
By Ling Cheng (Marketing Director)
Did you know that current methods for managing software vulnerabilities still carry the risk of recalls? This is because many vulnerabilities’ details remain undisclosed or are only officially revealed after long delays. This gap makes it impossible to defend systems against attacks that exploit zero-day vulnerabilities.
What are zero-day vulnerabilities?
A zero-day vulnerability is a hidden, high-risk threat that attackers can exploit before it is widely known. If a zero-day attack occurs unexpectedly and no solution is available, companies might face costly recalls and serious reputational damage. For example, an OEM was forced to recall 1.4 million vehicles and incurred a US$105 million fine following an attack.
Dealing with a zero-day vulnerability can be highly challenging, with the threat stemming from three key scenarios:
- Attackers know about the vulnerability, but no one else does.
- Attackers know about the vulnerability, and only a small group of insiders or dark web users are aware of it.
- Attackers know about the vulnerability, but the affected company remains completely unaware.
What does this mean? Since zero-day vulnerabilities are unknown, there are no solutions available. As a result, zero-day attacks have a high success rate, posing a significant risk to companies that could lead to devastating consequences.
Zero-day vulnerabilities are a real and growing threat
At the inaugural edition of VicOne and Trend Zero Day Initiative™ (ZDI)’s Pwn2Own Automotive vulnerability discovery contest, held in 2024, researchers uncovered 49 zero-day vulnerabilities in just three days — more than the total found in all of 2023. Noteworthy discoveries included vulnerabilities that could:
- Allow attackers to inject or drop malicious CAN messages, potentially leading to car theft or unauthorized control over critical vehicle functions.
- Allow attackers to carry out a remote code execution (RCE) attack, potentially leading to a takeover of the vehicle communication system.
- Allow attackers to remotely control charging systems, potentially leading to overload of the power grid or damage to chargers and vehicles.
At the 2025 edition of Pwn2Own Automotive, another 49 zero-day vulnerabilities were discovered by researchers over three days.
Yet, these high-risk vulnerabilities are not included in the National Vulnerability Database (NVD). Due to the closed nature of the automotive industry, many vulnerabilities are not reported to the NVD, let alone have their details disclosed, leaving security gaps hidden from public awareness. Focusing solely on known vulnerabilities is no longer enough to address the evolving risks in today’s software-defined vehicle (SDV) ecosystem.
Figure 1. The current most commonly used method for handling software security risks
Integrating zero-day vulnerability intelligence
In contrast to vulnerability management platforms that narrowly address known open-source vulnerabilities only, VicOne’s xZETA offers superior visibility into zero-day, undisclosed, and known vulnerabilities, Common Weakness Enumeration (CWE), advanced persistent threats (APTs),* and ransomware.* Our threat intelligence surpasses the National Vulnerability Database (NVD) by 189%, providing a wider spectrum of detection coverage.
Figure 2. VicOne’s xZETA offers the best coverage with 189% more visibility than the NVD.
At VicOne, we fully understand the critical impact that zero-day vulnerabilities can have on the automotive industry. This is why we employ proactive yet comprehensive strategies (including AI-powered zero-day identification research, dark web monitoring, vulnerability acquisition and intelligence sharing, and automotive vulnerability discovery contests) to uncover and address these threats. These efforts reinforce our leadership in automotive cybersecurity solutions and our unwavering commitment to securing connected vehicles in an ever-evolving threat landscape.
*Patent pending