zero-day discovery. It is an operational one. In May 2026, Anthropic's Claude Mythos Preview model autonomously discovered thousands of zero-day vulnerabilities across major operating systems and browsers. In one documented campaign targeting OpenBSD across 1,000 scaffold runs, the total compute cost was under $20,000. For context, a single commercially brokered zero-day for a major operating system can sell for $1 million or more on the gray market. AI has reduced the cost of zero-day discovery by orders of magnitude.

A separate development from May 2026: an AI pipeline surfaced over 300 WordPress plugin zero-days in three days at approximately $20 per vulnerability, straining global coordinated disclosure programs that were not designed to absorb that discovery rate. The disclosure infrastructure that researchers and vendors rely on assumes a human-paced discovery rate. AI-assisted discovery has already broken that assumption.

The defensive side of AI is also real. Organizations deploying AI and automation in security operations experienced average breach costs of $3.84 million in 2025, compared to $5.72 million for those without. AI-assisted detection, automated triage, and behavioral anomaly identification are measurable cost reducers. The gap, however, is that offensive AI is already deployed at scale by well-resourced threat actors, while defensive AI adoption in enterprises remains uneven.

Implications for Organizations

The convergence of AI-accelerated discovery, disclosure system pressures, collapsing time-to-exploit windows, and record vulnerability volumes represents a structural shift in the threat environment, not a temporary spike. Reactive security is no longer sufficient as a primary defense.

The patching model assumes defenders have time to respond to disclosure before exploitation occurs. With mean time to exploit now negative, that assumption no longer holds for a growing share of vulnerabilities. Proactive controls — network segmentation, behavioral detection, and zero trust — limit damage from exploitation that has already occurred.

The vendor-researcher relationship has become a security variable. When that relationship is adversarial, as the Nightmare Eclipse events demonstrate, previously private vulnerability research enters the public domain without warning. Security teams need to treat the research community's posture toward their major vendors as an intelligence signal.

Vulnerability management programs need a volume strategy. With 133 new CVEs per day and only a fraction receiving meaningful exploitation, triaging everything equally is operationally impossible. Exploitation-evidence-based prioritization, informed by multiple KEV sources rather than CVSS scores alone, is the only scalable approach.

Mitigation and Compensating Controls

No single control eliminates zero-day risk. The goal is to reduce the attack surface before exploitation, constrain attacker movement after initial access, and accelerate detection before the breach becomes a catastrophe. The following recommendations are ordered by operational priority:

  1. Prioritize vulnerabilities based on exploitability, not CVSS scores alone. Integrate exploitation evidence into the vulnerability management process. Treat vulnerabilities listed in CISA KEV, VulnCheck KEV, or active threat intelligence feeds as emergency-priority issues regardless of their CVSS rating. Establish remediation targets of 24 to 72 hours for internet-facing systems with confirmed active exploitation.
  2. Treat public proof-of-concept releases as incident-level events. When a PoC is published for a vulnerability affecting your environment, immediately initiate incident response procedures. Do not wait for vendor patches before implementing mitigations, as active exploitation often begins within hours of public disclosure.
  3. Strengthen behavioral detection capabilities across the attack lifecycle. Deploy EDR and SIEM controls that focus on post-exploitation behaviors rather than signature-based detection alone. Prioritize monitoring for credential access, privilege escalation, and lateral movement techniques, as these behaviors remain consistent across many zero-day campaigns.
  4. Implement network segmentation and zero-trust access controls. Limit the impact of initial compromise by restricting lateral movement opportunities. Enforce identity verification at every access decision point, apply role-based access controls, and conduct regular privilege reviews to reduce opportunities for escalation.
  5. Establish compensating controls for systems that cannot be patched. Define alternative mitigation strategies for vulnerabilities where patches are unavailable or delayed. These controls should include disabling affected services where feasible, deploying network-layer filtering and inspection, increasing logging levels, and implementing enhanced monitoring of affected assets.
  6. Actively monitor zero-day and vulnerability disclosure sources. Continuously track CISA KEV updates, VulnCheck KEV, vendor security advisories, threat intelligence feeds, and public research repositories such as GitHub. Early awareness of emerging vulnerabilities can provide critical response time before formal CVE assignment or vendor guidance is available.
  7. Maintain and regularly test incident response plans. Develop dedicated playbooks for zero-day scenarios, including procedures for the period between PoC publication and patch availability. Define escalation paths, regulatory notification requirements, and decision-making responsibilities, and conduct regular tabletop exercises to validate readiness and improve execution.
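The triage rule from The CVSS Problem section and recommendation 1 above, worked through in code (recommendation 2's PoC-as-incident rule is folded in as a second tier). This is an added example, not Critical Start's code: the KEV sample follows the field names of CISA's published KEV JSON feed but its dates are made up, the findings, assets, second-KEV set and threat-intel set are constructed, the CVE-0000-* IDs are placeholders, and the 72-hour target for internal assets with confirmed exploitation is an assumption.

```python
"""Exploitation-evidence-based triage: confirmed exploitation (CISA KEV, a second
KEV source, threat intel) outranks CVSS; a public PoC is an incident-level event."""
import json

# Constructed sample in the shape of CISA's KEV JSON feed (same top-level keys and
# per-entry field names as the published feed; the dates below are made up).
KEV_FEED_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "demo", "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2026-50751", "vendorProject": "Check Point",
     "product": "Remote Access VPN", "dateAdded": "2026-06-10",
     "dueDate": "2026-06-13", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-35616", "vendorProject": "Fortinet",
     "product": "FortiClient EMS", "dateAdded": "2026-04-02",
     "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Constructed scanner findings for our own assets. The CVE-0000-* IDs are
# placeholders: one is the "CVSS 9.8 with no exploitation evidence" case,
# the other a CVSS 7.2 flaw with a public PoC and nothing in any KEV.
FINDINGS = [
    {"cve": "CVE-2026-50751", "asset": "vpn-gw-01", "cvss": 6.5,
     "internet_facing": True, "public_poc": False},
    {"cve": "CVE-2026-35616", "asset": "ems-01", "cvss": 9.8,
     "internet_facing": False, "public_poc": False},
    {"cve": "CVE-0000-0001", "asset": "fileserver-07", "cvss": 9.8,
     "internet_facing": False, "public_poc": False},
    {"cve": "CVE-0000-0002", "asset": "web-03", "cvss": 7.2,
     "internet_facing": True, "public_poc": True},
]

# Supplementary exploitation evidence (constructed): a second KEV source and an
# internal threat-intel set of CVEs with observed exploitation.
VULNCHECK_KEV = {"CVE-2026-20245"}
THREAT_INTEL_EXPLOITED = set()

TIER_RANK = {"emergency": 0, "incident": 1, "high": 2, "standard": 3}


def load_kev(feed_json):
    """Index a KEV-format feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def triage(finding, kev, extra_kev, intel):
    """Assign a response tier and SLA to one finding, evidence first, CVSS last."""
    cve = finding["cve"]
    evidence = [name for name, src in (("CISA KEV", kev), ("VulnCheck KEV", extra_kev),
                                       ("threat intel", intel)) if cve in src]
    if evidence:
        # Confirmed exploitation: emergency tier regardless of score. 24 h for
        # internet-facing assets (low end of the 24-72 h target); 72 h for
        # internal assets is an assumption, not a figure from the article.
        tier, sla_hours = "emergency", (24 if finding["internet_facing"] else 72)
    elif finding["public_poc"]:
        tier, sla_hours = "incident", 72       # public PoC: treat as an incident
    elif finding["cvss"] >= 9.0:
        tier, sla_hours = "high", 24 * 7       # severe, but no exploitation evidence
    else:
        tier, sla_hours = "standard", 24 * 30
    entry = kev.get(cve, {})
    return {**finding, "tier": tier, "sla_hours": sla_hours, "evidence": evidence,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "cisa_due": entry.get("dueDate")}


def prioritize(findings, kev, extra_kev, intel):
    """Order findings: tier, then ransomware use, then exposure, then CVSS."""
    rows = [triage(f, kev, extra_kev, intel) for f in findings]
    rows.sort(key=lambda r: (TIER_RANK[r["tier"]], not r["ransomware"],
                             not r["internet_facing"], -r["cvss"]))
    return rows


if __name__ == "__main__":
    kev = load_kev(KEV_FEED_JSON)
    for r in prioritize(FINDINGS, kev, VULNCHECK_KEV, THREAT_INTEL_EXPLOITED):
        print(f'{r["tier"]:9} {r["sla_hours"]:>4}h {r["cve"]:15} {r["asset"]:14} '
              f'CVSS {r["cvss"]} evidence={r["evidence"] or "none"}')
```

The CVSS 6.5 KEV entry lands at the top of the queue and the CVSS 9.8 flaw with no evidence at the bottom, which is the inversion the CVSS Problem section describes.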

Conclusion

Zero-day vulnerabilities have always been the hardest category of threat to defend against. What has changed in 2026 is the rate, the scale, and the actors involved. Exploitation now routinely precedes disclosure. AI has reduced the cost of discovery to the point where a single campaign can surface thousands of novel vulnerabilities. A single researcher can release six working Windows exploits in under two months, with three of them weaponized the same day they appear on GitHub.

The organizations that will fare best are not those waiting for patches. They are those that have accepted the premise, built behavioral detection, enforced segmentation, adopted exploitation-evidence-based prioritization, and tested their response capability before the call comes. The window is measured in hours. The preparation has to happen before that.

For more threat reports, visit the CRITICALSTART Intelligence Hub.

What Critical Start Is Doing

The CRITICALSTART Cyber Research Unit actively monitors zero-day exploitation activity, tracking newly disclosed vulnerabilities, PoC publications, exploitation evidence, and threat actor activity across intelligence sources. CRU works closely with the Security Operations Center and Security Engineering team to operationalize relevant detections as new zero-day activity is confirmed. When exploitation evidence is confirmed for vulnerabilities affecting commonly deployed enterprise technologies, CRU issues updated detection guidance through Cyber Operations Risk & Response Bulletins.

For future updates on zero-day exploitation trends and specific vulnerability advisories, Critical Start will post updates via Cyber Operations Risk & Response Bulletins and on the CRITICALSTART Intelligence Hub. Organizations with questions about their exposure to vulnerabilities discussed in this advisory are encouraged to engage their Customer Success Manager or reach out via info@criticalstart.com.