Understanding and Defending Against Zero-Day Vulnerabilities

Critical Start Cyber Research Unit
June 30, 2026
15 min read
TLP: CLEAR  |  CS-TR-26-0602
CRITICALSTART® Threat Research  •  Understanding and Defending Against Zero-Day Vulnerabilities  •  Critical Start Cyber Research Unit

Executive Summary

A zero-day vulnerability is a security flaw that attackers exploit before the vendor knows it exists and before any patch is available. Defenders cannot remediate what has not been disclosed. That asymmetry defines the problem. In 2025, Google Threat Intelligence Group (GTIG) tracked 90 zero-days exploited in the wild, a 15% increase from 2024, with enterprise technologies targeted at an all-time high of 48% of all tracked exploitation.[1] The mean time to exploit has turned negative: attackers exploit, on average, seven days before a vulnerability is publicly disclosed.[4] The patching model that has anchored enterprise security for two decades has already failed to close this gap.

This research article covers the current exploitation landscape, how zero-days are disclosed and weaponized, the Nightmare Eclipse disclosure events and their implications, three other high-impact vulnerabilities from 2026, the role of artificial intelligence (AI) in accelerating discovery, and what organizations can do when no patch exists.

Introduction

The term "zero-day" originates from software development. A zero-day vulnerability is a flaw the developer has had zero days to prepare a defense for, because it's already being weaponized before the vendor is even aware it exists. Defenders cannot patch what they do not know about, and attackers can operate in this gap for days, weeks, or months before detection.

Zero-days exist across every major software category, including operating systems, browsers, enterprise applications, and edge devices like firewalls and VPN appliances. When researchers or threat actors discover a flaw before the vendor does, it's classified as a zero-day. Once patched, it becomes a known issue, though some organizations remain exposed long after a fix is released.

The global attack surface has expanded considerably with cloud computing, remote work, and complex software supply chains. CVEs published in 2025 reached 48,185, a 20.6% increase over 39,962 in 2024, averaging more than 130 new vulnerabilities daily.[20] The subset actively exploited before a patch exists represents the sharpest end of the threat landscape.

The Zero-Day Vulnerability Lifecycle

Understanding how zero-day vulnerabilities move from initial discovery through to exploitation, disclosure, and eventual remediation helps organizations identify where defensive interventions are possible and, critically, where they are not. The lifecycle is not a linear process: exploitation routinely precedes disclosure, patches arrive after damage is done, and deployment lags extend attacker dwell time well beyond what any severity score anticipates.[1][4][7]

1
Discovery
2
Weaponization
3
Exploitation Window
4
Disclosure
5
Patch Release & Deployment

Discovery

A zero-day begins with a flaw: a coding error, architectural weakness, or logic issue. These aren't always the result of negligence — complex systems involve millions of lines of code, third-party dependencies, and old architectural decisions that didn't anticipate current attack conditions. The flaw is discovered by a researcher, a threat actor, or sometimes both simultaneously.

Researchers typically follow coordinated disclosure, notifying the vendor privately and allowing time for a patch. Threat actors have no such obligation — they begin exploitation immediately, sell the capability, or both. The critical variable is who finds it first and what they do with it.

Weaponization

Once a threat actor identifies a vulnerability, they develop an exploit to achieve remote code execution (RCE), privilege escalation, or unauthorized access. Weaponization speed has accelerated substantially — in Q1 2025, approximately 28% of observed exploits were deployed within 24 hours of CVE disclosure.[9] For true zero-days, weaponization occurs entirely outside the vendor's awareness, with no disclosure, no CVE, and no patch in development.

Exploitation Window

With a weaponized capability, the threat actor executes the exploit against target systems. The most commonly observed MITRE ATT&CK techniques at this stage are Exploit Public-Facing Application (T1190) and Exploitation for Client Execution (T1203).

Once initial access is established, post-exploitation activity begins rapidly: lateral movement, credential access, and data exfiltration typically follow within hours.[4] A critical insight for defenders is that even when the initial exploit is entirely novel, post-exploitation TTPs nearly always map to documented adversary behavior. The initial access vector may be unknown. The subsequent kill chain usually is not. This is the foundation for behavioral detection as a primary compensating control.

