High Impact Exchange Exploit Dominates Day Two
Pwn2Own Berlin 2026 continued with a second day of high profile security demonstrations, as researchers unveiled critical zero day vulnerabilities in enterprise software, operating systems, and an AI powered coding platform. The most significant achievement came from Orange Tsai of DEVCORE, who combined three separate flaws to achieve remote code execution with SYSTEM privileges on Microsoft Exchange. This full chain attack earned the team $200,000 and 20 Master of Pwn points, making it the highest payout of the contest so far. Such an exploit is particularly dangerous because Exchange servers often form the backbone of corporate communications, providing attackers with a conduit for espionage, lateral movement, and data theft.
Operating System and AI Tool Vulnerabilities
Operating system weaknesses also drew attention on day two. A researcher successfully exploited an integer overflow bug in Windows 11 to gain elevated privileges, earning $7,500. On the Linux front, a use after free flaw in Red Hat Enterprise Linux allowed another team to escalate privileges, highlighting persistent memory safety challenges in core systems. AI and developer focused tools emerged as significant targets this year. The Cursor IDE was exploited twice by different teams, confirming multiple vulnerabilities in the popular coding assistant. Security researchers are also increasingly focusing on endpoint security products, with flaws exposed in Avast, Kaspersky, and Bitdefender antivirus suites, as well as the VMware ESXi hypervisor. Day two added $385,750 in rewards for 15 new zero day vulnerabilities, bringing the two day total to $908,750 and 39 unique bugs discovered.
Source: Cyber Security News
