Stuxnet's Four Zero-Days: The Most Expensive Zero-Day Stockpile Ever Deployed

Stuxnet used four simultaneous Windows zero-day vulnerabilities — an unprecedented investment — to ensure it could spread through air-gapped networks to reach its target: Iranian uranium enrichment centrifuges.

Microsoft Windows / Iran · 2010

Background

Zero-day vulnerabilities are valuable because they work until patched. Nations and criminal groups typically use them sparingly to preserve their value. Stuxnet's deployment of four simultaneous Windows zero-days was unprecedented and demonstrated extraordinary resource investment — each zero-day in a high-value target like Windows is worth millions on the market.

The Attack

Stuxnet's four zero-days served different functions in its spread:

  1. CVE-2010-2568: Windows Shell LNK shortcut vulnerability (spreads via USB drives)
  2. CVE-2010-2772: Windows Task Scheduler privilege escalation
  3. CVE-2010-2729: Windows Print Spooler remote code execution (spreads via network printers)
  4. CVE-2010-2568: Windows Server Service vulnerability

Together, they allowed Stuxnet to spread via USB, printers, and network shares, escalate privileges, and install itself, all without requiring any user action beyond inserting an infected USB drive. The combination ensured the worm could traverse multiple air-gap-crossing vectors.

Response

Microsoft patched all four zero-days between July and October 2010 as each was discovered. The LNK shortcut vulnerability was particularly significant — it affected all Windows versions and was used independently by other malware for years afterward. The simultaneous use of four zero-days confirmed to the security community that only a nation-state could afford such an operation.

Outcome

The four zero-days in Stuxnet established the "zero-day budget" as a proxy for nation-state capability. Governments began formally discussing the Vulnerabilities Equities Process — the decision about whether to disclose discovered vulnerabilities to vendors or retain them for offensive use.

Key Takeaways

  1. Organisations with genuinely air-gapped systems must control USB device usage and physically inspect media
  2. The number of zero-days an attacker is willing to spend indicates the value of the target — be aware of your strategic importance
  3. LNK files from untrusted sources should never be executed — the Stuxnet LNK vulnerability was exploited for years after patching
  4. Zero-day discovery and retention by intelligence agencies creates risks when those tools are stolen or leaked
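
The first and third takeaways (control removable media, never open LNK files from untrusted sources) call for a check an operator can actually run before a USB drive is used on an isolated host. The following is an added example, not code from the original article or from any Stuxnet analysis: a small Python inspector that parses the fixed header and StringData of a Windows shortcut file (the MS-SHLLINK format) and flags shortcuts that launch a script host, load their icon from a library file outside the Windows directory, or carry no target at all. The three heuristics, the function names (`parse_lnk`, `assess`, `scan_directory`, `build_lnk`) and the sample shortcuts are all constructed for this example.

```python
"""Inspect Windows shortcut (.lnk) files before anyone on an air-gapped host
opens them. Added example, not code from the original article: it parses the
ShellLinkHeader and StringData of the MS-SHLLINK format and applies a few
constructed heuristics (assumptions, see assess()) to decide whether a
shortcut deserves a closer look. Sample shortcuts are built inline."""
import struct
import uuid
from dataclasses import dataclass
from pathlib import Path

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")

# LinkFlags bits (MS-SHLLINK section 2.1.1); only the ones used here.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80

# Heuristics are constructed assumptions for this example, not the article's
# rules: a document shortcut should not launch a script host, and a shortcut's
# icon should normally come from a library under the Windows directory.
SCRIPT_HOSTS = ("cmd.exe", "powershell", "wscript", "cscript", "mshta", "rundll32")
LIBRARY_SUFFIXES = (".dll", ".cpl")
WINDOWS_DIR_PREFIXES = ("%systemroot%", "c:\\windows")


@dataclass
class ShellLink:
    flags: int
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""


def parse_lnk(data: bytes) -> ShellLink:
    """Parse the fixed header, skip IDList/LinkInfo, and read StringData."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size = struct.unpack_from("<I", data, 0)[0]
    if header_size != LNK_HEADER_SIZE or uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("missing ShellLinkHeader signature")
    flags = struct.unpack_from("<I", data, 20)[0]
    link = ShellLink(flags=flags)
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # u16 size, then that many bytes
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # u32 size that includes the size field itself
        off += struct.unpack_from("<I", data, off)[0]

    def read_string() -> str:
        # StringData item: u16 character count, then the characters
        # (UTF-16LE when IsUnicode is set, otherwise the ANSI code page).
        nonlocal off
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        off += count * width
        return raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")

    for bit, attr in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            setattr(link, attr, read_string())
    return link


def assess(link: ShellLink) -> list[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    launch = f"{link.relative_path} {link.arguments}".lower()
    if any(host in launch for host in SCRIPT_HOSTS):
        findings.append(f"launches a script host: {launch.strip()}")
    icon = link.icon_location.lower().replace("/", "\\")
    if icon.endswith(LIBRARY_SUFFIXES) and not icon.startswith(WINDOWS_DIR_PREFIXES):
        findings.append(f"icon comes from a library outside the Windows directory: {link.icon_location}")
    if not link.flags & (HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO | HAS_RELATIVE_PATH):
        findings.append("no target path or ID list: nothing for a user to legitimately open")
    return findings


def build_lnk(relative_path="", working_dir="", arguments="", icon_location="") -> bytes:
    """Build a minimal Unicode shortcut carrying only StringData (constructed sample)."""
    flags, strings = IS_UNICODE, []
    for bit, value in ((HAS_RELATIVE_PATH, relative_path), (HAS_WORKING_DIR, working_dir),
                       (HAS_ARGUMENTS, arguments), (HAS_ICON_LOCATION, icon_location)):
        if value:
            flags |= bit
            strings.append(value)
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le
    # LinkFlags, FileAttributes, three FILETIMEs, FileSize, IconIndex,
    # ShowCommand=SW_SHOWNORMAL, HotKey, Reserved1..3
    header += struct.pack("<IIQQQIIIHHII", flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in strings)


def scan_directory(root: Path) -> dict[str, list[str]]:
    """Report findings for every .lnk under root, e.g. a freshly mounted USB drive."""
    report = {}
    for path in sorted(root.rglob("*.lnk")):
        try:
            report[str(path)] = assess(parse_lnk(path.read_bytes()))
        except ValueError as exc:
            report[str(path)] = [f"unparseable: {exc}"]
    return report


if __name__ == "__main__":
    # Constructed samples: a benign document shortcut and a suspicious one.
    samples = {
        "Report.lnk": build_lnk(relative_path="..\\docs\\Report.docx",
                                icon_location="%SystemRoot%\\system32\\shell32.dll"),
        "Photos.lnk": build_lnk(relative_path="..\\..\\Windows\\System32\\cmd.exe",
                                arguments="/c setup.bat", icon_location="tools.dll"),
    }
    for name, blob in samples.items():
        print(name, assess(parse_lnk(blob)) or ["ok"])
```

`scan_directory` is the entry point for a mounted drive; the bytes-based `parse_lnk` and `assess` are what you would wire into a media-inspection station or a mail gateway. The parser deliberately stops after StringData and ignores ExtraData blocks, which keeps it tolerant of truncated files while still surfacing the fields a reviewer needs to see before deciding whether to allow the media onto the isolated network.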

Tags: Stuxnet, four zero-days, LNK exploit, air-gap, Windows