
Until recently, zero-day vulnerabilities seemed like exotic artifacts from the world of special operations and espionage. Now they are a common tool for hacking corporate networks, and not just because attacks have increased. The main change is speed: from the first warning signs to actual exploitation, sometimes only a few hours pass.
This is the picture painted by the ForeScout Labs 2025 H1 Threat Review: according to the report, the number of zero-day attacks increased by 46% in the first half of 2025. While security teams once considered a lag of days between the publication of a vulnerability and the appearance of exploits in the field to be normal, today that lag has shrunk to hours, and sometimes even less.
This growth does not appear to be a random fluctuation. Experts attribute it to a “perfect storm”: increasing software complexity, expanding supply chains, growing dependencies, and attacks accelerated by artificial intelligence. Systems are becoming so complex that secure development cannot keep pace, and bugs are becoming increasingly difficult to detect during routine testing.
At the same time, the commercial market for zero-days has also exploded: vulnerabilities that allow privilege escalation, authentication bypassing, or account compromise have become highly sought-after commodities. Both criminal groups and nation-state-affiliated buyers are competing for these discoveries, especially when it comes to accessing clouds, identity platforms, and industrial infrastructure.
Artificial intelligence, the researchers report, has accelerated almost the entire cycle: automated fuzzing, finding exploitable bugs, and generating proofs of concept shorten the time from the discovery of a bug to its deployment in the field. What previously required specialized skills is now more accessible and quicker to perfect, even for less experienced attackers.
The attack surface is ever-expanding: more devices, more edge and IoT devices, more legacy systems, and therefore more places to find vulnerabilities.
Attackers are increasingly moving beyond browsers and workstations, exploring unconventional targets such as IP cameras and industrial equipment. These devices provide a convenient and stealthy base for further network movements, a scenario that is increasingly common in ransomware attacks and targeted operations.
Old components, such as file systems, drivers, and network stacks, remain fertile ground for new discoveries. Geopolitical tensions are fueling demand for zero-day exploits, as intelligence groups are highly motivated to search for and stockpile unknown vulnerabilities.
Even the tactics themselves are changing. Targeted operations are increasingly giving way to “industrialized exploitation,” where the zero-day attack is merely a starting point. Attackers then build a chain of supply-chain compromises, credential theft, lateral movement, and privilege escalation. Instead of relying on a single flaw, they combine multiple vectors to gain privileged access more reliably.
For defense professionals, this is an unpleasant mathematical problem. Some vulnerabilities are exploited within hours of public disclosure, especially when it comes to edge systems or ubiquitous devices. The window for applying patches or workarounds has almost closed, and the usual “update released, we’ll deploy it as scheduled” approach no longer holds. While initial penetration may take minutes, the attacker’s “lifespan” within the network extends for months.
Defenses must be implemented as if an unknown vulnerability could be exploited almost instantly. Emphasis is placed on models such as zero trust and mitigating measures at the identity, endpoint, application, and network levels that slow down attackers even before a patch is available. Least privilege, segmentation, and continuous account verification are becoming increasingly important to prevent the spread of attacks. A shift from “intermittent” to continuous practices is necessary, with a focus on containment, segmentation, and behavioral detection.
There’s good news: observability has increased in recent years. Telemetry is shared more frequently, and vulnerability disclosure processes and vendor reporting have matured.
But this is not enough to keep up with attackers’ adaptation. The most dangerous blind spot is identity: zero-day exploits often appear as legitimate logins with real credentials. Without adequate logging, behavioral baselines, and privilege controls, attackers can remain invisible. Furthermore, blind spots persist in supply chains, firmware, unmanaged devices, and shadow SaaS services. IoT, edge, OT, and legacy systems are often poorly monitored, and patches are applied slowly or not at all, so attacks can remain undetected for long periods.
Overall, this doesn’t look like a short-term spike, but rather a sign of a changing landscape.
The old assumption that there’s a window of opportunity to respond between a vulnerability and its widespread exploitation is no longer valid. Organizations are forced to build their defenses based on the unfortunate assumption that unknown vulnerabilities will be exploited, and the goal of defense is not only to quickly fix them, but also to prevent a breach from becoming a chain reaction.
