There are basically two ways someone can get unauthorized access to a system or network: get a would-be victim to do something that grants them access or lets them in, or exploit a software vulnerability or weakness.
The first method is the most common: scamming users into giving up their passwords, running malware attached to emails, downloading & running malicious software, visiting a malicious web site, or visiting a site that's been compromised or features malvertising, & so on.
The second relies on exploiting vulnerabilities to get around security features &/or measures. Vulnerabilities are present when the system &/or network is set up improperly, &/or when security-related hot fixes or patches aren't applied. One security company reported that about 3/4 of the systems that were compromised had not had security patches applied. That makes sense -- most often when a security-related patch is released, it's accompanied by documentation of the vulnerability that's been fixed, often along with proof-of-concept code, and together they make a nice tutorial for cybercriminals. [It's also why software companies are so fond of automatic updates, vs. relying on users to check for & apply them.]
But there's another category of vulnerabilities: those that hardly anyone knows about, and consequently there aren't any patches available. These are the so-called Zero Days, and they're more often used by more elite cybercriminals & spies, often working for a nation-state, often only against highly targeted systems &/or networks. There are companies & government agencies that work on developing these cyber weapons [the recent Wikileaks release says there are thousands of people working on Zero Days & related for the CIA], and pragmatically, arms dealers too.
Their very nature means that getting your hands on a collection of Zero Days is both difficult & expensive, though there have been a couple of publicized leaks from US intelligence agencies. One involved an archive of NSA tools that a group calling themselves the Shadow Brokers tried to sell. The second involves the recent Wikileaks release, where early reports say this very large trove of info [& computer code] was circulating among a group of ex-US gov workers, one of whom passed a portion of it to Wikileaks.
Whether either of those was involved or not, people at RAND managed to get their hands on a couple hundred Zero Days, which they analyzed. They also talked to several experts (Zero Day developers, brokers, etc.) and did a statistical analysis to provide some insight into the current Zero Day market [for lack of a better word]. The main highlights are interesting on their own, though if you want to take a deeper dive there's a PDF available for download that contains the book they published.
If nothing else, at a time when the public is debating how much access governments should have, when privacy advocates are pushing back hard, and when there's a discussion about how many of these Zero Days government agencies should report in order to better protect their citizens & industries, reading just the highlights might provide some useful context.
rand[.]org/pubs/research_reports/RR1751.html
Zero Days, Thousands of Nights
The Life and Times of Zero-Day Vulnerabilities and Their Exploits