The article does say that it became widely known only the day before the attack.
Day zero starts counting from the time where either the developers/maintainers of the system or the general public are informed about the vulnerability. If the vulnerability has been discussed in some private forums or exploited by a NSA for many years, it doesn't matter, it's still day zero until it goes public (or privately disclosed to, in this case, maintainers of PHP). And as the attack was something like ~24 hours after disclosure, it's close enough to call it a zero-day attack.
Day zero starts counting from the time where either the developers/maintainers of the system or the general public are informed about the vulnerability. If the vulnerability has been discussed in some private forums or exploited by a NSA for many years, it doesn't matter, it's still day zero until it goes public (or privately disclosed to, in this case, maintainers of PHP). And as the attack was something like ~24 hours after disclosure, it's close enough to call it a zero-day attack.