Often, companies will disclose application vulnerabilities along with the patches used to fix those vulnerabilities. A zero-day flaw is a vulnerability without an existing patch. Zero-day attacks use flaws not known to most people. Patches don’t exist likely because the maintainers of the software don’t know the vulnerability even existed. These vulnerabilities are traded on the darkweb for use by malicious actors.