This window has grown more dangerous as AI-assisted discovery compresses the time from flaw identification to weaponization. CrowdStrike's 2026 Global Threat Report found that 42% of exploited vulnerabilities were attacked before public disclosure.[7] VulnCheck reported that 32.1% of KEV in H1 2025 had exploitation evidence on or before CVE publication.[2] By 2026, 67.2% of exploited CVEs are zero-days, up from 16.1% in 2018.[8] CVSS scores aren't useful here since the vulnerability isn't yet scored or even identified by the vendor. Network segmentation, behavioral detection, and least-privilege access are not fallback measures — they are the only measures available.

Disclosure

A zero-day enters the public record when discovered by the vendor, reported by a researcher, or identified during incident response. Once disclosed, it gets a CVE identifier, a CVSS score, and evaluation for the CISA KEV catalog.[3] When researchers conclude vendor processes have failed them, some publish proof-of-concept (PoC) code publicly. When a working PoC is published, exploitation risk peaks immediately — automated scanning tools find vulnerable systems within minutes.[25] Disclosure does not mean safety; for many it marks the highest-risk phase.

Patch Release & Deployment

Vendors release patches at varying speeds depending on fix complexity, severity, and release cadence. Organizations prioritizing by CVE age or CVSS score alone risk leaving weaponized vulnerabilities unaddressed. Exploitation-evidence-based prioritization using CISA KEV is more operationally sound.[2] Even with patches available, deployment requires compatibility testing and coordinated downtime; OT/ICS systems may not be patchable without disrupting operations. 50% of critical CISA KEV network-related vulnerabilities remain unpatched 55 days after a fix is released[9] — that's where most successful exploitation occurs post-disclosure. Sometimes no patch arrives at all, as with the Arista EOS zero-day confirmed in June 2026.[26] In those scenarios, compensating controls are the permanent defense.

The lifecycle is not a sequential checklist. Organizations manage vulnerabilities at every stage simultaneously, often without knowing it. Security programs need controls at each stage: reducing attack surface before discovery, behavioral detection during the exploitation window, intelligence-driven triage at disclosure, and evidence-based patch prioritization at deployment.

The Scale of the Zero-Day Problem

The numbers make this concrete. In 2025, 48,185 CVEs were published, a 20.6% year-over-year increase, averaging 133 new vulnerabilities daily.[20] Most vulnerabilities never get meaningfully triaged before the next batch arrives. CISA's KEV catalog reached 1,484 entries after 245 additions in 2025[3] — manageable-looking until placed alongside VulnCheck's finding that 884 CVEs were newly exploited in 2025 alone.[2] CISA captured fewer than 28% of them, leaving organizations relying solely on CISA KEV with a significant blind spot.

The financial stakes are equally stark. Global average data breach cost reached $4.44 million in 2025, with the U.S. averaging $10.22 million per incident, an all-time high.[5] Healthcare breaches averaged $7.42 million; financial services $5.56 million. Average breach lifecycle stood at 241 days from compromise to containment.[5] Against a threat that weaponizes in hours, a 241-day response lifecycle is not a defense.

Defending Against Zero-Days: Why It Is Difficult and Not Impossible

The central challenge is structural. A zero-day by definition has no patch when exploitation begins. Traditional security controls — signature-based antivirus, vulnerability scanners, and patch management programs — are all reactive instruments. They respond to what is already known. Zero-days operate in the space before knowledge is established. The challenge is real. It is not, however, insurmountable. Compensating controls can meaningfully constrain attacker movement even when no patch exists.

The CVSS Problem

Most vulnerability management programs are built around CVSS, a severity metric from 0–10 measuring how bad a vulnerability could be in isolation. What it does not measure is whether a vulnerability is being actively exploited right now.

