What type of attack takes advantage of vulnerabilities that are not yet known and therefore lack patches?

Zero-day attacks are malicious exploits that target vulnerabilities in software or hardware that are not yet known to the vendor or developer. Because these vulnerabilities are not yet recognized, no patches or fixes are available at the time of the attack, leaving systems exposed and susceptible to exploitation. This makes zero-day attacks particularly dangerous, as they can be used to compromise systems before any defenses can be implemented.

In contrast, other types of attacks, such as SQL injection or directory traversal, involve known vulnerabilities that have been documented and typically have established mitigation strategies and patches. Therefore, they do not capture the essence of exploiting unknown vulnerabilities; that is the defining characteristic of zero-day attacks.