What does 'zero-day' vulnerability mean?

The term 'zero-day' vulnerability refers to a security flaw that is unknown to the vendor at the time of its discovery. This means that there has been no patch or fix provided by the software developer to address the vulnerability, leaving the software susceptible to exploitation by attackers. Because the vendor is unaware of the flaw, there is effectively "zero days" of notice for the vendor to take action and protect their users. This lack of vendor knowledge can lead to a critical risk, as attackers may exploit the vulnerability before a patch or mitigation strategy is implemented.

The other options do not accurately describe a zero-day vulnerability; a patched flaw indicates that the vendor is aware and has responded, a vulnerability discovered by security researchers doesn’t necessarily imply it’s a zero-day unless the vendor is unaware, and a common weakness suggests known vulnerabilities which have likely been documented and addressed, rather than being completely unknown.