This creates a dangerous prioritization gap. A CVSS 6.5 flaw actively weaponized and confirmed in CISA's KEV catalog is a more immediate threat than a CVSS 9.8 flaw with no observed exploitation. Prioritizing by score alone deprioritizes dangerous active threats while teams spend cycles on theoretical issues no attacker is using.

The practical fix: supplement CVSS with exploitation evidence. A vulnerability confirmed in CISA KEV, VulnCheck KEV, or active threat intel feeds deserves emergency-tier response regardless of its numeric score.

The Patch Paradox

Even when patches exist, deployment isn't instantaneous — compatibility testing, change windows, and OT/ICS systems that can't go offline all slow things down. 50% of critical CISA KEV vulnerabilities remain unpatched 55 days after a fix is available[9] — that's where most successful post-disclosure exploitation occurs.

The Arista EOS zero-day, actively exploited and confirmed by the vendor in June 2026, illustrates the extreme: Arista publicly stated no patch is planned.[26] When a vendor declines to remediate, compensating controls are the only defense available.

The Detection Gap

Signature-based detection cannot flag what it has never seen. Before a CVE is assigned and signatures updated, behavioral detection is the only viable mechanism. EDR tools monitoring post-exploitation behavior — credential access, lateral movement, privilege escalation — are more valuable against zero-days than tools watching for known files or signatures.

The Collapse of Time to Exploit

Time between disclosure and active exploitation has collapsed at a rate that makes patch cycles obsolete. In 2018, median time to first confirmed exploitation was 771 days. By 2021, 84 days. By 2023, six days. By 2024, five days.[9] In 2025, Mandiant's M-Trends 2026 report documented a mean time to exploit of negative seven days — exploitation observed, on average, a week before public disclosure.[4]

CrowdStrike's 2026 report found 42% of exploited vulnerabilities were attacked before public disclosure.[7] VulnCheck found 32.1% of KEV in H1 2025 had exploitation evidence on or before CVE publication.[2] By 2026, 67.2% of exploited CVEs are zero-days, up from 16.1% in 2018.[8] By the time a patch ships, exploitation is already underway, and by the time the average enterprise deploys it, attackers have had weeks of uncontested access.

When a PoC is published to GitHub alongside disclosure, time to exploitation can be measured in hours. Tools like Shodan and FOFA let even unsophisticated actors find vulnerable systems within minutes of a PoC going public.

The Coordinated Disclosure System and Its Pressures

Coordinated vulnerability disclosure (CVD) has structured the research community for decades: a researcher notifies the vendor privately, allows a reasonable window — typically 90 days, per Google Project Zero — then publishes findings. It works when vendors respond in good faith within agreed timelines.

That norm is under visible strain. Researchers receiving no response, inadequate credit, or legal pressure face a genuine question about following CVD. When that process breaks down, defenders lose the advance warning window. Public PoC repositories must be treated as part of the active threat intel feed — the Nightmare Eclipse events below illustrate what happens when researcher-vendor trust fails.

Zero-Day Vulnerability Trends: 2026 in Review

Nightmare Eclipse: A Case Study in Coordinated Disclosure Failure

Beginning in April 2026 and continuing through the publication of this article, a researcher or group operating under the aliases Nightmare Eclipse and Chaotic Eclipse publicly released eight Windows zero-day exploits across two coordinated campaigns, with working proof-of-concept code.[25] The releases impact Microsoft Defender in the first cluster, and Windows encryption and privilege escalation mechanisms in the second.

The researcher's stated motivation was institutional dissatisfaction with how Microsoft's Security Response Center (MSRC) handled prior responsible disclosure submissions. The first cluster was released as a direct protest after the researcher concluded that MSRC was not acting on reports in good faith.[23] The Nightmare Eclipse events are not primarily a story about malicious actors. They are a story about what happens when the system that is supposed to bridge researcher and vendor breaks down, and the consequences that flow to organizations that had no part in the dispute.

