Its an exploit that hasnt been publically disclosed.

Software can have “vulnerabilities”, which are bugs in them that we can use to develop an “exploit”, which is an application that takes advantage of the vulnerability in such a way to let us compromise the system.

If a vuln is publically known, the devloper can patch it so that the program isnt vulnerable anymore. If my exploit payload is publically known, you can analyze how it works and write rulesets for things like antivirus or IDS systems to detect and mitigate it.

If its not publically known, youve had no time to prepare your systems for my attack, and so youll be defenseless. Im attacking you on “day 0” of this vuln being publically disclosed…because my attack *is* the disclosure.