The Pwn2Own Berlin 2026 hacking contest has concluded, with security researchers collecting $1,298,250 in rewards after exploiting 47 zero-day flaws.
The competition took place at the OffensiveCon conference from May 14 to May 16 and focused on enterprise technologies and artificial intelligence.
Throughout the contest, the hackers targeted fully patched products across web browsers, enterprise applications, local privilege escalation, servers, local inference, cloud-native/container environments, virtualization, and LLM categories.
Competitors collected $523,000 in cash awards on the first day for 24 unique zero-days, and another $385,750 on the second day for exploiting 15 zero-days. On the third day of Pwn2Own, they earned another $389,500 for eight more zero-days.
DEVCORE won this year’s edition of Pwn2Own Berlin with 50.5 Master of Pwn points and $505,000 in rewards throughout the three-day contest after hacking Microsoft SharePoint, Microsoft Exchange, Microsoft Edge, and Windows 11, followed by STARLabs SG with $242,500 (25 points) and Out Of Bounds with $95,750 (12.75 points).
The competition’s highest reward was $200,000, awarded to Cheng-Da Tsai (also known as Orange Tsai) of the DEVCORE Research Team after chaining three bugs to gain remote code execution with SYSTEM privileges on Microsoft Exchange.
On the first day, Orange Tsai earned another $175,000 for a Microsoft Edge sandbox escape chaining 4 logic bugs, Windows 11 was hacked 3 times, and Valentina Palmiotti (chompie) of IBM X-Force Offensive Research collected $70,000 for rooting Red Hat Linux for Workstations and an NVIDIA Container Toolkit zero-day.
On the second day, the hackers demonstrated another Windows 11 local privilege escalation vulnerability, a root-privilege escalation vulnerability in Red Hat Enterprise Linux for Workstations, and zero-days in multiple AI coding agents.
On the third and final day of the contest, the competitors hacked Windows 11 and Red Hat Enterprise Linux for Workstations again, and used a memory corruption bug to exploit VMware ESXi.
After Pwn2Own ends, vendors have 90 days to release security patches before TrendMicro’s Zero Day Initiative (ZDI) publicly discloses them.
During last year’s Pwn2Own Berlin contest, won by the STAR Labs SG team, ZDI awarded 1,078,750 for 29 zero-day flaws and some bug collisions.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
You must be logged in to post a comment Login