Between April 3 and April 16, 2026, three vulnerabilities impacting Microsoft Defender were released.[22] They represent an attack chain: escalate privileges with BlueHammer or RedSun, then blind the endpoint with UnDefend so that subsequent activity goes undetected. Huntress Labs observed active exploitation of all three beginning April 10, 2026.[24]

The chain in practice: an attacker with a standard user account drops a file engineered to trigger a Defender detection into a user-writable directory. The TOCTOU race in Defender's remediation engine fires, escalating the attacker to SYSTEM. UnDefend is then deployed to freeze Defender's signature updates while reporting the endpoint as healthy to the management console.

Microsoft patched BlueHammer (CVE-2026-33825, CVSS 7.8) in the April 14, 2026 Patch Tuesday release, one week after the PoC dropped.[21] RedSun (CVE-2026-41091) and UnDefend (CVE-2026-45498) were patched in May 2026. A second wave of five exploits followed in May and June 2026, broadening the attack surface to BitLocker full-disk encryption and core Windows privilege escalation.[25] RoguePlanet and GreatXML, the final two, are absent from Microsoft's May 27, 2026 MSRC blog post,[21] which named the six prior exploits but did not acknowledge these two. Both remain without assigned CVEs at the time of publication.

On May 27, 2026, Microsoft's MSRC team published a statement characterizing the disclosures as putting customers at unnecessary risk and reiterating that uncoordinated disclosures with public PoC code are never justifiable.[21] The post also walked back an earlier threatened legal action against the researcher. The episode illustrates the bidirectional chilling effect of vendor legal pressure: it discourages responsible disclosure by researchers who fear retaliation and can accelerate adversarial disclosure as a countermeasure. Neither outcome serves defenders.

The table below documents all eight exploits with their technical details, CVE assignments where available, and current patch status:

ExploitCVE / ScoreTechnical DescriptionDisclosedPatch Status
Cluster 1: Microsoft Defender Campaign (April 2026)
BlueHammer CVE-2026-33825
CVSS 7.8
Local privilege escalation via a TOCTOU race condition in Microsoft Defender's threat remediation engine. Uses an oplock to pause Defender's file operation, then redirects the privileged write via an NTFS junction point to System32, causing Defender to overwrite a system binary with an attacker payload under SYSTEM privileges. April 2026 Patched April 2026
RedSun CVE-2026-41091
CVSS 7.8
Local privilege escalation. Exploits Defender's cloud file rollback mechanism via a different code path than BlueHammer. Achieves SYSTEM-level code execution on Windows 10, 11, and Server 2019+. Near-100% reported reliability. April 2026 Patched May 2026
UnDefend CVE-2026-45498
CVSS 7.5
Denial-of-service against Defender's signature and engine update pipeline. Passive mode silently blocks definition updates; aggressive mode fully disables Defender. Reports the endpoint as healthy to EDR consoles while degraded. Chained after BlueHammer or RedSun. April 2026 Patched May 2026
Cluster 2: Windows Encryption and Privilege Campaign (May–June 2026)
YellowKey CVE-2026-45585
CVSS 6.8
BitLocker full-disk encryption bypass via Windows Recovery Environment (WinRE) abuse. Physical access enables complete decryption without credentials. Targets default Windows 11 enterprise BitLocker with TPM-only unlock. May 2026 Patched June 2026
GreenPlasma CVE-2026-45586
CVSS 7.8
LPE targeting the Windows CTFMON process, which runs as SYSTEM in interactive sessions. Plants an arbitrary memory section via object manager primitives, then uses registry manipulations to trick CTFMON into SYSTEM-level code execution. Note: partial PoC released, withholding the final SYSTEM shell stage as a CTF challenge — sufficient for a skilled attacker to complete weaponization. May 2026 Patched June 2026
MiniPlasma CVE-2020-17103
CVSS 7.8 (no new CVE)
LPE based on a 2020 Google Project Zero finding (James Forshaw) in the Windows Cloud Files Mini Filter Driver. Uses thread token impersonation and a race condition to write to the SYSTEM account registry hive from an unprivileged context, spawning a full SYSTEM shell. Affects Windows 11 and Server 2022/2025, fully patched as of May 2026. May 2026 Patched June 2026
RoguePlanet CVE-2026-50656
CVSS 7.8
LPE in Microsoft Defender via a TOCTOU race condition in the threat remediation engine, which performs file operations under SYSTEM without sufficient path validation. Escalates an unprivileged user to SYSTEM. Published as a working PoC on GitHub. June 2026 No patch at publication
GreatXML No CVE assigned BitLocker bypass via Windows Defender Offline Scan artifacts. Grants a SYSTEM shell in Recovery Mode without login under documented conditions. Leverages an obscure but common side effect of Defender Offline Scan. Not included in Microsoft's May 2026 MSRC blog post. June 2026 No patch at publication

