The Evolving Landscape of Zero-Day Vulnerabilities: Lessons from Microsoft's ZeroDay Quest
Drawing on our direct participation in Microsoft's ZeroDay Quest — where V-Spot researchers ranked 6th globally — this report examines the shifting dynamics of zero-day vulnerability discovery, responsible disclosure frameworks, and the emerging role of AI-augmented security research. We analyse over 200 vulnerability disclosures from the past eighteen months and present a taxonomy of exploitation techniques targeting modern enterprise software.
In November 2025, V-Spot's security research team participated in Microsoft's ZeroDay Quest — a global competition challenging the world's best vulnerability researchers to identify critical security flaws across Microsoft's product ecosystem. Our team ranked 6th globally, identifying multiple critical vulnerabilities in cloud services and developer tools. This experience, combined with our ongoing vulnerability research programme, provides the foundation for this report on the evolving landscape of zero-day vulnerabilities.
The State of Zero-Day Research in 2026
The zero-day landscape is characterised by three defining trends. First, the sheer volume of disclosed zero-day vulnerabilities continues to increase — Google's Threat Analysis Group tracked 97 zero-days exploited in the wild in 2025, up from 62 in 2023. Second, the sophistication of exploitation techniques has grown substantially, with attackers increasingly chaining multiple lower-severity vulnerabilities to achieve high-impact outcomes. Third, the time between vulnerability discovery and active exploitation has compressed dramatically, with some vulnerabilities being weaponised within hours of public disclosure.
Vulnerability Discovery Methodology
Our approach to vulnerability research combines manual code review, automated analysis, and adversarial testing. For the ZeroDay Quest, we focused on three primary areas.
Cloud Service Attack Surfaces
Microsoft's cloud services present an enormous and continuously evolving attack surface. Our team focused on areas where cloud services interact with customer-controlled inputs — authentication flows, API gateways, and resource provisioning endpoints. We identified several critical vulnerabilities in how these services handled malformed authentication tokens and edge cases in multi-tenant isolation boundaries.
Developer Toolchain Security
Developer tools represent an increasingly important attack vector, as compromising the development pipeline enables supply chain attacks with potentially massive downstream impact. We examined Visual Studio extensions, package management systems, and CI/CD integration points, identifying vulnerabilities that could allow malicious code execution during the build process.
AI Integration Points
As Microsoft integrates AI capabilities across its product portfolio, new attack surfaces emerge at the boundary between AI models and traditional software systems. We identified several vulnerabilities related to prompt injection in AI-augmented features and insufficient validation of AI-generated outputs before they were used in security-sensitive contexts.
Taxonomy of Modern Exploitation Techniques
Based on our analysis of over 200 vulnerability disclosures from the past eighteen months, we propose the following taxonomy of modern exploitation techniques.
Type Confusion and Object Lifecycle
Type confusion vulnerabilities remain highly impactful, particularly in complex object-oriented systems. Modern exploitation of these vulnerabilities increasingly relies on precise manipulation of object lifecycle events — constructors, destructors, and garbage collection callbacks — to achieve reliable control flow hijacking. We observed 34 distinct instances of this technique in our dataset.
Authentication Logic Bypasses
The complexity of modern authentication systems — with their support for multiple factors, federated identity, conditional access policies, and session management — creates numerous opportunities for logic-level bypasses. Unlike memory corruption vulnerabilities, these flaws cannot be mitigated through memory safety improvements and require rigorous formal verification of authentication state machines.
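To make the idea of verifying an authentication state machine concrete, here is an added example (not code from the report, from V-Spot, or from any Microsoft service) that exhaustively explores a toy login flow and checks the invariant "a session exists only if both factors were verified". The states, event names and the `guard_federated` switch are hypothetical; the technique is explicit-state reachability checking, a small-scale stand-in for a full model checker.

```python
from collections import deque

# State = (password_ok, mfa_ok, session_issued). Hypothetical toy model.
START = (False, False, False)

def transitions(state, guard_federated):
    """Yield (event, next_state) pairs allowed from `state`."""
    pw, mfa, sess = state
    if sess:
        yield "logout", START
        return
    yield "password_ok", (True, mfa, False)
    if pw:
        yield "mfa_ok", (pw, True, False)
    if pw and mfa:
        yield "issue_session", (pw, mfa, True)
    # Federated sign-in path. The unguarded variant accepts the assertion
    # without requiring that the MFA step has completed.
    if pw and (mfa or not guard_federated):
        yield "federated_assertion", (pw, mfa, True)

def invariant(state):
    """A session may exist only if both factors were verified."""
    pw, mfa, sess = state
    return (not sess) or (pw and mfa)

def find_violation(guard_federated):
    """Breadth-first search over reachable states.

    Returns the shortest event trace that breaks the invariant, or None
    if every reachable state satisfies it.
    """
    seen = {START}
    queue = deque([(START, [])])
    while queue:
        state, trace = queue.popleft()
        if not invariant(state):
            return trace
        for event, nxt in transitions(state, guard_federated):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [event]))
    return None

if __name__ == "__main__":
    print("unguarded:", find_violation(guard_federated=False))
    print("guarded:  ", find_violation(guard_federated=True))
```

Because the search is exhaustive over the model, a `None` result is a proof for that model only; the value of the exercise depends on the model matching the transitions the real system permits.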
Cross-Boundary Data Flow
Many modern vulnerabilities exploit the boundaries between different trust domains within a single application — for example, the boundary between user-supplied data and system-generated data, or the boundary between authenticated and unauthenticated contexts. Insufficient tracking of data provenance across these boundaries enables injection attacks, privilege escalation, and information disclosure.
The Responsible Disclosure Ecosystem
The ZeroDay Quest highlighted both the strengths and limitations of current responsible disclosure frameworks. Microsoft's programme is among the most mature in the industry, with clear communication channels, reasonable timeline expectations, and meaningful financial incentives. However, several challenges persist across the industry.
Disclosure timeline pressure. Researchers face a tension between allowing vendors adequate time to develop and distribute patches and the risk that other actors may independently discover and exploit the same vulnerability. The industry-standard 90-day disclosure window, while reasonable for isolated vulnerabilities, may be insufficient for complex multi-component vulnerabilities that require coordinated patches across multiple products.
Incomplete patches. Our analysis found that approximately 18% of initial vendor patches for reported vulnerabilities were incomplete — either failing to address all exploit paths or introducing new vulnerabilities in the remediation code. This underscores the need for researchers to verify patches and for vendors to invest in more rigorous patch testing.
Incentive misalignment. While bug bounty programmes have improved dramatically, the financial incentives for responsible disclosure still lag significantly behind those available through vulnerability brokers and grey-market transactions. Addressing this gap requires both increased bounty payments and non-financial incentives such as public recognition and access to pre-release software for security testing.
The Role of AI in Vulnerability Research
AI-augmented vulnerability research is no longer speculative — it is actively shaping the field. During the ZeroDay Quest, several participating teams (including ours) employed LLM-assisted code analysis to identify candidate vulnerabilities for deeper manual investigation. The efficiency gains were substantial: AI-assisted triage reduced the time required to assess a potential vulnerability from hours to minutes in many cases.
However, AI assistance also introduces new challenges. The risk of false positives from AI-generated findings requires significant human expertise to manage. More fundamentally, as AI tools become standard in vulnerability research, we can expect the discovery rate for certain vulnerability classes to increase dramatically, potentially overwhelming vendor patch capacity.
Recommendations
Based on our findings, we offer the following recommendations for organisations managing significant attack surfaces.
1. Invest in proactive vulnerability research. Waiting for external researchers or adversaries to find your vulnerabilities is an increasingly untenable strategy. Internal red team capabilities should be augmented with AI-assisted vulnerability discovery tools.
2. Implement defence in depth against zero-day exploitation. Network segmentation, behaviour-based detection, and robust incident response capabilities are essential given the shrinking window between vulnerability disclosure and exploitation.
3. Participate in the responsible disclosure ecosystem. Both as reporters and as recipients of vulnerability reports, organisations benefit from active participation in the responsible disclosure ecosystem. This includes maintaining a published vulnerability disclosure policy, responding promptly to reports, and providing meaningful recognition to researchers.
4. Prepare for AI-accelerated vulnerability discovery. The rate of vulnerability discovery will continue to increase as AI tools mature. Organisations must develop the capacity to assess, prioritise, and remediate vulnerabilities at a pace that matches the accelerating discovery rate.
Conclusion
The zero-day landscape is evolving rapidly, driven by increasing software complexity, the democratisation of exploitation tools, and the integration of AI into both offensive and defensive security research. The lessons from Microsoft's ZeroDay Quest reinforce a fundamental truth: proactive, research-driven security is the most effective defence against the zero-day threats of tomorrow. V-Spot remains committed to advancing this frontier through continued research, responsible disclosure, and the development of tools that make proactive security accessible to organisations of all sizes.