
The Underground Market for Zero-Day Exploits: Who’s Buying & Selling?

SWARNALI GHOSH | DATE: JANUARY 05, 2026


Introduction

 

If a software flaw is an unlocked car door, a zero-day exploit is the thief's master key. By 2026 that thief rarely works alone: he is one member of an industrialised locksmith factory that cuts the key and ships it around the globe within hours of locating the lock.

 

The stakes for the modern C-Suite have never been higher. We’ve moved past the era where unpatched vulnerabilities were merely tools for elite espionage. Today, they are the primary currency of a sophisticated shadow economy that targets the very heart of corporate infrastructure. At IronQlad, we’re seeing a fundamental shift in how these threats are bought, sold, and weaponized, forcing a total rethink of the traditional "patch and pray" defensive model.

 

The $7 Million Bounty: A Market in Overdrive

 

The commercial market for zero-days has exploded, fueled by a bidding war between nation-states and well-funded criminal syndicates. This isn't just about small-time bounties anymore; it’s a high-stakes auction where the house always wins.

 

Crowdfense's publicly available Exploit Acquisition Program price list puts full zero-click iOS exploit chains at up to $5 million to $7 million and full zero-click Android chains at up to $5 million. Independent broker price lists have at times shown Android exploits commanding higher payouts than their iOS equivalents, reflecting supply and demand in specific market segments.


As exploitable Local Privilege Escalation (LPE) flaws become harder to find, the market value of those rare keys rises sharply.

 

While basic PII (Personally Identifiable Information) remains a cheap commodity on illicit forums, often selling for less than $15, the real money is in the "keys to the kingdom." High-privilege corporate access, such as Domain or Cloud Admin credentials sold by Initial Access Brokers (IABs), can easily fetch tens of thousands of dollars.

 

From Discovery to Disaster: The Velocity of 2026


If there’s one metric that should keep a CTO up at night, it’s the "Time to Exploit." The window of opportunity for defenders has effectively collapsed.

 

In previous years, IT teams might have had weeks to test and roll out a patch. Recent threat intelligence reporting shows that the window between public disclosure of a vulnerability and its exploitation in the wild keeps shrinking. Vulnerability exploitation trend reports put the average time-to-exploit at around 63 days in 2018–2019 and roughly 32 days in 2021–2022, falling to a matter of days in more recent cycles, with a substantial proportion of vulnerabilities exploited within weeks or even days of disclosure. Automated tooling and shared exploit code drive the faster turnaround, compressing defenders' remediation window significantly.

 

What’s driving this hyper-speed? Two factors:

 

AI-Assisted Vulnerability Research: Criminals are using AI to automate fuzzing and proof-of-concept generation. Weaponising a high-value vulnerability once required advanced expertise; that barrier has dropped to within reach of mid-tier attackers.

 

The Dwell Time Paradox: Initial compromise now takes minutes, yet dwell time, how long an actor stays inside your network, can still stretch to months for patient operators. They get in fast, then go quiet to extract maximum value.

 

Why Your Edge Devices Are the New Ground Zero

 

Attackers have largely moved on from the "low-hanging fruit" of desktops and browsers. Instead, they are climbing the enterprise tree to target the infrastructure itself.

 

According to Google Threat Intelligence Group (GTIG) reporting, 44% of zero-day vulnerabilities exploited in the wild in 2024 affected enterprise technologies, up from about 37% in 2023, reflecting a growing focus on enterprise and security products. Within that, we are seeing a relentless focus on edge devices: VPNs, firewalls, and routers.

 

These networking appliances are the "perfect" targets for three reasons:

  1. They often cannot run standard monitoring tools such as Endpoint Detection and Response (EDR) agents.

  2. They run with high-level system permissions.

  3. They serve as the ultimate stealthy foothold for lateral movement.

 

Names like Ivanti, Palo Alto Networks, and Cisco are frequently at the top of the target list. For our clients at IronQlad, we emphasise that securing the perimeter is no longer about a wall; it’s about monitoring the gate itself for every second of the day.

 

The Commercial Spyware Factor

 

We also have to talk about the "middlemen": Commercial Surveillance Vendors (CSVs). These are private companies, like the NSO Group or Intellexa Consortium, that develop turnkey spyware solutions.

Google’s Threat Analysis Group reported that commercial spyware vendors were behind approximately 75% of known zero-day exploits targeting Google products and the Android ecosystem in its tracked dataset, illustrating how prominent these entities are in zero-day exploitation.

Even more concerning is the investment gap. Despite tough talk from policymakers, 2024 saw an increase in US-based investors funding these spyware entities. This creates a dangerous disparity between government enforcement and the actual flow of capital into the exploit market.

 

Beyond Patching: The Proactive Containment Model

 

Here’s the hard truth: a security model based solely on periodic patching cannot keep up with a 2026 adversary. If your defence relies on being faster than an AI-automated exploit factory, you’ve already lost the race.

So, how do we fight back? At IronQlad, we advocate for a proactive containment model rooted in Zero Trust. It’s about assuming the breach has already happened or will happen within the next five days.

 

Strict Least Privilege and Segmentation: If a zero-day hits a user's machine, that exploit should die there. Least-privilege accounts and robust network segmentation ensure the "master key" can’t open every door in the building.

 

Behavioural Detection: Because attackers operate with legitimate-looking credentials, we have to look for anomalous movement rather than only known signatures.

 

Continuous Security Practices: The "patch Tuesday" mentality is dead. Security must be an always-on, continuous practice integrated into the fabric of your business intelligence and cloud computing strategy.
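The behavioural checks described above, and the "monitor the gate itself" point from the edge-device section, as an added example that is not IronQlad's code or tooling: it builds a per-account baseline from a learning period of constructed VPN-appliance logs, then flags logins from unseen sources, logins at unusual hours, logins by accounts with no baseline, and lateral-movement fan-out (one source reaching many distinct internal hosts inside a short window). The log format, account names, addresses and thresholds are all assumptions made for the illustration.

```python
"""Behaviour-based detection over constructed VPN/edge-appliance logs.

Not a product or vendor implementation; the log format (ISO timestamp,
account, source, destination, action) and every value below are assumptions
made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed learning-period logs (not real data): what "normal" looks like.
BASELINE_LOGS = [
    "2025-12-01T09:02:00 admin.jsmith 203.0.113.10 vpn-gw vpn_login",
    "2025-12-02T10:15:00 admin.jsmith 203.0.113.10 vpn-gw vpn_login",
    "2025-12-03T14:40:00 admin.jsmith 203.0.113.10 vpn-gw vpn_login",
    "2025-12-01T02:00:00 svc.backup 198.51.100.5 vpn-gw vpn_login",
    "2025-12-02T02:01:00 svc.backup 198.51.100.5 vpn-gw vpn_login",
]

# Constructed logs for the day under review: one admin account logs in from a
# new address at 03:41, then fans out to six internal hosts in five minutes.
NEW_LOGS = [
    "2026-01-05T02:05:00 svc.backup 198.51.100.5 vpn-gw vpn_login",
    "2026-01-05T03:41:00 admin.jsmith 198.51.100.77 vpn-gw vpn_login",
    "2026-01-05T03:43:00 admin.jsmith 10.8.0.23 10.0.1.11 smb",
    "2026-01-05T03:44:00 admin.jsmith 10.8.0.23 10.0.1.12 smb",
    "2026-01-05T03:45:00 admin.jsmith 10.8.0.23 10.0.1.13 rdp",
    "2026-01-05T03:46:00 admin.jsmith 10.8.0.23 10.0.1.14 smb",
    "2026-01-05T03:47:00 admin.jsmith 10.8.0.23 10.0.1.15 smb",
    "2026-01-05T03:48:00 admin.jsmith 10.8.0.23 10.0.1.16 smb",
    "2026-01-05T09:12:00 admin.jsmith 203.0.113.10 vpn-gw vpn_login",
    "2026-01-05T11:00:00 helpdesk-temp 192.0.2.44 vpn-gw vpn_login",
]

# Actions treated as lateral movement between internal hosts (assumed labels).
LATERAL_ACTIONS = {"smb", "rdp", "ssh", "winrm"}


def parse(line):
    """Split one constructed log line into a dict; timestamps are ISO 8601."""
    ts, user, src, dst, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": src, "dst": dst, "action": action}


def build_baseline(lines):
    """Per-account profile: source addresses and login hours seen during learning."""
    profile = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for e in map(parse, lines):
        if e["action"] == "vpn_login":
            profile[e["user"]]["srcs"].add(e["src"])
            profile[e["user"]]["hours"].add(e["ts"].hour)
    return dict(profile)


def detect(lines, profile, fanout_threshold=5, window=timedelta(minutes=10)):
    """Return alerts as (kind, subject, detail, timestamp) tuples in time order.

    No signatures are involved: every alert is a deviation from the baseline
    or a volume pattern (fan-out) that a legitimate admin rarely produces.
    """
    alerts = []
    recent_targets = defaultdict(list)   # src -> [(ts, dst)] for lateral actions
    fanout_alerted = set()               # alert once per source, not per event
    for e in sorted(map(parse, lines), key=lambda ev: ev["ts"]):
        stamp = e["ts"].isoformat()
        if e["action"] == "vpn_login":
            p = profile.get(e["user"])
            if p is None:
                alerts.append(("unknown_account", e["user"], e["src"], stamp))
                continue
            if e["src"] not in p["srcs"]:
                alerts.append(("new_source", e["user"], e["src"], stamp))
            if e["ts"].hour not in p["hours"]:
                alerts.append(("off_hours", e["user"], e["ts"].hour, stamp))
        elif e["action"] in LATERAL_ACTIONS:
            hist = recent_targets[e["src"]]
            hist.append((e["ts"], e["dst"]))
            # keep only events inside the sliding window
            hist[:] = [(t, d) for t, d in hist if e["ts"] - t <= window]
            distinct = {d for _, d in hist}
            if len(distinct) >= fanout_threshold and e["src"] not in fanout_alerted:
                fanout_alerted.add(e["src"])
                alerts.append(("lateral_fanout", e["src"], len(distinct), stamp))
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_LOGS, build_baseline(BASELINE_LOGS)):
        print(alert)
```

Run against the constructed day, the script raises four alerts: a new source and an off-hours login for admin.jsmith at 03:41, a lateral fan-out alert from 10.8.0.23 once the fifth distinct internal host is touched, and an unknown-account login for helpdesk-temp; replaying the baseline itself produces none. The hour-set check is deliberately crude: a production baseline would cover a longer learning period, use per-account distributions with some tolerance, and correlate with MFA and device-posture signals from the appliance rather than a single log stream.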

 

The global community is starting to take notice. In April 2025, at a Pall Mall Process conference organised by France and the United Kingdom, a voluntary Code of Practice for States on commercial cyber intrusion capabilities was adopted, with initial backing from about 25 states and organisations, to tackle irresponsible use of these commercial cyber tools. The Code focuses on principles of accountability, precision, oversight and transparency to guide the responsible development, facilitation, purchase, transfer and use of such tools. It’s a start, but policy moves at the speed of bureaucracy, while exploits move at the speed of fibre optics.

 

What’s interesting is that while the technology changes, the solution remains human-centric. It’s about strategy, foresight, and a partner who understands that cybersecurity isn't a product you buy; it’s a posture you maintain.

 

KEY TAKEAWAYS

 

Demand for Mobile Exploit Chains Is Growing Rapidly: Prices for full exploit chains against Android and iOS have reached $5 million to $7 million, with demand driven primarily by nation-state actors.

 

The "Window of Opportunity" Has Closed: The average time between vulnerability disclosure and in-the-wild exploitation has dropped to around 5 days, making periodic patching alone an ineffective defence for enterprise systems.

 

Attackers' New Focus Is Edge Infrastructure: 44% of exploited zero-days now target enterprise technologies, e.g. VPN gateways and firewalls, which often cannot run EDR-style detection and prevention agents.

 

Zero Trust Has Become a Necessity: Security leaders must adopt a containment-first strategy built on behaviour-based detection coupled with a network segmentation model.
