12 Worrying Zero-Day Exploit Statistics To Know In 2023

Over 75% of all software/apps have unknown unintentional flaws. If an attacker can secretly take advantage of them, this is known as a zero-day exploit.

Shockingly, it takes about 120 days for developers to identify and fix such security holes. The delay creates an open window that exposes victims to various cyberattacks.

And this barely touches the surface:

Read on for detailed zero-day exploit stats to help you stay vigilant.

Ready? Let’s check them out!


Eye-opening Zero-Day Statistics

Here’s a quick round-up of zero-day exploit facts that deserve your attention:

  • Zero-day exploits grew by 166% in 2021.
  • 36.6% of all zero-day exploits in the last decade happened in 2021. 
  • Zero-day exploits represent 3% of all cybersecurity threats.
  • 76% of applications have unknown vulnerabilities.
  • It takes up to 120 days to patch a zero-day exploit.
  • The average cost of an Android exploit is $2.5 million.
  • Zero-day malware makes up about two-thirds of all malware.

The above is an overview of zero-day threats. Now it’s time to explore the figures up close. 

General zero-day exploit statistics

There’s no software or app that’s free from flaws. Right from release, cybercriminals work round the clock to find vulnerabilities.

And the figures below prove just that:

1. Zero-day exploits grew by 166% in 2021.

(Source: Mandiant)

Data from cybersecurity firm Mandiant shows that zero-day exploits surged by 166% in 2021. Its records indicate the year had 50 more incidents than in 2020.  

It attributes the growth to adopting mobile apps, cloud hosting, and Internet of Things (IoT). This resulted in increased software production, leading to a rise in flaws.

2. 36.6% of zero-day exploits in the last decade happened in 2021. 

(Source: Mandiant)

Close to 40% of zero-day exploits in the last ten years occurred in 2021. Data by Mandiant shows total incidents from 2012 – 2018 tallied 82.

However, from 2019 to 2021 recorded 142 events, far exceeding the previous years combined. As noted earlier, cloud, mobile apps, and IoT technologies drove this growth.

Even more stunning:

3. 76% of applications have vulnerabilities.

(Source: Veracode)

A study involving 130,000 apps revealed 76% of them have vulnerabilities. A further 24% had high-severity flaws that could cause data leaks and credentials theft.

This is due to 97% of developers relying on open-source libraries. They’re known to host codes with unknown and unfixed exploits.

The good news? 

Around 67% of vendors express commitment to fixing the flaws. Still, this indicates about 33% of developers are slacking on security.

But it’s not their fault.

4. It takes up to 120 days to patch zero-day exploits. 

(Source: Microsoft)

Zero-day exploits take around two weeks to be available to the public. From there, software vendors spend 60 to 120 days to fix them.

The delay is due to the time it takes to examine the vulnerabilities. Developers must identify the root causes, potential impacts, and coordinate teams. 

Software patches additionally require thorough testing before pushing updates. Moreover, vendors may require the input of third-party stakeholders, which introduces more delays.

5. Zero-day exploits account for 3% of all cybersecurity threats.

(Source: IBM)

Data gathered by IBM since 1988 reveals zero-day exploits represent 3% of cyber threats. Known vulnerabilities come next at 34% and unexploited ones at 66%.

Of all cases, 1% are critical and 38% have a high threat rating. Those of medium and low risk follow with 50% and 11%, respectively. 

Malware zero-day exploit stats

Zero-day malware refers to tools that hackers create to exploit undisclosed software vulnerabilities. They do this to compromise users before developers discover and patch the flaws.

Yes, you’ve every reason to panic!

6. Zero-day malware comprises two-thirds of all malicious software.

(Source: WatchGuard)

Research by WatchGuard found that 65.6% of new malware includes zero-day exploits. The cybersecurity firm explains the rise to have connection with the COVID pandemic.

Work-from-home policies increased the number of employees connected to the Internet. Accordingly, this motivated hackers to look for software and hardware vulnerabilities. 

And it gets even scarier:

7. 66.7% of zero-day malware evades signature-based protection. 

(Source: WatchGuard)

Almost three-quarters of zero-day malware can evade antivirus protection. They can bypass algorithms that cybersecurity experts use to identify malicious software.

