Pwn2Own Berlin 2026 paid out over $908,000 across 39 zero-days in two days, with Microsoft Exchange and Windows 11 among the most notable targets.
Berlin, Germany – The 19th edition of Pwn2Own is wrapping up today at the OffensiveCon conference, and the numbers are nothing short of staggering. Over two confirmed days of elite exploitation, security researchers have collected more than $908,000 in prize money after demonstrating 39 unique zero-day vulnerabilities across a who’s‑who of enterprise and consumer software – including Windows 11, Microsoft Exchange, Microsoft Edge, Red Hat Enterprise Linux, NVIDIA infrastructure, and a growing list of AI platforms. With Day 3 results still to be announced, the final tally could easily break the million‑dollar mark.
The event, run by the Zero Day Initiative, has become the Super Bowl of offensive security research. This year’s Berlin edition, held alongside OffensiveCon, saw a level of creativity and firepower that even veteran organizers called “unprecedented.”
Day 1 – Edge Falls, Windows 11 Hacked Three Times
The opening day paid out $175,000 for a single demonstration – the highest single payout of Day 1.
Windows 11 didn't fare much better: three independent researchers each took home $70,000 for compromising it. Two further exploits also landed on Day 1 – one targeting the NVIDIA Container Toolkit and another aimed at Red Hat Enterprise Linux.
But the real story of Day 1 was the AI category. In a sign of the times, researchers toppled a whole stack of machine‑learning platforms, including:
- LiteLLM
- OpenAI Codex
- NVIDIA Megatron Bridge
- Chroma (the vector database)
- LM Studio
Not a single AI tool survived the first day unscathed. “Attackers are already pivoting to AI infrastructure,” said one attending researcher. “Pwn2Own just proved how easy it still is.”
Day 2 – Microsoft Exchange Compromised for $200,000
If Day 1 was impressive, Day 2 was historic. The second day paid out $385,750 across 15 zero‑days, but one exploit towered above the rest.
Orange Tsai returned to the stage – and this time, he wasn’t playing around. Chaining three bugs together, Tsai achieved remote code execution with SYSTEM privileges on a fully patched Microsoft Exchange Server. The exploit earned him a whopping $200,000, making it the single highest‑earning demonstration of the entire competition so far.
“Seeing an Exchange chain of that quality in 2026 is rare,” said Dustin Childs of the Zero Day Initiative. “Most researchers have moved on, but Orange Tsai proved that deep logic bugs still lurk in even the most hardened enterprise software.”
Windows 11 was hacked again on Day 2 – the fourth successful privilege‑escalation attack against Microsoft’s OS over the two days. The Cursor AI coding agent also fell, and OpenAI Codex was targeted for a second time by a different researcher, highlighting just how attractive AI attack surfaces have become.
By the end of Day 2, the total stood at 39 zero‑days and $908,750. With Day 3 still in progress (and rumors of at least one more VMware or Linux kernel exploit in the pipeline), the final numbers are almost certain to climb higher.
Capacity Packed – 150 Researchers Turned Away
For the first time in Pwn2Own’s 19‑year history, the event hit maximum capacity. Over 150 researchers were turned away due to strict scheduling limits – a testament to the booming interest in offensive security and live bug‑hunting competitions.
Some of those rejected didn’t wait for next year. According to multiple sources, several researchers chose to drop their zero‑days publicly rather than hold onto them for Pwn2Own 2027. That could spell trouble for vendors who might have preferred a coordinated disclosure.
As always, all vendors now have 90 days from disclosure to patch the flaws demonstrated in Berlin. The Zero Day Initiative will publish full technical details after that window closes – or earlier if a patch is released sooner.
The Bigger Picture: AI‑Written Exploits Are Already Here
The timing of this year’s Pwn2Own is especially striking given a recent development outside the competition. Earlier this month, Notebookcheck covered Google’s confirmation of the first AI‑developed zero‑day – in which an AI model wrote and deployed a functional exploit targeting a two‑factor authentication bypass in a widely used web administration tool.
That news sent ripples through the security community. If large language models can already discover and weaponize unknown vulnerabilities without human intervention, what does that mean for future Pwn2Own events? Some organizers are already discussing an “AI‑only” category for 2027, where human teams face off against autonomous models.
For now, though, human ingenuity still reigns. As one Day 2 winner put it: “AI can find bugs. But chaining four logic bugs to escape an Edge sandbox? That still takes a human soul – and a lot of coffee.”
What’s Next?
Day 3 of Pwn2Own Berlin 2026 is ongoing at OffensiveCon. Early whispers suggest additional exploits against Microsoft SharePoint, Ubuntu Desktop, and Tesla’s infotainment system may still be in the queue. Check back for final results and a full breakdown of all 40+ zero‑days once the competition concludes.
For complete archives of every successful exploit, visit the Zero Day Initiative. For minute‑by‑minute updates from the conference floor, follow BleepingComputer’s live coverage.
– Reported from Berlin, with additional context from OffensiveCon.
