Pwn2Own Berlin 2026 Uncovers 47 Zero-Day Vulnerabilities as Hackers Earn $1.29 Million

Security researchers exposed critical flaws across Microsoft, VMware, AI tools, and enterprise platforms during one of the world’s most important ethical hacking competitions.

Major Security Gaps Found in Enterprise Systems

Pwn2Own Berlin 2026 once again showed why enterprise cybersecurity needs constant attention. During the three-day hacking event held at OffensiveCon from May 14 to May 16, security researchers found and exploited 47 zero-day vulnerabilities. They earned a total of $1,298,250 in rewards.

This year, the contest focused on enterprise systems and artificial intelligence. Researchers tested fully patched products across web browsers, Microsoft Exchange, Microsoft SharePoint, Windows 11, VMware ESXi, Red Hat Enterprise Linux, container platforms, cloud-native systems, and AI coding tools.

These results prove that even updated systems can still contain serious security risks.

Hackers Earn Big Rewards for Critical Exploits

On the first day, participants earned $523,000 by finding 24 unique zero-day flaws. On the second day, they collected another $385,750 for 15 more vulnerabilities. The final day added $389,500 for eight more successful attacks.

DEVCORE became the top winner of the event. The team earned 50.5 Master of Pwn points and took home $505,000 in rewards. They successfully hacked Microsoft SharePoint, Microsoft Exchange, Microsoft Edge, and Windows 11.

Researcher Cheng-Da Tsai, also known as Orange Tsai, received the highest single reward of the contest. He earned $200,000 after chaining three bugs to achieve remote code execution with SYSTEM privileges on Microsoft Exchange.

He also earned another $175,000 for a Microsoft Edge sandbox escape using four logic flaws.

Windows, Linux, VMware, and AI Tools Targeted

Other researchers also showed successful attacks against Windows 11 and Red Hat Enterprise Linux. They discovered local privilege escalation flaws that could let an attacker with limited access gain higher privileges on the system.

VMware ESXi was also hacked using a memory corruption bug. In addition, NVIDIA Container Toolkit was successfully compromised during the competition.

One of the biggest highlights this year was the focus on AI security. Multiple AI coding agents were exploited, showing that artificial intelligence tools are becoming valuable targets for cybercriminals.

As more businesses adopt AI platforms, security teams must protect them just like traditional enterprise systems.

Why This Matters for CISOs and Security Teams

After the contest ends, affected vendors get 90 days to release security patches. After that, Trend Micro’s Zero Day Initiative will publicly disclose the vulnerabilities.

This creates a critical window for organizations. Security teams must track vendor advisories and apply updates quickly.

Pwn2Own is not just a hacking contest. It gives defenders an early warning about future cyber threats. For CISOs, it is a strong reminder that patch management, threat intelligence, and attack surface monitoring remain essential.

As cyber risks continue to grow, ethical hacking events like Pwn2Own help organizations prepare for what comes next.