Vulnerabilities are weaknesses in a system or resource that can be exploited by an attacker. Vulnerabilities may be known, unknown, or newly discovered (zero-day).
Vulnerabilities vary widely: they can be defects in a system’s design, implementation, operation or internal control. Often, a vulnerability is not considered a security risk if the target asset is of no value.
The specific tool an attacker uses — software, data, or set of commands — is the exploit. Where an attacker’s tool meets the vulnerability is the attack surface. Known vulnerabilities are ones with at least one documented instance of a deployed, functioning exploit.
Zero-day is the date when a vulnerability is first discovered; hence, zero-day exploits are exploits that target unknown or unaddressed software vulnerabilities.
“Zero-days are especially dangerous because they are neither known nor newly discovered vulnerabilities. The target typically learns about them from the damage a hacker brings, or at the very least you learn about it from some unflattering Twitter or Reddit thread.”