Pwn2Own Berlin 2026 Day 2: Hackers Pocket $385,750 with 15 Zero-Day Exploits

On the second day of Pwn2Own Berlin 2026, a cybersecurity competition known for pushing the boundaries of vulnerability research, participants walked away with $385,750 in prizes. They achieved this by successfully demonstrating 15 unique zero-day exploits targeting major software, including Windows 11 and Red Hat Enterprise Linux. This article breaks down the event into key questions and detailed answers.

What Happened on Day 2 of Pwn2Own Berlin 2026?

During the second day, competitors exploited a total of 15 distinct zero-day vulnerabilities across multiple platforms. These vulnerabilities had not been previously disclosed to the vendors. The event is part of the larger Pwn2Own series, where security researchers compete to find and demonstrate real-world exploits. The day's successes highlighted weaknesses in operating systems, web browsers, and enterprise software, with participants earning a combined $385,750 in cash rewards.

How Much Money Was Awarded and to Whom?

The total prize money awarded on day two was $385,750. This sum was distributed among multiple teams and individual researchers based on the severity and complexity of their exploits. For instance, a single high-impact exploit against Windows 11 could net a team over $100,000. The exact breakdown wasn't fully disclosed, but the competition typically rewards both full chain exploits and individual bug demonstrations. The money comes from sponsors like Trend Micro's Zero Day Initiative, which organizes the event.

What Types of Zero-Day Vulnerabilities Were Exploited?

The 15 zero-day exploits covered a range of vulnerability types, including privilege escalation, remote code execution, and sandbox escapes. Many targeted the kernel of Windows 11 and Red Hat Enterprise Linux, while others focused on applications like web browsers or virtualization software. Each exploit was a previously unknown bug, meaning the vendors had no patch available at the time. The demonstrations proved that these flaws could be used to compromise systems fully, often requiring multiple steps to chain together different vulnerabilities.

Which Products Were Affected?

The affected products included Microsoft Windows 11 (various versions), Red Hat Enterprise Linux (RHEL) on both desktop and server configurations, as well as several third-party applications commonly found in enterprise environments. Specific mentions include Adobe Reader, Mozilla Firefox, and VMware Workstation. The competition focused on software that is widely used in corporate settings, emphasizing real-world risk. Each successful exploit forced the vendor to acknowledge the bug and begin working on a security update.

Who Were the Key Participants and Teams?

While individual names weren't all released, several well-known security research teams participated, including those from Chinese universities, European cybersecurity firms, and independent hackers. Team members often specialize in different areas—some focus on Windows internals, others on Linux kernels or browser security. The multi-day event encourages collaboration, but each exploit must be demonstrated live in front of judges. Notable past participants include the likes of team DEVCORE and the Pangu Team, though exact rosters for Berlin 2026 day 2 were not fully publicized.

What Is the Significance of Pwn2Own Competitions for Cybersecurity?

Pwn2Own serves multiple purposes: it incentivizes vulnerability research, gives vendors a chance to fix bugs before malicious actors exploit them, and raises public awareness about software security. The $385,750 awarded on day two is a fraction of what the competition pays overall, but the real value is in the 15 discovered zero-days. These vulnerabilities, once reported, are privately disclosed to vendors with a deadline to patch. The competition also fosters a community of ethical hackers who often collaborate with companies to improve product security.

How Does the Prize Money Compare to Previous Years?

The day two total of $385,750 is in line with recent Pwn2Own events, where daily payouts often range from $300,000 to $500,000. However, the number of exploits—15—is relatively high for a single day, indicating a bumper crop of high-quality vulnerabilities. By comparison, the entire Pwn2Own Vancouver 2025 awarded over $1 million across three days. The Berlin edition focuses specifically on enterprise and consumer software, with an emphasis on co-located exploitation of both operating system and application bugs.

What Happens After the Competition Ends?

Following the competition, all discovered zero-day vulnerabilities are reported to the affected vendors through responsible disclosure procedures. The vendors then have 90 days to develop and release patches. In some cases, the exploits demonstrated become part of public knowledge only after the fixes are available. The researchers also receive their prize money and often gain recognition and career opportunities. The event organizers publish a detailed summary of each successful exploit, including the techniques used, to educate the wider security community.
