
What Is a Zero-Day and Why It Matters for Everyone

  • Writer: Joseph Rapley
  • 22 hours ago

Most people hear the term zero-day and assume it's only relevant to big tech companies or spy agencies. In reality, zero-days affect everyone more than you'd think. They turn up in phones, laptops, routers, apps and the cloud tools that we all use. Understanding what they are makes it easier to see why software updates appear at the worst possible moments and why they're not just a concern for security people.

Fresh vulnerability

A zero-day vulnerability is a flaw in software or hardware that attackers find before the vendor even knows it exists. It's called zero-day because the vendor has had zero days to fix it. You'll see it written a few different ways: zero day, zero-day, 0-day, 0day, and pronounced as "zero day" or "oh day". They all mean the same thing: an unknown, unpatched flaw that attackers are likely already using.


Because there's no patch available, attackers tend to move fast once they discover these bugs. Once a vendor catches on and pushes out an update, it's technically no longer a zero-day and becomes an n-day. The name reflects that the bug has now been known for n days. From then on, attackers start hunting for anyone who hasn't bothered updating yet. These older bugs can stay dangerous for months if people or businesses are slow with patches.


Zero-days show up in more places than most people realise. Operating systems like Windows, macOS, iOS and Android all have them. Browsers like Chrome and Edge get hit. Network gear like home routers, Wi-Fi access points and NAS boxes can have them too. They appear in cars, smart TVs, payment systems and the online tools small businesses depend on to keep things running. When a flaw exists in something used by millions of people, attackers only need a fraction of them to skip updates for it to be worthwhile.


There have been plenty of zero-days in recent years that affected regular users. A bunch of Android zero-days in Google's December 2025 update had already been exploited before patches came out, and many of those devices were standard Samsung and Pixel phones you'd see anywhere in NZ. Messaging apps, PDF readers and browser extensions have all had their own zero-days, often exploited through something as basic as opening a dodgy file or clicking through to a compromised website. Router vulnerabilities have let attackers take over home and business networks remotely, without any indication that devices have been compromised.


This matters for reasons beyond the technical side. When a zero-day is being actively used, the usual safety nets don't work. Antivirus software struggles to pick it up. Firewalls might not block it. Attackers can get into devices quietly and steal data, track what people are doing or drop more malware. Businesses risk having customer info stolen or their operations disrupted. Regular people can lose access to personal photos, online banking, emails or social media accounts. A single unpatched phone or laptop can also become an entry point into a company network, which is why attackers often go after individuals first.


Zero-days are valuable to criminals because they provide a reliable edge. They don't need someone to fall for a phishing email if they can exploit a device directly. That's why organised groups and spyware developers throw serious time and money into finding them. Once they've got a working exploit, they'll use it until patches start rolling out and people update. After that, the vulnerability shifts from a zero-day to an n-day, and attackers look for anyone slow to patch.


The best defence is keeping everything updated. That means phones, laptops, work computers, browsers, routers and smart devices. Anything connected to the internet needs regular updates. It also means switching on automatic updates wherever you can so patches install quickly. For businesses, having a system for tracking which devices are running outdated software is crucial, because attackers will always go after the weakest link.
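A simple version of that tracking could look like the sketch below. It is an added example, not part of the original article: it compares each device's installed version with the version that contains the fix and reports how many days the fix has been available (the "n" in n-day). The product names, versions, dates and function names are all constructed for illustration, and versions are assumed to be dotted numbers.

```python
from datetime import date

# Constructed sample data: product names, versions and dates are placeholders.
PATCHES = {
    "phone-os": {"fixed_in": "15.2.1", "released": date(2025, 1, 6)},
    "router-fw": {"fixed_in": "3.0.10", "released": date(2025, 1, 20)},
}

INVENTORY = [
    {"device": "reception-phone", "product": "phone-os", "version": "15.2.0"},
    {"device": "sales-phone", "product": "phone-os", "version": "15.2.1"},
    {"device": "office-router", "product": "router-fw", "version": "3.0.9"},
    {"device": "label-printer", "product": "printer-fw", "version": "1.4"},
]


def parse_version(text):
    """Turn '3.0.10' into (3, 0, 10) so that 3.0.10 sorts above 3.0.9."""
    return tuple(int(part) for part in text.split("."))


def audit(inventory, patches, today):
    """Return (device, status, n_days): unknowns first, then most overdue."""
    report = []
    for item in inventory:
        patch = patches.get(item["product"])
        if patch is None:
            # No patch data is not the same as safe: flag for manual review.
            report.append((item["device"], "unknown", None))
            continue
        if parse_version(item["version"]) >= parse_version(patch["fixed_in"]):
            report.append((item["device"], "patched", 0))
        else:
            # The "n" in n-day: days the fix has existed but is not installed.
            n_days = (today - patch["released"]).days
            report.append((item["device"], "outdated", n_days))
    return sorted(report, key=lambda row: (row[2] is not None, -(row[2] or 0)))


if __name__ == "__main__":
    for device, status, n_days in audit(INVENTORY, PATCHES, date(2025, 2, 5)):
        print(f"{device:16} {status:9} {n_days if n_days is not None else '-'}")
```

Devices with no patch information are listed first on purpose, since a device nobody is tracking is the easiest one to forget about.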


Zero-days might sound like something that only matters to enterprises or governments, but they affect real people every day. Modern life runs on software we don't see, on devices we depend on for work, banking, communication and everything else. When a patch shows up, it's not an annoyance. It's often the fix for an invisible problem that someone, somewhere, has already worked out how to exploit.