The MSRC Response and Its Implications

The Nightmare Eclipse campaign illustrates a risk category that CVSS scores and patch management programs are not designed to handle. This was not a scattered series of independent disclosures. It was a researcher who had mapped a specific attack surface in depth, identified systemic weaknesses across multiple components of the Windows security stack, and released tools in deliberate sequence after concluding that the vendor was not acting on reports in good faith.[23] On May 27, 2026, Microsoft's MSRC team published a post titled "A Shared Responsibility: Protecting Customers Through Coordinated Vulnerability Disclosure."[21] It named six of the eight exploits — BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma — characterized the disclosures as putting customers at unnecessary risk, and restated that uncoordinated disclosures with public PoC code are never justifiable. The post confirmed CVE assignments for four of the six. GreenPlasma and MiniPlasma had no CVEs assigned at publication. RoguePlanet and GreatXML were not mentioned.

Earlier, Microsoft had moved to remove the researcher's GitHub account and signaled legal action.[17] Within days, facing significant backlash from the security research community, Microsoft reversed that position and affirmed it would not pursue action against individuals conducting or publishing security research.[17] The episode is instructive: vendor legal pressure, intended as a deterrent, instead accelerated adversarial disclosure. The researcher responded to Microsoft's initial stance by threatening to drop additional exploits — the predictable outcome when the coordinated disclosure system breaks down and neither side has a path to de-escalation.

The eight exploits are not random. Taken together they form a coherent offensive toolkit:

  • Three independent paths to SYSTEM-level privilege escalation on fully patched Windows systems (BlueHammer, RedSun, MiniPlasma, and RoguePlanet)
  • Two methods to bypass BitLocker full-disk encryption with physical access (YellowKey and GreatXML)
  • A tool to blind the primary endpoint protection layer while maintaining a healthy appearance to EDR management consoles (UnDefend)

Organizations should treat the Nightmare Eclipse exploits as an active, ongoing threat rather than a resolved historical event. Two exploits remain unpatched at the time of publication. Public PoC code for all eight is available, indexed, and actively monitored by threat actors. Supplementary EDR coverage capable of detecting Defender bypasses, out-of-band verification of Defender signature versions directly against Microsoft's update feed rather than trusting dashboard health status, and BitLocker supplementary authentication beyond TPM-only unlock are the compensating controls with the most direct mitigating effect.[22]

The practical implication for defenders extends beyond any individual patch: Microsoft's official communications do not represent a complete picture of this campaign. RoguePlanet and GreatXML require independent compensating controls regardless of their absence from the MSRC post. Patch status should always be verified against the Security Update Guide directly, not inferred from the absence of an official acknowledgment.

Other Zero-Days Worth Watching

The Nightmare Eclipse campaign drew significant attention, but the broader 2026 zero-day landscape reflects the same structural pressures across multiple vendors and attack categories:

VulnerabilityDetailsStatus
CVE-2026-50751
Check Point VPN
Authentication bypass in Check Point Remote Access VPN and Mobile Access. Exploited by Qilin ransomware affiliates from May 7, 2026, a full month before public disclosure. CISA issued a 3-day patch deadline for federal agencies.[29] Patched June 2026; CISA KEV
CVE-2026-20245
Cisco SD-WAN
Seventh Cisco Catalyst SD-WAN zero-day exploited in 2026. Allows authenticated attackers with network admin access to execute root commands and push unauthorized configurations to edge devices. No patch at time of disclosure. Patched June 2026; CISA KEV
CVE-2026-35616
FortiClient EMS
Critical unauthenticated remote code execution in Fortinet FortiClient EMS. CVSS 9.8. Exploitation observed from March 31, 2026. Hotfix issued; full patch pending. Added to CISA KEV. Hotfix; full patch pending

