Skip to content

Pwn2Own Berlin 2026: Microsoft Exchange and Windows 11 Hacked on Day Two

Key Points: Security researchers earn $385,750 at the Pwn2Own Berlin 2026 competition by disclosing 15 zero-day vulnerabilities in Windows 11 and Microsoft Exchange. The renowned hacking competition offers over one million dollars for successful exploits of fully patched systems.

On the second day of the Pwn2Own Berlin 2026 security competition, security researchers earn $385,750 by disclosing 15 zero-day vulnerabilities in Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux. The renowned competition offers over one million dollars for successful exploits.

During the second day of Pwn2Own Berlin 2026, security researchers demonstrated impressive hacking skills and earned a total of $385,750 by disclosing 15 unique zero-day vulnerabilities. The competition, held as part of the OffensiveCon conference from May 13–16, focuses on enterprise technologies and artificial intelligence.

All target devices run the latest operating system versions, and each successful entry requires full system compromise with arbitrary code execution. Vendors receive 90 days to patch their software and hardware after zero-days are disclosed at Pwn2Own.

The outstanding result on the second day came from Cheng-Da Tsai of the DEVCORE Research Team, who earned $200,000 by chaining three bugs to achieve remote code execution with SYSTEM privileges on Microsoft Exchange. Siyeon Wi received $78,350 for exploiting an integer overflow vulnerability to compromise Windows 11. Ben Koo of Team DDOS earned $10,220 through privilege escalation on Red Hat Enterprise Linux for Workstations.

In the AI category, Le Duc Anh Vu from Viettel Cyber Security hacked the Cursor AI Coding Agent for $22,226, while Sina Kheirkhah from Summoning Team demonstrated an OpenAI Codex vulnerability for $22,210. Compass Security received $75,032.50 for exploiting Cursor.

On the first day, Orange Tsai additionally earned $26,000 by chaining four logic bugs to bypass the Microsoft Edge sandbox. The third day targets Windows 11, VMware ESXi, Red Hat Enterprise Linux, Microsoft SharePoint, and various AI coding agents.

Share on: