Zero-day vulnerabilities: how to manage what you cannot patch
A zero-day has no patch — yet defenders are not helpless. Layered controls, virtual patching, and threat intel reduce the blast radius until a fix arrives.
A zero-day is a vulnerability for which no vendor patch exists at the time of discovery. The 2024 CitrixBleed 2 (CVE-2025-5777) and the 2024 Ivanti Connect Secure chain (CVE-2024-21887 + CVE-2024-46805) are recent examples that defenders learned about only as exploitation began. CISA publishes the Known Exploited Vulnerabilities catalog (KEV) listing CVEs with confirmed in-the-wild abuse — many were zero-days when they entered the catalog and remained widely unpatched for weeks.
The first line of defense is reducing exposure. Inventory and remove anything internet-facing that does not need to be. Edge devices — VPN concentrators, firewalls, and file transfer appliances, with products such as MOVEit Transfer, Citrix NetScaler, Fortinet and Ivanti among the most frequently hit — account for a disproportionate share of recent zero-day exploitation. If a device must be exposed, place it behind a reverse proxy with per-source rate limiting and authentication, and restrict the management interface to a jump host on a separate VLAN.
Virtual patching buys time when no vendor patch exists. Web Application Firewalls (Cloudflare, AWS WAF, ModSecurity with the Coraza engine) and intrusion prevention systems (Palo Alto Threat Prevention, Cisco Firepower, open-source Suricata with Emerging Threats rules) can be loaded with blocking signatures within hours of public exploit detail. Subscribe to commercial threat intel — Mandiant, Recorded Future, Group-IB — or open-source feeds — Shadowserver, MISP communities — and propagate IOCs through your detection stack within minutes of receipt.
EDR and behavior-based detection close the rest of the gap. Even an unknown exploit must perform recognizable post-exploitation: spawning a shell from a web server process, dumping LSASS, or beaconing to new infrastructure. Tune your EDR rules against MITRE ATT&CK and validate with Atomic Red Team scripts. Maintain a documented emergency change process to apply mitigations in hours rather than days, and rehearse it quarterly. The teams that survive zero-days are not the ones with magical foreknowledge but the ones who can react in two hours rather than two weeks.
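To make the behavior-based point concrete, here is an added example (not code from the article or any vendor) that runs two of the post-exploitation rules named above over constructed, Sysmon-style JSON telemetry: a web server process spawning a shell, and a process reading LSASS memory. Field names, hostnames and paths are assumptions chosen for the sample.

```python
"""Behaviour-based triage of endpoint events (added example, constructed data)."""
import json
import ntpath
import posixpath
from typing import List, Optional, Tuple

# Parent images that should never spawn an interactive shell in normal operation.
WEB_SERVER_IMAGES = {"w3wp.exe", "httpd", "nginx", "apache2", "tomcat9", "php-fpm"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash"}
PROCESS_VM_READ = 0x0010  # Windows access right required to read another process's memory


def basename(path: str) -> str:
    """Final path component, lower-cased, for either Windows or POSIX paths."""
    if "\\" in path:
        return ntpath.basename(path).lower()
    return posixpath.basename(path).lower()


def detect(event: dict) -> Optional[str]:
    """Return a MITRE ATT&CK technique ID when the event matches a rule, else None."""
    if event.get("event_id") == 1:  # process creation (Sysmon ID 1 style fields)
        parent, child = basename(event["parent_image"]), basename(event["image"])
        if parent in WEB_SERVER_IMAGES and child in SHELL_IMAGES:
            return "T1505.003"  # Server Software Component: Web Shell
    elif event.get("event_id") == 10:  # process access (Sysmon ID 10 style fields)
        if basename(event["target_image"]) == "lsass.exe" and (
            int(event["granted_access"], 16) & PROCESS_VM_READ
        ):
            return "T1003.001"  # OS Credential Dumping: LSASS Memory
    return None


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every rule over JSON-lines telemetry and return (host, technique) hits."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        tech = detect(ev)
        if tech:
            hits.append((ev["host"], tech))
    return hits


# Constructed sample telemetry: one benign line between two suspicious ones.
SAMPLE = [
    '{"event_id": 1, "host": "web01", "parent_image": "C:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe", "image": "C:\\\\Windows\\\\System32\\\\cmd.exe"}',
    '{"event_id": 1, "host": "web02", "parent_image": "/usr/sbin/nginx", "image": "/usr/sbin/nginx"}',
    '{"event_id": 10, "host": "dc01", "source_image": "C:\\\\Temp\\\\dump.exe", "target_image": "C:\\\\Windows\\\\System32\\\\lsass.exe", "granted_access": "0x1010"}',
]

if __name__ == "__main__":
    for host, tech in triage(SAMPLE):
        print(f"{host}: {tech}")
```

In production the same two rules are expressed as EDR or Sigma rules rather than a script; the value of the script is that it shows the exact fields a rule needs and can be validated against Atomic Red Team output.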