Besides these three, June 2026's Patch Tuesday was the largest in Microsoft's recorded history, addressing 198 to 208 CVEs including six zero-days in a single release.[10] Chrome has had at least five actively exploited zero-days patched in 2026 alone.[3] Cisco's Catalyst SD-WAN product line has had about seven zero-days exploited in 2026.[14] The pattern is not isolated incidents. It is sustained, broad-surface exploitation across enterprise infrastructure.

The AI Inflection Point

AI is no longer a theoretical catalyst for zero-day discovery — it's operational. In May 2026, VentureBeat reported that Anthropic's Claude Mythos Preview model had autonomously discovered thousands of zero-day vulnerabilities across major operating systems and browsers.[15] In one campaign targeting OpenBSD across 1,000 scaffold runs, total compute cost was under $20,000.[30] A single brokered zero-day for a major OS can sell for $1 million or more on the gray market — AI has reduced discovery cost by orders of magnitude.

Separately in May 2026, an AI pipeline surfaced over 300 WordPress plugin zero-days in three days at roughly $20 per vulnerability, straining disclosure programs built for a human-paced discovery rate.[16] That assumption has already broken.

The defensive side is also real. Organizations deploying AI and automation in security operations experienced average breach costs of $3.84 million in 2025, versus $5.72 million for those without.[5] But offensive AI is already deployed at scale by well-resourced threat actors, while defensive AI adoption in enterprises remains uneven.

Implications for Organizations

The convergence of AI-accelerated discovery, disclosure system pressures, collapsing time-to-exploit windows, and record vulnerability volumes represents a structural shift in the threat environment, not a temporary spike. Reactive security is no longer sufficient as a primary defense.

The patching model assumes defenders have time to respond to disclosure before exploitation occurs. With mean time to exploit now negative, that assumption no longer holds for a growing share of vulnerabilities. Proactive controls — network segmentation, behavioral detection, and zero trust — limit damage from exploitation that has already occurred.

The vendor-researcher relationship has become a security variable. When that relationship is adversarial, as the Nightmare Eclipse events demonstrate, previously private vulnerability research enters the public domain without warning. Security teams need to treat the research community's posture toward their major vendors as an intelligence signal.

Vulnerability management programs need a volume strategy. With 133 new CVEs per day and only a fraction receiving meaningful exploitation, triaging everything equally is operationally impossible. Exploitation-evidence-based prioritization, informed by multiple KEV sources rather than CVSS scores alone, is the only scalable approach.

AI-assisted discovery changes the economics of zero-day research permanently. The $20 WordPress plugin finding and the Claude Mythos campaign are early signals of a discovery rate the existing disclosure infrastructure wasn't designed to absorb. Organizations should plan for novel vulnerabilities discovered and weaponized faster than any human-paced response can match.

Mitigation and Compensating Controls

No single control eliminates zero-day risk. The goal is to reduce attack surface before exploitation, constrain attacker movement after initial access, and accelerate detection before a breach becomes catastrophic. Recommendations below are ordered by priority:

