
Why attackers don't need zero-day exploits to compromise your IS

When we talk about computer attacks, the collective imagination spontaneously turns to highly technical threats. We think of zero-day exploits, complex chains of vulnerabilities, and targeted attacks of rare sophistication. However, in the vast majority of cases, that is not where the incidents start.
In the real world, attackers prefer simpler, cheaper paths, often built on negligence that has been known and documented for a long time. That is precisely what makes them effective. Incident reports published by public bodies such as ANSSI and by private actors such as Verizon or Mandiant converge on the same observation: the majority of compromises exploit accessible vectors. These are weak passwords, unpatched software, services exposed to the Internet without control, or user behaviour hijacked by social engineering. In other words, banal, but sufficient, flaws.
“Let's take a concrete example: phishing.”
This method requires no technical exploit and no system vulnerability. It relies solely on human interaction, usually made possible by a lapse in vigilance or by overconfidence. An email, an attached document, or a booby-trapped link is enough to initiate a compromise.
Likewise, known but unpatched vulnerabilities remain a prime target. It is not uncommon to see infrastructures compromised through CVEs published several months or even years earlier. This patching delay is exploited methodically and at scale by actors of very varied profiles: cybercriminal groups, APTs, opportunistic botnets.
On top of this come poorly segmented environments, systems needlessly exposed to the Internet, and the absence of privilege control. All of these facilitate lateral movement, privilege escalation, or persistence. There is nothing spectacular about any of them, but combined they are remarkably effective.
“The fascination with zero-day exploits rests largely on an illusion of rarity and extreme danger.”
These flaws exist, of course, and some are formidable. But they are seldom needed. For an attacker, it is far more profitable to exploit an already public vulnerability on an outdated system than to rely on a zero-day that is expensive to develop or acquire.
This observation should prompt organizations to reconsider how they design their security. A defensive posture is more than the detection of sophisticated threats. Above all, it rests on basic hygiene: asset inventory, vulnerability management, an update policy, robust authentication, access control, and user awareness.
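The first three of those fundamentals (inventory, vulnerability management, update policy) only pay off when they are tied together: an inventory that records versions and Internet exposure lets you rank which unpatched systems an opportunistic attacker will reach first. The script below is an added example, not code from the original article; it triages a constructed inventory against a constructed list of already-public, already-fixed vulnerabilities, ranking Internet-exposed hosts highest and then ordering by how long the fix has been available. Host names, software names, versions and advisory labels are all placeholders.

```python
from datetime import date

# Constructed sample inventory (placeholder hosts and software, not real assets).
INVENTORY = [
    {"host": "vpn-gw-01", "software": "exampled", "version": "2.3.1", "internet_exposed": True},
    {"host": "app-07", "software": "exampled", "version": "2.4.0", "internet_exposed": False},
    {"host": "file-02", "software": "shareapp", "version": "1.8", "internet_exposed": False},
    {"host": "www-03", "software": "shareapp", "version": "1.9", "internet_exposed": True},
]

# Constructed list of publicly known vulnerabilities (placeholder advisory labels,
# not real CVE identifiers). Every version strictly below "fixed_in" is affected.
KNOWN_VULNS = [
    {"id": "ADV-A (placeholder)", "software": "exampled", "fixed_in": "2.4.0",
     "published": date(2024, 1, 15)},
    {"id": "ADV-B (placeholder)", "software": "shareapp", "fixed_in": "1.9",
     "published": date(2024, 6, 1)},
]

# Internal hosts are still a P2 once the fix has been public longer than this.
PATCH_GRACE_DAYS = 30


def parse_version(text):
    """Turn '1.10.2' into (1, 10, 2) so that 1.10 sorts after 1.9."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(installed, fixed_in):
    """True when the installed version is strictly older than the fixing release."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # treat 1.9 as 1.9.0 when compared with 1.9.1
    b += (0,) * (width - len(b))
    return a < b


def triage(inventory, vulns, today):
    """Match hosts against known vulnerabilities and rank what to patch first.

    P1: Internet-exposed and vulnerable (reachable by opportunistic scanning).
    P2: internal and vulnerable, fix public for longer than PATCH_GRACE_DAYS.
    P3: internal and vulnerable, fix published recently.
    """
    findings = []
    for host in inventory:
        for vuln in vulns:
            if vuln["software"] != host["software"]:
                continue
            if not is_vulnerable(host["version"], vuln["fixed_in"]):
                continue
            age = (today - vuln["published"]).days
            if host["internet_exposed"]:
                priority = "P1"
            elif age > PATCH_GRACE_DAYS:
                priority = "P2"
            else:
                priority = "P3"
            findings.append({
                "host": host["host"],
                "software": host["software"],
                "version": host["version"],
                "advisory": vuln["id"],
                "fixed_in": vuln["fixed_in"],
                "patch_age_days": age,
                "priority": priority,
            })
    # Highest priority first; within a priority, the longest-available fix first.
    findings.sort(key=lambda f: (f["priority"], -f["patch_age_days"]))
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY, KNOWN_VULNS, date(2024, 9, 1)):
        print(f"{f['priority']} {f['host']:10} {f['software']} {f['version']} "
              f"-> {f['fixed_in']} ({f['advisory']}, fix public {f['patch_age_days']} days)")
```

Run as-is it reports the exposed VPN gateway as P1 and the internal file server as P2; the two hosts already on the fixed release produce nothing. In practice the inventory and advisory lists would come from your CMDB and vendor feeds, but the ranking rule is the point: exposure plus patch age is what decides whether a public vulnerability is an attacker's easy way in.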
Until these fundamentals are mastered, attackers will not need technical innovations to achieve their goals.