Zero-day vulnerabilities continue to represent one of the most difficult challenges in cybersecurity operations. Their very nature disrupts traditional vulnerability management workflows: they go undetected, with no known exploit to track, no patch to prioritize and no signal of use until it is too late.
Zero-day exploits create a blind spot for threat intelligence teams, one that threat actors trading vulnerabilities on dark web forums and marketplaces can abuse. This forces intelligence teams to take a proactive approach and closely monitor chatter in order to identify rising threats and stay ahead of adversaries.
With zero-days, where the element of surprise is a key factor in their effectiveness, tracking early signs and mentions is the key to staying ahead.
The real-world effect of zero-day exploits
One of the biggest uses of a zero-day vulnerability in the past year was the exploitation of the MOVEit file transfer service. In 2023, attackers exploited a previously unknown software vulnerability, which granted access to the data of over 2,700 organizations using MOVEit in their supply chain, including government entities and large corporations.
This led to almost 100 million individuals having their credentials stolen and sold across the dark web. The breach cost the companies billions of dollars in remediation and lawsuits, as well as severe reputational damage.
A screenshot from Lunar, our dark web monitoring platform, showing the publication of leaked credentials stolen due to the MOVEit exploitation.
How to hunt for zero-days on the dark web
Given the dire consequences of a zero-day exploitation, it is clear that serious steps must be taken to monitor and detect zero-days as quickly and conveniently as possible. Using Lunar, our dark web monitoring tool, you can run several smart, filtered searches to get the most relevant results regarding your technologies or actors of interest, in order to mitigate threats and prioritize the most urgent patches to your systems.
Technology-based searches
By using a variety of keywords that target your designated systems, you can easily monitor any mention of zero-day vulnerabilities affecting your infrastructure and mitigate the risk before it is too late.
For example, on March 4th, 2025, three zero-day vulnerabilities affecting several VMware products were disclosed on the popular dark web forum Exploit. These vulnerabilities, known today as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, were confirmed to have been exploited by actors to gain administrative control over the systems and potentially full control of the server, affecting over 35 thousand servers.
When querying for the product on Lunar, we found a post on Exploit from February 24th, 2025, more than a week before the disclosure, offering a zero-day exploit allowing an “escape from guest to host”.
This exploit post discusses the VMware vulnerability.
Website-based searches
For broader search and monitoring, you can query based on specific sites or sections related to the trade of zero-day vulnerabilities. Many websites, such as XSS, RAMP and Exploit, have sections dedicated to buying and selling software exploits and vulnerabilities. In addition, there are dark web forums, such as 0day.today, dedicated specifically to the trade of these exploits.
By querying for specific sections, websites and threads, you can get a general overview of the landscape and of the discussion around potential vulnerabilities, and detect risks and their severity.
A screenshot from Lunar displaying the distribution of content from each website and the amount of posts over time.
Leveraging the dark web to improve prioritization
Simply monitoring for threats is not enough; you must use what you find to prioritize mitigation. When a zero-day is actively discussed on the dark web, it is a clear sign of an immediate threat.
By tracking such discussions across various forums, marketplaces, and Telegram channels, you can identify in real time which vulnerabilities are being weaponized by threat actors. This allows you to prioritize patching based on the actual risk of exploitation.
Monitoring the dark web offers security teams valuable insight into technical threat details and, at times, access to proof-of-concept code. This intelligence enables them to prepare effective defenses and mitigate risks before an attack can be successfully carried out.
But why stop at monitoring when Lunar can alert you automatically?
While manual research and monitoring remain essential, staying one step ahead is critical. With Lunar’s alert feature, you can schedule targeted queries at defined intervals and receive precise, real-time notifications with minimal false positives. This proactive approach enables earlier threat detection and timely risk mitigation, before adversaries can exploit vulnerabilities against your organization.
A Lunar alert set up for zero-day mentions for a desired system
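The three workflows above (keyword searches for your own technologies, prioritizing by exploit chatter, and scheduled alerts that do not re-fire on posts already seen) can be reduced to a small triage routine. The following is an added example written for this post; it is not Lunar's code or API. The watchlist, the regex term lists and the sample posts are all constructed for illustration, and the scoring tiers (`high`/`medium`/`low`) are an assumed convention, not a Lunar feature.

```python
"""Watchlist-based triage of dark web posts (constructed example, not Lunar's code)."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical watchlist: the technologies in our own environment, keyed by a display name.
WATCHLIST = {
    "VMware": ["vmware", "esxi", "vcenter"],
    "MOVEit": ["moveit"],
}

# Phrases that suggest an unpatched or freshly weaponized bug is being offered or discussed.
ZERO_DAY_TERMS = [r"\b0[- ]?day\b", r"\bzero[- ]?day\b", r"\bunpatched\b", r"\bno (?:cve|patch)\b"]
# Impact phrases; together with a watched product they raise the urgency of a post.
IMPACT_TERMS = [
    r"\bguest[- ]to[- ]host\b", r"\bescape from guest\b", r"\brce\b",
    r"\bremote code execution\b", r"\bprivilege escalation\b",
    r"\badmin(?:istrative)? (?:access|control)\b",
]


@dataclass(frozen=True)
class Post:
    source: str   # forum, marketplace or channel the post was collected from
    posted: date
    text: str


@dataclass(frozen=True)
class Finding:
    post: Post
    technologies: tuple[str, ...]
    zero_day: bool
    impact: bool
    priority: str  # "high", "medium" or "low"


def _matches_any(patterns: list[str], text: str) -> bool:
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)


def assess(post: Post, watchlist: dict[str, list[str]] = WATCHLIST) -> Optional[Finding]:
    """Return a Finding if the post mentions a watched technology or a zero-day marker."""
    techs = tuple(
        name for name, keywords in watchlist.items()
        if _matches_any([rf"\b{re.escape(k)}\b" for k in keywords], post.text)
    )
    zero_day = _matches_any(ZERO_DAY_TERMS, post.text)
    impact = _matches_any(IMPACT_TERMS, post.text)
    if not techs and not zero_day:
        return None
    if techs and (zero_day or impact):
        priority = "high"      # our product plus an exploit signal: patch-priority candidate
    elif techs:
        priority = "medium"    # our product mentioned, no exploit signal yet
    else:
        priority = "low"       # zero-day chatter about something we do not run
    return Finding(post, techs, zero_day, impact, priority)


_RANK = {"high": 0, "medium": 1, "low": 2}


def prioritize(posts: list[Post], watchlist: dict[str, list[str]] = WATCHLIST) -> list[Finding]:
    """Rank findings: highest priority first, newest post first within a tier."""
    findings = [f for f in (assess(p, watchlist) for p in posts) if f is not None]
    return sorted(findings, key=lambda f: (_RANK[f.priority], -f.post.posted.toordinal()))


def fingerprint(post: Post) -> str:
    """Stable id for a post so a scheduled run does not re-alert on text already seen."""
    normalised = re.sub(r"\s+", " ", post.text.strip().lower())
    return hashlib.sha256(f"{post.source}|{normalised}".encode()).hexdigest()


def new_findings(findings: list[Finding], seen: set[str]) -> list[Finding]:
    """Return only findings not alerted on before, recording them in `seen`."""
    fresh = []
    for f in findings:
        fp = fingerprint(f.post)
        if fp not in seen:
            seen.add(fp)
            fresh.append(f)
    return fresh


# Constructed sample posts; the wording is invented for this example.
SAMPLE_POSTS = [
    Post("Exploit", date(2025, 2, 24), "Selling 0day for VMware ESXi, escape from guest to host. Escrow accepted."),
    Post("XSS", date(2025, 3, 1), "Need a list of companies running MOVEit Transfer, paying well."),
    Post("RAMP", date(2025, 2, 28), "Unpatched bug in a small PHP forum engine, PM for details."),
    Post("Telegram", date(2025, 3, 2), "Cheap licence keys for office software, DM me."),
]

if __name__ == "__main__":
    seen: set[str] = set()
    for f in new_findings(prioritize(SAMPLE_POSTS), seen):
        print(f"[{f.priority}] {f.post.posted} {f.post.source}: {f.technologies} "
              f"zero_day={f.zero_day} impact={f.impact}")
```

Run on the sample posts, the Exploit post (watched product plus both a zero-day marker and an impact phrase) lands in the `high` tier, the MOVEit mention without any exploit signal is `medium`, generic unpatched-bug chatter about software we do not run is `low`, and the licence-key spam produces no finding at all. Persisting the `seen` set between scheduled runs is what keeps repeated alerts on the same post from becoming noise; tighten `WATCHLIST` to exact product names rather than generic words to keep false positives down.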
Zero days aren’t going anywhere
Zero-day vulnerabilities have always been an unpredictable threat in cybersecurity. By monitoring the various dark web forums and marketplaces with Lunar’s features, your security team can gain a much needed edge in detecting, prioritizing, patching and mitigating potential exploitations.
From targeted queries around specific technologies or domains to automated alerts and event tracking, proactive dark web intelligence transforms threat monitoring into a powerful strategy for reducing exposure and preventing attacks.