  1. Prioritize vulnerabilities based on exploitability, not CVSS scores alone. Integrate exploitation evidence into the vulnerability management process and treat vulnerabilities listed in CISA KEV, VulnCheck KEV, or active threat intelligence feeds as emergency-priority issues regardless of their CVSS rating. Establish remediation targets of 24–72 hours for internet-facing systems with confirmed active exploitation.
  2. Treat public proof-of-concept (PoC) releases as incident-level events. When a PoC is published for a vulnerability affecting your environment, immediately initiate incident response procedures. Do not wait for vendor patches before implementing mitigations, as active exploitation often begins within hours of public disclosure.
  3. Strengthen behavioral detection capabilities across the attack lifecycle. Deploy EDR and SIEM controls that focus on post-exploitation behaviors rather than signature-based detection alone. Prioritize monitoring for credential access, privilege escalation, and lateral movement techniques, as these behaviors remain consistent across many zero-day campaigns.
  4. Implement network segmentation and zero-trust access controls. Limit the impact of initial compromise by restricting lateral movement opportunities. Enforce identity verification at every access decision point, apply role-based access controls, and conduct regular privilege reviews to reduce opportunities for escalation.
  5. Establish compensating controls for systems that cannot be patched. Define alternative mitigation strategies for vulnerabilities where patches are unavailable or delayed. These controls should include disabling affected services where feasible, deploying network-layer filtering and inspection, increasing logging levels, and implementing enhanced monitoring of affected assets.
  6. Actively monitor zero-day and vulnerability disclosure sources. Continuously track CISA KEV updates, VulnCheck KEV, vendor security advisories, threat intelligence feeds, and public research repositories such as GitHub. Early awareness of emerging vulnerabilities can provide critical response time before formal CVE assignment or vendor guidance is available.
  7. Maintain and regularly test incident response plans. Develop dedicated playbooks for zero-day scenarios, including procedures for the period between PoC publication and patch availability. Define escalation paths, regulatory notification requirements, and decision-making responsibilities, and conduct regular tabletop exercises to validate readiness and improve execution.

Conclusion

Zero-day vulnerabilities have always been the hardest category of threat to defend against. What has changed in 2026 is the rate, the scale, and the actors involved. Exploitation now routinely precedes disclosure. AI has reduced the cost of discovery to the point where a single campaign can surface thousands of novel vulnerabilities. A single researcher can release six working Windows exploits in under two months, with three of them weaponized the same day they appear on GitHub.

The organizations that will fare best are not those waiting for patches. They are those that have accepted the premise, built behavioral detection, enforced segmentation, adopted exploitation-evidence-based prioritization, and tested their response capability before the call comes. The window is measured in hours. The preparation has to happen before that.

For more threat reports, including H2 2025 detailing trending cybersecurity concerns, visit Critical Start's Intel Hub. This threat research article was written using the best intelligence available at the time and is subject to change as additional information becomes available.


What Critical Start Is Doing

The CRITICALSTART® Cyber Research Unit actively monitors zero-day exploitation activity, tracking newly disclosed vulnerabilities, PoC publications, exploitation evidence, and threat actor activity across the intelligence sources cited in this advisory. CRU works closely with the Security Operations Center (SOC) and Security Engineering team to operationalize relevant detections as new zero-day activity is confirmed. When exploitation evidence is confirmed for vulnerabilities affecting commonly deployed enterprise technologies, CRU issues updated detection guidance through Cyber Operations Risk & Response™ Bulletins.

For future updates on zero-day exploitation trends and specific vulnerability advisories, Critical Start will post updates via Cyber Operations Risk & Response™ Bulletins and on the CRITICALSTART® Intelligence Hub. Organizations with questions about their exposure to vulnerabilities discussed in this advisory are encouraged to engage their Customer Success Manager or reach out via info@criticalstart.com.


