- A zero-day exploit is specially crafted code or a technique an attacker uses to weaponize a newly discovered vulnerability in a target system.
- Zero-day exploits are dangerous because they hit before anyone knows a flaw exists, giving attackers an opportunity to steal passwords, drain accounts, and exfiltrate trade secrets.
- CVE-2021-30116 and CVE-2025-6554 are prime examples of zero-day exploits in action.
- There are seven (7) stages in a zero-day exploit lifecycle; #6 is where lack of visibility complicates your response to an attack.
- The biggest struggle for many businesses isn’t the zero-day itself. It’s lacking clear visibility into SaaS usage, making it difficult to assess exposure or respond effectively.
- With LastPass SaaS monitoring, you get full SaaS visibility and centralized identity controls, which lets you quickly verify zero-day affected apps, rotate credentials, and secure access as soon as the vendor releases a patch.
A zero-day exploit targets a software vulnerability that attackers know about before the vendor has a fix.
Such exploits are dangerous because you can’t defend against a flaw you don’t know exists.
On June 25, 2025, something alarming happened.
Google’s Threat Analysis Group discovered that attackers were actively exploiting a Chrome zero-day vulnerability.
The flaw, tracked as CVE-2025-6554, affected Chrome’s V8 JavaScript engine.
It let attackers run code on a victim’s device simply by getting them to visit a malicious web page. No click, download, or other action was needed; loading the page was enough.
And here’s the scary part: Chrome, the world’s most popular browser, experienced eight (8) zero days in 2025. All were classified as high severity (CVSS scores of 8.5 and up).
Criminal groups like REvil are equally fond of zero days. REvil, a ransomware-as-a-service crew rather than a nation-state actor, exploited a 0-day vulnerability in Kaseya’s VSA remote monitoring and management (RMM) software in 2021 to push ransomware to MSPs AND their clients.
In a single coordinated strike on the Friday before Independence Day, REvil brought 1,500 businesses to a standstill.
REvil wanted $70 million in exchange for a universal decryption key, the largest ransom demand in history at the time.
Here’s the thing that connects both attacks: People using software with flaws no one knew existed.
So, if the people who built your software can’t protect you from zero-day exploits, what chance do you have?
The answer may surprise you. But first, you need to know what you’re up against.
What is a zero-day exploit?
A zero-day exploit is specially crafted code or a technique an attacker uses to weaponize a discovered vulnerability in a target system.
Think about that for a moment.
Before a zero-day is discovered, developers don’t know it exists, and neither do you.
The term “zero day” means exactly what it sounds like: The vendor had ZERO DAYS to fix the problem before attackers started using it to break into systems, so for a true 0-day no patch exists yet.
Until a vulnerability is discovered, whether by the vendor, a researcher, or by catching an exploit in the wild, it can’t be patched.
And undiscovered vulnerabilities almost certainly exist in every piece of software you use, from browsers to mobile apps.
Why should you care about zero-day exploits?
Zero-day exploits don’t discriminate. The 2025 Chrome 0-days didn’t care if you were:
- A professional networking on LinkedIn
- An employee using a SaaS app
- An entrepreneur tracking expenses in QuickBooks or FreshBooks
- A retiree managing investments in Coinbase
- A parent shopping on Amazon
Everyone using Chrome faced the exact same risk.
And here’s what makes 0-day exploits even more dangerous:
- Your vendor doesn’t know about it. You can’t really “prepare” for a 0-day. Vendors like Microsoft, Google, or Apple must often reverse engineer from exploit code captured from the wild to develop fixes.
- Attackers sell them to each other. A premium-tier 0-day exploit can sell for up to $200,000 in Dark Web markets.
Meanwhile, high-end exploits for mobile or browser vulnerabilities can reach millions. Case in point: Full iOS exploit chains now fetch $2 million, and Android exploit offerings have surged by 1,150%, priced anywhere from $200,000 to $2.5 million.
Nation states buy 0-day exploits for espionage, and criminal groups use them for ransomware attacks.
As an individual, this leaves you facing:
- Fallout, such as damaged credit, from loans taken out in your name
If you’re a business owner, the risks multiply with:
- Disrupted operations from ransomware infections
- Loss of trust & reduced sales from reputational damage
- Regulatory fines from data breaches
If you’re a consumer, expect to spend considerable time recovering your good name and stolen funds.
According to the ITRC Consumer Impact report, more than 20% of people lost $100,000 - $1 million+ from identity theft in 2025.
This led to a 20-percentage point increase in thoughts of suicide.
And if you’re an entrepreneur, the losses are equally stunning: 53% of your peers lost $250,000 to $1 million due to identity crimes in 2025.
Now it’s clear why 0-day exploits matter.
What are some real-world examples of zero-day exploits in action?
CVE-2021-30116 and CVE-2025-6554 (2025) are prime examples of zero-day exploits in action.
By now, you may be thinking, “I’m too small. Why would attackers target me?”
CVE-2021-30116
That’s exactly what 1,500 businesses thought before REvil (also known as Sodinokibi) hit them in the 2021 Kaseya attack.
According to Jon DiMaggio, Chief Security Strategist at Analyst1 and author of the Art of Cyberwarfare, nation-state actors use zero-day exploits more than any other attacker.
With 40,000 global organizations on its client list, Kaseya was an attractive target for information gathering and as a revenue stream.
According to the New York Times, Coop, one of Sweden’s biggest grocery chains, had to close 800 stores while systems were being restored.
A Swedish railway and major pharmacy chain, kindergartens in New Zealand, and public administration offices in Romania had also been affected.
High-visibility targets like Coop elevate REvil’s notoriety. The group is known for posting victim shaming lists on dark web sites to escalate embarrassment and force payments.
Fred Voccola, Kaseya’s then CEO, admitted that MSPs were highly targeted victims.
Which prompted John Hammond, a security researcher from Huntress Labs to sound the alarm:
“What makes this attack stand out is the trickle-down effect, from the managed service provider to the small business...Kaseya handles large enterprise all the way to small businesses globally, so ultimately, it has the potential to spread to [businesses of] any size.”
Even if you think your business isn’t important enough, remember that you’re part of a supply chain.
Who do you do business with? What SaaS platforms do your employees use? What vendors have access to your network?
You’re connected to multiple organizations, and every single one is a potential entry point.
And here’s the scary part: Most of your peers have absolutely no idea they’re vulnerable until it’s too late.
*Kaseya later confirmed multiple zero-day vulnerabilities were exploited. They highlighted CVE-2021-30116 but provided no further details about the others. Security researchers at Huntress Labs and TrueSec, however, identified two more possible zero-days: a cross-site scripting vulnerability and an SQL injection vulnerability*
CVE-2025-6554
Now, let’s get back to CVE-2025-6554 and look at what happened.
June 25, 2025: Google’s Threat Analysis Group (TAG) discovers attackers are actively exploiting a flaw in Chrome’s V8 JavaScript engine.
June 26, 2025: Google pushes out an emergency configuration change as a temporary fix.
June 30, 2025: Google releases the full security patch.
July 2, 2025: CISA adds the 0-day vulnerability to its catalog of known exploited vulnerabilities, warning that it poses significant risks to businesses.
Notice something? From discovery to official warning: seven (7) days.
But here’s the critical question: How long were attackers exploiting the vulnerability before Google discovered it?
No one knows.
And that’s not all: According to the Infosec Institute, the average organization takes 60-150 days to actually APPLY the patches across their systems after the patches are released.
This leaves a massive window for attackers to continue exploiting the vulnerability.
But this isn’t just a Chrome problem. Firefox, Safari, and Edge have all been targeted.
Understanding how an attack unfolds can help you see where you’re vulnerable and what you can do about it.
How do zero-day exploits work?
A zero-day exploit delivers a customized payload through an unpatched vulnerability, and it does so at a particular point in a lifecycle that runs from discovery to patch. It’s important to understand each stage of this lifecycle.
Stage 1: Discovery
An attacker finds a security flaw. They identify this flaw through:
- Systematic code analysis
- Reverse engineering
- Automated testing methods like fuzz testing
These flaws exist because software is written by humans, and humans make mistakes. The flaw or vulnerability may “sit” for months or years before anyone finds it.
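To make the fuzz-testing bullet concrete, here is a minimal mutational fuzzer run against a toy length-prefixed record parser. This is an added example, not code from the original article or from any vendor it mentions; the parser, its deliberate bug, and the seed input are all constructed for illustration. The buggy parser trusts the length byte and reads past a truncated payload (an IndexError in Python, the analogue of an out-of-bounds read in C); the fixed version adds the bounds check, and the same fuzzer finds nothing against it.

```python
import random


def parse_records(data: bytes) -> list:
    """Toy length-prefixed record parser, constructed for this example with a
    deliberate bug: it trusts the length byte n and reads payload[n - 1] without
    first checking that n bytes actually remain. On a truncated record that
    raises IndexError, the Python analogue of an out-of-bounds read in C."""
    records = []
    i = 0
    while i < len(data):
        n = data[i]
        payload = data[i + 1:i + 1 + n]
        if n and payload[n - 1] == 0:      # bug: payload may be shorter than n
            raise ValueError("payload must not end in a NUL byte")
        records.append(payload)
        i += 1 + n
    return records


def parse_records_fixed(data: bytes) -> list:
    """Same parser with the bounds check the buggy version is missing."""
    records = []
    i = 0
    while i < len(data):
        n = data[i]
        if i + 1 + n > len(data):
            raise ValueError(f"truncated record at offset {i}")
        payload = data[i + 1:i + 1 + n]
        if n and payload[n - 1] == 0:
            raise ValueError("payload must not end in a NUL byte")
        records.append(payload)
        i += 1 + n
    return records


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random mutation: overwrite a byte, insert a byte, or delete a byte."""
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seed_input: bytes, iterations: int = 2000, seed: int = 1,
         expected=(ValueError,)):
    """Minimal mutational fuzzer. Exceptions listed in `expected` are the
    parser's own input rejection and are ignored; anything else is a crash.
    Returns (crashing_input, exception, iteration) or None if nothing crashed.
    The fixed seed makes a run reproducible."""
    rng = random.Random(seed)
    corpus = [seed_input]
    for i in range(iterations):
        candidate = mutate(rng, rng.choice(corpus))
        try:
            target(candidate)
        except expected:
            continue
        except Exception as exc:
            return candidate, exc, i
        if len(corpus) < 50:
            corpus.append(candidate)   # inputs that pass become new seeds
    return None


if __name__ == "__main__":
    seed_input = b"\x03abc\x02de"      # constructed: two well-formed records
    print("buggy parser:", fuzz(parse_records, seed_input))
    print("fixed parser:", fuzz(parse_records_fixed, seed_input))
```

Real fuzzers (AFL++, libFuzzer, Jazzer) add coverage feedback so that mutations which reach new code are kept preferentially, but the loop above is the core of the technique: mutate, run, catch crashes, keep survivors as new seeds.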
Stage 2: Weaponization
Discovering a vulnerability is just the beginning. Now the attacker must create the exploit code.
This isn’t simple.
It takes technical knowledge to:
- Figure out how to trigger the vulnerability reliably
- Create custom payloads or shellcode that will run once the vulnerability is exploited
- Test the exploit to ensure it works across different systems
- Package everything to deliver to target victims
This phase requires skill and time. That’s why sophisticated zero-day exploits fetch hundreds of thousands of dollars to millions on Dark Web forums.
Stage 3: Exploitation
Now comes the question: How do you get someone to trigger the exploit?
Attackers use various delivery methods:
- Drive-by downloads: Visit a compromised or malicious site and, without any further action on your part, code runs in your browser and exploits a vulnerability to infect your system.
- Phishing emails: Click a malicious link or open a malicious attachment in an email, and the exploit code runs and infects your device.
- Supply chain attacks: This is what happened with Kaseya. Attackers compromised VSA servers and pushed malicious updates to client systems. The exploit came through a trusted source, which made it especially effective.
- Watering hole attacks: Attackers compromise websites their targets already visit and plant code there that serves 0-day exploits to those visitors.
In 2021, Google’s Threat Analysis Group reported watering hole attacks targeting visitors to pro-democracy Hong Kong websites. The compromised sites exploited a 0-day vulnerability in macOS Catalina to install a backdoor.
Stage 4: In-the-wild use
Now, the attacker is actively using the exploit against you. This phase can last for days, weeks, or even months before anyone realizes what’s happening.
In the REvil attacks on Kaseya, the attackers deployed PowerShell scripts to disable Microsoft Defender and then used legitimate Windows utilities to execute malicious code.
This living-off-the-land approach evaded detection by mimicking normal system behavior.
In this stage, the attackers may also establish command-and-control (C2) communications with a server they control.
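The living-off-the-land behaviour described above is exactly what process-creation telemetry can catch even when the exploit itself is unknown. The following is an added example, not code from the original article or from any vendor it mentions: a small rule set run over constructed process-creation log lines (a simplified timestamp|host|user|command line format, not real telemetry). The sample lines mirror the technique the article describes for the Kaseya incident, with PowerShell switching off Defender protections and a copied, renamed copy of the built-in certutil utility decoding a payload; the certutil and encoded-command patterns are well-known living-off-the-land signatures, not details taken from the article. Host names, users and timestamps are invented.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real telemetry): timestamp|host|user|command line.
SAMPLE_LOG = """\
2021-07-02T18:04:11Z|WS-0042|NT AUTHORITY\\SYSTEM|powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true -DisableScriptScanning $true
2021-07-02T18:04:12Z|WS-0042|NT AUTHORITY\\SYSTEM|cmd.exe /c copy /Y C:\\Windows\\System32\\certutil.exe C:\\Windows\\cert.exe
2021-07-02T18:04:13Z|WS-0042|NT AUTHORITY\\SYSTEM|C:\\Windows\\cert.exe -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe
2021-07-02T18:05:00Z|WS-0017|CORP\\jdoe|powershell.exe Get-MpPreference
2021-07-02T18:06:30Z|WS-0017|CORP\\jdoe|certutil.exe -verify C:\\Users\\jdoe\\Downloads\\vendor.cer
2021-07-02T18:07:02Z|WS-0099|CORP\\svc_build|powershell.exe -NoProfile -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAA=
"""

# Each rule is (name, regex). The rules match behaviour, not a specific exploit,
# which is why they still work against a zero-day nobody has a signature for.
RULES = [
    # Defender protections being switched off from the command line
    ("defender_tamper", re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$true", re.I)),
    # certutil.exe copied under another name to dodge naive process-name checks
    ("lolbin_copy", re.compile(r"\bcopy\b.*\\certutil\.exe\s+\S+", re.I)),
    # certutil (or a renamed copy) used as a base64 decoder for a dropped payload
    ("certutil_decode", re.compile(r"\S*cert(util)?\.exe\s+-decode\b", re.I)),
    # base64-encoded PowerShell command line
    ("encoded_command", re.compile(r"\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
]

LOLBIN_RULES = {"lolbin_copy", "certutil_decode", "encoded_command"}


def parse_line(line: str) -> dict:
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}


def scan(log_text: str) -> list:
    """Return one hit per (event, rule) match."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        for name, rx in RULES:
            if rx.search(event["cmd"]):
                hits.append({**event, "rule": name})
    return hits


def triage(hits: list) -> dict:
    """Correlate per host: tampering followed by LOLBin use is the high-confidence
    combination; tampering alone is worth a look; a lone encoded command is noise
    on many build hosts, so it only rates low."""
    rules_by_host = defaultdict(set)
    for h in hits:
        rules_by_host[h["host"]].add(h["rule"])
    verdicts = {}
    for host, rules in rules_by_host.items():
        if "defender_tamper" in rules and rules & LOLBIN_RULES:
            verdicts[host] = "high"
        elif "defender_tamper" in rules:
            verdicts[host] = "medium"
        else:
            verdicts[host] = "low"
    return verdicts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["host"], h["rule"], "|", h["cmd"][:60])
    print(triage(found))
```

Note that the benign lines (an admin reading Defender settings, a user verifying a certificate with certutil) produce no hits: the rules key on the disabling flags and the -decode verb, not on the tool names alone.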
Stage 5: Detection & disclosure
Eventually, someone notices something’s wrong.
Maybe it’s a security analyst on your team, an antivirus vendor, or a researcher. Once the vulnerability is confirmed, it gets assigned a CVE identifier and, on disclosure, becomes public knowledge.
Google discovered CVE-2025-6554 was being exploited on June 25, 2025, and immediately began working on a fix.
Stage 6: Patching & remediation
Now there’s a race against time.
The vendor works frantically to release a patch.
Google pushed out an emergency mitigation for CVE-2025-6554 on June 26, 2025, and released the full patch on June 30, 2025, an impressively fast response.
But here’s where things get complicated. Just because a patch is released doesn’t mean everyone has installed it. Businesses with 2,000 to 5,000 employees often take at least 39 days to patch.
And if you’re a smaller business, you face especially high barriers that make quick patches prohibitive:
- Maybe you have limited staff to test patches before deploying them company-wide.
- Maybe you’re in a regulated industry, where patches require rigorous formal reviews, approvals, and documentation (because mistakes can lead to massive safety or legal consequences). This process consumes time and resources.
This is why you see waves of attacks after major vulnerabilities are disclosed. The bad guys know most people haven’t patched yet, and they take full advantage of it.
And here’s another consideration.
If your team lacks real-time visibility into assets, your challenge isn’t so much patching but responding appropriately.
For example, Shadow AI and unmanaged SaaS tools often fall through the cracks. Even if a SaaS vendor patches quickly, your team must still answer these questions:
- Which teams use this tool?
- What data is stored there?
- Do we have integrations that rely on it?
- Do we need to rotate credentials or revoke tokens?
- What about data exposure?
This is where a lack of visibility becomes painful.
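Answering the questions above quickly needs an inventory you can query, and one detail trips up many home-grown checks: browser versions must be compared numerically, not as strings. Below is an added example, not code from the original article or from LastPass: an exposure report over a constructed asset inventory (the hosts, teams and integration names are invented). The fixed build number is an assumption for illustration; take the real value from the vendor’s release note for the CVE you are triaging.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    team: str
    product: str
    version: str
    integrations: tuple   # systems whose tokens or SSO sessions live in this install


# Constructed inventory for this example (not real hosts).
INVENTORY = (
    Asset("WS-0042", "finance", "chrome", "138.0.7204.49", ("quickbooks-sso",)),
    Asset("WS-0017", "sales", "chrome", "138.0.7204.100", ("crm-oauth",)),
    Asset("WS-0099", "eng", "chrome", "137.0.7151.119", ("github-oauth", "ci-token")),
    Asset("WS-0101", "eng", "firefox", "140.0.2", ()),
    Asset("WS-0123", "hr", "chrome", "138.0.7204.96", ("hris-sso",)),
)

# Assumed fixed build, for illustration only; use the vendor's advisory value.
FIXED_VERSION = "138.0.7204.96"


def parse_version(v: str) -> tuple:
    """'138.0.7204.96' -> (138, 0, 7204, 96). Comparing the strings instead is
    wrong: as text, '138.0.7204.100' sorts BEFORE '138.0.7204.96'."""
    return tuple(int(part) for part in v.split("."))


def is_patched(installed: str, fixed: str) -> bool:
    return parse_version(installed) >= parse_version(fixed)


def exposure_report(assets, product: str, fixed_version: str) -> dict:
    """Which hosts still run a vulnerable build, which teams own them, and which
    integrations' credentials or tokens should be rotated if those hosts were hit."""
    exposed = [a for a in assets
               if a.product == product and not is_patched(a.version, fixed_version)]
    return {
        "exposed_hosts": [a.host for a in exposed],
        "teams": sorted({a.team for a in exposed}),
        "integrations_to_rotate": sorted({i for a in exposed for i in a.integrations}),
    }


if __name__ == "__main__":
    print(exposure_report(INVENTORY, "chrome", FIXED_VERSION))
```

In the sample inventory, WS-0017 runs a newer build than the fix and is correctly reported as patched; a string comparison would have flagged it and missed nothing else, which is the kind of quiet false positive that erodes trust in a report during an incident.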
Stage 7: Window of vulnerability
This is the critical period from when the vulnerability is first exploited to when patches are widely deployed. It overlaps the earlier stages: the window opens at Stage 3 and only closes once Stage 6 is complete across your whole fleet, not when the vendor ships the fix.
Understanding the 0-day exploit lifecycle shows you where your defenses need to focus: You can’t protect what you don’t know exists. This is why you need layered defenses like SaaS Monitoring, Zero Trust, and behavioral threat detection (more on this below).
Why are zero-day attacks becoming more common?
2025 was a breakout year for zero-day exploits. According to Cybernews, three key factors are driving this trend:
- Your attack surface has exploded: Think about the growth in smartphone, IoT device, cloud storage, and app usage. If you’re doing business, add POS & CRM software and collab tools. Each app, API, and IoT tool is a potential entry point.
- Crime pays: As mentioned, 0-day exploits fetch a pretty penny on the Dark Web. And they’ve now inspired an uptick in 0-day exploit brokers like Advanced Security Solutions, a new United Arab Emirates startup paying $5 to $20 million for exploits.
The startup claims it pays “researchers” for exclusive 0-days and then resells to “authorized” intelligence and law enforcement agencies for cyber operations.
Critics say this gray market exploit trade delays patches, but proponents argue it boosts allied defenses. Ominously, the startup is keeping mum on who’s actually behind the company – and its customers.
And since there’s no public evidence of brokers refusing sales to rogue nations, this “ask me no questions, and I’ll tell you no lies” gray market may actually be financing future 0-day attacks.
- Automation is feeding the growth: The time between vulnerability discovery and active exploitation keeps shrinking, and attackers are using LLM-driven tooling to automate parts of the work, so even low-skilled attackers can cut the time to a working attack from days to minutes.
Zero-day attack detection and prevention: How can you protect yourself from zero-day attacks?
To protect yourself from zero-day attacks, you need both reliable security practices and SaaS visibility.
Action #1: Stop relying on traditional security alone
Conventional antivirus solutions will likely fall short, but these practices can help reduce your attack surface.
- Endpoint detection & response (EDR) tools like SentinelOne, Microsoft Defender for Endpoint, and CrowdStrike Endpoint Security are industry-recommended for zero-day exploit detection, because they alert on attacker behaviour (such as the Defender-tampering and living-off-the-land activity described above) rather than on a signature for a specific exploit. They are also relatively affordable for smaller businesses (~$6-$16 per endpoint monthly).
- Browser isolation technology, like what Menlo Security offers, is a powerful choice. It renders web content in a disposable cloud environment, so a browser exploit detonates there instead of on your endpoint.
- Zero Trust architecture means assuming everything is hostile until proven otherwise. Full Zero Trust implementation can take anywhere from 6-18 months.
- Network segmentation ensures a breach in one area doesn’t compromise everything. A realistic budget for a secure network with proper segmentation – that's fast, reliable, and compliant – can run from $5,000 to $15,000.
But here’s the brutal reality: Zero-day exploits are rarely the end goal.
State-backed attackers use zero days for revenue generation, potential future sabotage, and geopolitical advantage.
- Ransomware payments support rogue nuclear weapons programs, missile development, and military munitions for war (North Korea’s operators are the best-documented case). Revenues also fund more zero days.
- With access to sensitive systems, attackers gain a foothold for future acts of sabotage. A key focus is on critical services like water, energy, emergency services, and transportation.
- Small businesses are strategic assets that allow nation states to pivot to bigger targets. Once inside your system, the attackers steal credentials to access third-party resources. This poses a severe risk, especially if you work in defense, manufacturing, or utilities.
Action #2: Deploy LastPass SaaS Monitoring for SaaS visibility
The question isn’t whether you’ll face a zero-day attack.
The question is whether you’ll detect the credential abuse and data exfiltration that follows.
Netflix’s Zero Day series hit a raw nerve last year. The prospect of a cyber-attack targeting the national grid, plunging entire cities into darkness and bringing life to a standstill, is a very real fear.
As the series depicts, high-profile zero-days often have state backing.
And if you’re in the supply chain of larger targets, your business becomes collateral in the war: Attacks involving compromised credentials linger undetected far longer than others, taking an average of 292 days to identify and contain.
That’s 292 days of systemic compromise and silent theft.
While you go about your days unaware, believing your business is secure.
Here’s the bottom line: You can’t protect what you can’t see. LastPass SaaS Monitoring gives you the visibility you need, mapping your entire SaaS attack surface.
SaaS Monitoring lets you see who is using which apps, how frequently, and where potential security risks exist.
Most importantly:
- You know what your SaaS inventory is, and you have centralized identity management.
- You can mandate MFA for all third-party apps to add an extra barrier against unauthorized access.
- Best of all, you can easily deploy SaaS Monitoring via the LastPass browser extension. This is one-click, low-friction deployment, requiring no extra agents or complex integrations.
- You can configure policy actions (Allow, Warn, Block) in minutes.
Full SaaS visibility and centralized identity controls let you quickly verify zero-day affected apps, rotate credentials, and secure access as soon as the vendor releases a patch.
With LastPass SaaS Monitoring, you can act quickly and decisively without the need to hire more staff – all at a price that makes sense for your business.
*To try LastPass SaaS Monitoring for yourself, get your free Business Max trial now (no credit card required) *
Sources
CISA: CISA adds one known exploited vulnerability to catalog
The Hacker News: Chrome Zero-Day CVE-2025-6554 under active attack. Google issues security update
Cybersecurity News: Chrome Zero-Day vulnerabilities exploited in 2025 – A comprehensive analysis
Menlo Security Chrome Zero-Day: Why browser security is no longer optional
Palo Alto Networks: What is a zero day attack?
IBM: What is a zero-day exploit?
Fortinet: What is a zero-day attack?
The New York Times: Hundreds of businesses, from Sweden to U.S., affected by cyberattack
Cornell University: The Elderwood project