I've been a security researcher for almost half my life (you can guess my age, but the back-of-the-napkin math implies I am old). Just a few short years ago, security researchers worked on a handful of zero-day vulnerabilities, or zero days, a year. How the tide has turned...
The simple definition of a zero-day vulnerability is one that is known to be present and for which no vendor patch is available. Most of the zero days we worked on then were vulnerabilities that had been exploited in the wild and, by a stroke of luck, were discovered to be present.
Nowadays, though, zero days seem to be a dime a dozen, or almost 3 dozen so far in 2025. How did we go from 2 a quarter at most in 2005 (from memory, albeit an older person's) to 30+ in a quarter?
In 2024, 90 zero days were disclosed. This number does not include the far larger number of vulnerabilities discovered by researchers worldwide and disclosed to vendors or remediated prior to disclosure. Microsoft has patched 12 zero days so far in 2025, a record of sorts on its own.
The CISA Known Exploited Vulnerabilities (KEV) Catalog is a list of vulnerabilities confirmed to have been exploited by attackers. It was originally conceived for use by government agencies but is now popular among stakeholders in all domains as a great resource for tracking exploited vulnerabilities. Attackers use it, too!
41% of the CVEs added to the KEV catalog so far in 2025 are zero days, more than 30 at the time of writing. If we stay on that trajectory, we will reach well over 100 by the end of the year.
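The KEV catalog is published as a JSON feed, so a defender can do the kind of tracking described above in a few lines of Python. The script below is an added example, not code from the original post or from Todyl: it parses a KEV-style document, counts how many entries were added per year, flags the ones that touch products in a local inventory, and lists entries whose remediation due date has passed. The field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) follow the public KEV feed; the records, CVE numbers and inventory are constructed placeholders, not real catalog data.

```python
"""Parse a KEV-style JSON feed, count additions per year, and flag entries that
touch products in a local inventory or are past their remediation due date."""
import json
from collections import Counter
from datetime import date

# Constructed sample shaped like the public KEV JSON feed. Field names follow
# that feed; the records and CVE numbers are placeholders, not real KEV data.
SAMPLE_KEV_JSON = """
{
  "title": "Constructed KEV-style sample",
  "count": 4,
  "vulnerabilities": [
    {"cveID": "CVE-2024-00001", "vendorProject": "ExampleVendor", "product": "Example Gateway",
     "dateAdded": "2024-11-04", "dueDate": "2024-11-25", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-00001", "vendorProject": "ExampleVendor", "product": "Example Gateway",
     "dateAdded": "2025-01-15", "dueDate": "2025-02-05", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-00002", "vendorProject": "OtherCorp", "product": "Other Mail Server",
     "dateAdded": "2025-03-02", "dueDate": "2025-03-23", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-00003", "vendorProject": "ThirdParty", "product": "Third Firewall",
     "dateAdded": "2025-04-20", "dueDate": "2025-05-11", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed local inventory: lower-cased (vendor, product) pairs the organization runs.
INVENTORY = {("examplevendor", "example gateway"), ("thirdparty", "third firewall")}


def load_kev(text):
    """Return the list of vulnerability records from a KEV-style JSON document."""
    return json.loads(text)["vulnerabilities"]


def added_per_year(entries):
    """Count catalog additions by the year of their dateAdded field."""
    return dict(Counter(int(e["dateAdded"][:4]) for e in entries))


def match_inventory(entries, inventory):
    """Return CVE IDs whose vendor/product pair appears in the local inventory."""
    return sorted(
        e["cveID"] for e in entries
        if (e["vendorProject"].lower(), e["product"].lower()) in inventory
    )


def overdue(entries, today):
    """Return CVE IDs whose remediation due date is already past on `today`."""
    return sorted(e["cveID"] for e in entries if date.fromisoformat(e["dueDate"]) < today)


def ransomware_linked(entries):
    """Return CVE IDs the catalog marks as used in known ransomware campaigns."""
    return sorted(e["cveID"] for e in entries if e.get("knownRansomwareCampaignUse") == "Known")


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    print("added per year:", added_per_year(kev))
    print("in our inventory:", match_inventory(kev, INVENTORY))
    print("overdue as of 2025-03-15:", overdue(kev, date(2025, 3, 15)))
    print("ransomware-linked:", ransomware_linked(kev))
```

Against the real feed you would replace `SAMPLE_KEV_JSON` with the downloaded catalog and `INVENTORY` with your asset data; the per-year count is where the growth the post describes becomes visible, and the inventory match is what turns the catalog from a headline into a patch queue.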
Not all zero days are equal, though. Even if two zero days have the same Common Vulnerability Scoring System (CVSS) score, their total impact depends on:
The fact remains that a staggering number of zero days have been disclosed in 2025, and the number is growing year over year. It makes you wonder how we got to these numbers when:
Looking over the state of zero days, several underlying trends indicate why these vulnerabilities continue to plague the security industry.
In many organizations, SDL (Secure Development Lifecycle) is simply not given adequate resources. Even some security vendors don’t grant it the same importance as meeting release demands. At Todyl, we continuously refine our SDL process to maintain proper quality assurance (QA) timelines and ensure validation and compliance before any changes go into our security platform. Periodic penetration testing and package checks support our endeavor for secure development.
Often, public companies are hyper-focused on their current quarter's bottom line. Few track the long-term costs of security vulnerabilities, especially the potential ramifications of a security issue like a zero-day vulnerability.
Building SDL in from square one adds upfront cost. Over time, however, it is more expensive to fix zero days and other vulnerabilities discovered after release. SDL must therefore be a key priority, ensuring as many vulnerabilities as possible are found and fixed before a product is released.
On top of that, more software is being written in our increasingly digital landscape, so sheer volume plays a role in the number of vulnerabilities. The proliferating use of AI in coding to address this volume only compounds the issue. Despite making coding more accessible, AI-driven "vibe coding" often produces mistakes that go unnoticed without proper QA.
Then there is the interconnectedness of the current software landscape, including the immense use of third-party libraries and code: supply chain problems add to the number of zero days. A vendor may inadvertently introduce a zero day into its software, which then affects every other solution that relies on it. If that vulnerability is exploited, attackers can move down the chain to those dependent solutions as well, increasing the blast radius and opening the door to more zero days and other vulnerabilities.
As with all things in cybersecurity, there are no silver bullets for the zero-day problem we face. That said, increasing zero-day awareness and building SDL into the collective mindset can help turn the tide in favor of the defenders. Taking the time to evaluate potential exposures before a release minimizes the chance of zero days while saving the money that would otherwise be spent addressing them after they become problems.
Of course, there are many other ways to keep zero days from affecting your operations, including preventative, layered security programs. But what are your thoughts on the topic? Reach out to me over email or the Todyl Community, or contact us to keep the conversation going.