What’s more shocking is 67% of them arrive via encrypted web connections. It implies cybercriminals are increasingly outsmarting hardened security protocols.

Industry-based zero-day exploit facts

Zero-day threats largely revolve around known software vendors. That’s because their products and solutions are popular amongst millions of users.

8. Microsoft, Apple, and Google are the most targeted vendors.    

(Source: Mandiant)

Microsoft, Apple, and Google lead the pack when it comes to zero-day exploits. The tech giants take the lion’s share, attracting 75% of undisclosed vulnerabilities.

Here’s the breakdown (approximates):

  • Microsoft – 30% 
  • Apple – 25% 
  • Others – 25%
  • Google – 21%

The reason behind this is pretty apparent. Their products are widely used.

9. Adobe is no longer a hot target of zero-day exploits.

(Source: Mandiant)

Adobe Inc. is no longer at the for zero-day exploits. It held the second spot from 2012 to 2017 with a 20% share. 

Mandiant attributes the sudden drop to Flash Player’s end-of-life. The software was essential in powering web apps between 1993 to 2020.

Now, as you may imagine zero-day exploits cost a fortune:

Zero-day exploit financial facts

There’s a vast market for zero-day exploits. The hackers that discover undisclosed vulnerabilities can sell them for top dollar.

10. A third of zero-day exploits are financially motivated.

(Source: Mandiant)

Zero-day exploits wouldn’t be that common if they weren’t handsomely rewarded, right?

Mandiant’s study suggests 33% of these attacks are financially motivated. As such, hackers profit by selling their discoveries to any willing buyer.

And it t pays big time!

11. The price of an Android exploit is $2.5 million.

(Source: Zerodium)

Cybersecurity company Zerodium offers mouthwatering bounties for zero-day discoveries. Currently, Android exploits can fetch upwards of $2.5 million.

Apple and iPad (iOS) threats come second with a reward of $2 million. WhatsApp and iMessage immediately follow, attracting a $1.5 million payout. 

Not bad, huh?

Geographical zero-day exploit facts

Some countries also use zero-day exploits to sabotage enemy states.

12. State-sponsored groups dominate zero-day exploitation.

(Source: Mandiant)

China, Russia, and North Korea contribute widely to zero-day exploitation. They’re known to sponsor hackers in deploying large-scale cyber attacks against rival nations.

About 70% of these threats involve spying and stealing military intelligence. The remaining 30% are financially motivated.

Wrap Up

Zero-day exploits are undeniably becoming a headache in the cybersecurity space. Each day, unknown threats emerge, exposing unsuspecting users to cybercriminals.

Corporates and security experts are willing to pay a fortune for such discoveries. It gets worse when you learn that some governments are behind such activities. 

Overall, the above zero-day exploit statistics call for vendors to proactively develop products. They need to conduct rigorous testing to minimize the threats greatly.


What percentage of attacks are zero-day?

Zero-day attacks account for 3% of all cybersecurity threats. Of this number, 40% have devastating effects on the end-users. That’s because it takes around four months to identify and fix the flaws. 

How common are zero-day exploits?

Studies show that about 40% of all zero-day exploits in the last decade occurred in 2021. This shows how increasingly this threat is becoming common.

What is the most famous zero-day exploit?

The most famous zero-day exploit is Stuxnet, discovered in 2010. The malware allows attackers to penetrate and paralyze large-scale industrial control systems. Surprisingly, the United States and Israel once used it to halt Iran’s nuclear program.

Are zero-day attacks increasing?

Yes, they аre. Studies show that there were 82 zero-day attacks in 2021. This is over twice the 30 cases reported in 2020.

What is the latest zero-day vulnerability 2023?

The most recent zero-day vulnerability is the Windows Common Log File System (CLFS). Discovered in 2023, it enables cybercriminals to gain system privileges on target machines. The hackers then use it to deploy ransomware to the victims’ computers.  

What percentage of vulnerabilities are exploitable?

Our zero-day exploit statistics show around 34% of vulnerabilities are exploitable. This leaves out 66% that are unexploitable.


  1. Mandiant
  2. Veracode
  3. Microsoft
  4. IBM
  5. WatchGuard
  6. Zerodium