Further Reading

  • [1]Google Threat Intelligence Group (GTIG), "Look What You Made Us Patch: 2025 Zero-Days in Review," Mar. 5, 2026. cloud.google.com ↗
  • [2]VulnCheck, "State of Exploitation 2026," Jan. 21, 2026. vulncheck.com ↗
  • [3]CISA, "Known Exploited Vulnerabilities Catalog," accessed Jun. 2026. cisa.gov ↗
  • [4]Mandiant / Google Cloud, "M-Trends 2026: Data, Insights, and Strategies From the Frontlines," Mar. 23, 2026. cloud.google.com ↗
  • [5]IBM Security, "Cost of a Data Breach Report 2025," Jul. 2025. ibm.com ↗
  • [6]Verizon, "2025 Data Breach Investigations Report (DBIR)," Apr. 2025. verizon.com ↗
  • [7]CrowdStrike, "2026 Global Threat Report," Feb. 2026. crowdstrike.com ↗
  • [8]S. Epp, "The Zero Day Clock Is Ticking," Resilient Cyber, Mar. 2026. resilientcyber.io ↗
  • [9]CyberAngel, "Why Time to Exploit Is Collapsing," Jan. 2026. cybelangel.com ↗
  • [10]BleepingComputer, "Microsoft patches YellowKey, GreenPlasma, MiniPlasma zero-days," Jun. 10, 2026. bleepingcomputer.com ↗
  • [11]Security Affairs, "Chaotic Eclipse Unveils RoguePlanet LPE Exploit Targeting Microsoft Defender," Jun. 2026. securityaffairs.com ↗
  • [12]BleepingComputer, "Check Point VPN Zero-Day Exploited by Qilin Before Patch," Jun. 2026. bleepingcomputer.com ↗
  • [13]CyberScoop, "Fortinet FortiClient EMS Zero-Day CVE-2026-35616 Exploited in the Wild," Apr. 2026. cyberscoop.com ↗
  • [14]SecurityWeek, "Cisco Warns of Seventh SD-WAN Zero-Day Exploited in 2026," Jun. 2026. securityweek.com ↗
  • [15]VentureBeat, "Claude Mythos Exposed a Hard Truth: Your Enterprise Patching Process Is Way Too Slow," May 2026. venturebeat.com ↗
  • [16]Help Net Security, "AI Pipeline Finds 300+ WordPress Plugin Zero-Days in Three Days," May 2026. helpnetsecurity.com ↗
  • [17]The Record, "Microsoft Calls Zero-Day Releases 'Never Justifiable' Then Walks Back Legal Threat," May 2026. therecord.media ↗
  • [18]LevelBlue SpiderLabs, "YellowKey and GreenPlasma: Two New Windows Zero-Days Unveiled," May 2026. levelblue.com ↗
  • [19]Infosecurity Magazine, "Zero-Day Exploits Surge: 30% of Flaws Attacked Before Disclosure," Jan. 2026. infosecurity-magazine.com ↗
  • [20]Stingrai Research, "Vulnerability Statistics 2026: CVE, KEV, Time to Exploit," Jun. 2026. stingrai.io ↗
  • [21]Microsoft MSRC, "A Shared Responsibility: Protecting Customers Through Coordinated Vulnerability Disclosure," May 27, 2026. microsoft.com ↗
  • [22]SOCRadar, "BlueHammer, RedSun, and UnDefend: Three Windows Defender Zero-Days Exploited in the Wild," Apr. 2026. socradar.io ↗
  • [23]Cyderes Howler Cell, "RedSun Zero-Day: When Defender Becomes the Delivery Mechanism," Apr. 2026. cyderes.com ↗
  • [24]Startup Defense, "Microsoft Defender Zero-Day Vulnerabilities: 2026 Briefing," Apr. 2026. startupdefense.io ↗
  • [25]Barracuda Networks Blog, "Nightmare-Eclipse: Six Zero-Days, Six Weeks and One Big Grudge," May 2026. blog.barracuda.com ↗
  • [26]SecurityWeek, "No Patch Planned for Exploited Arista EOS Vulnerability," Jun. 2026. securityweek.com ↗
  • [27]Picus Security, "The Return of a Ghost: Unpacking the MiniPlasma Zero-Day Exploit," Jun. 2026. picussecurity.com ↗
  • [28]The Hacker News, "Microsoft Confirms RoguePlanet Defender Zero-Day, Says Patch is in Development," Jun. 2026. thehackernews.com ↗
  • [29]Rapid7, "Critical Check Point VPN Zero-Day Exploited in the Wild (CVE-2026-50751)," Jun. 2026. rapid7.com ↗
  • [30]Anthropic, "Assessing Claude Mythos Preview's cybersecurity capabilities," Anthropic Frontier Red Team, Apr. 2026. anthropic.com ↗

https://security.criticalstart.com/rs/586-OQG-630/images/%5BCS-TR-26-0602%5D Understanding and Defending Against Zero-Day Vulnerabilities 1.pdf?version=0