U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Pwn2Own Berlin 2026, Day Two: $385,750 more, Microsoft Exchange falls, and the running total crosses $900K

Day two of Pwn2Own Berlin 2026 saw $385,750 earned for 15 zero-days, bringing the total to $908,750 and 39 vulnerabilities over two days. During the second day of Pwn2Own Berlin 2026, security researchers earned $385,750 after successfully demonstrating 15 unique zero-day vulnerabilities affecting products such as Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux […]

Pwn2Own Berlin 2026

Day two of Pwn2Own Berlin 2026 saw $385,750 earned for 15 zero-days, bringing the total to $908,750 and 39 vulnerabilities over two days.

During the second day of Pwn2Own Berlin 2026, security researchers earned $385,750 after successfully demonstrating 15 unique zero-day vulnerabilities affecting products such as Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux for Workstations. Combined with the first day of the competition, total rewards have reached $908,750 for 39 unique vulnerabilities discovered across two days, with another day of hacking still remaining.

Going into day two, DEVCORE held a commanding lead built almost entirely on Orange Tsai’s four-logic-bug Edge sandbox escape from the previous day.

Microsoft Exchange and Windows 11 were successfully exploited during the second day of Pwn2Own Berlin 2026. Researcher Siyeon Wi demonstrated a Windows 11 privilege escalation flaw caused by an integer overflow bug, earning $7,500. Multiple successful attacks against fully patched Windows 11 systems across two days highlighted the presence of serious real-world vulnerabilities in widely used software.

Ben Koo of Team DDOS had a clean win on Red Hat Enterprise Linux for Workstations, leveraging a use-after-free bug to escalate privileges and earning $10,000.

AI-focused attacks continued during Pwn2Own Berlin 2026 as researcher Byung Young Yi targeted LiteLLM. His exploit matched a vulnerability already demonstrated earlier in the competition, resulting in a collision rather than a new zero-day. He still earned $17,750 and partial Master of Pwn points, highlighting the intense scrutiny researchers placed on LiteLLM throughout the event.

Le Duc Anh Vu of Viettel Cyber Security successfully exploited Cursor, earning $30,000 and 3 Master of Pwn points in a full Pwn2Own win.

Compass Security successfully exploited the AI-powered code editor Cursor during Pwn2Own Berlin 2026, earning $15,000. The attack, alongside earlier exploits targeting OpenAI Codex, highlights growing security risks across AI-assisted developer tools and infrastructure.

Some exploits failed at Pwn2Own Berlin 2026, including Safari and SharePoint attempts that did not work within the time limit. Researchers still showed strong effort, but live conditions and strict timing made reliable exploitation difficult even for well-prepared teams targeting fully patched systems.

DEVCORE leads Pwn2Own Berlin 2026 with 40.5 points and $405,000, but the competition is still open with one day remaining and high-value targets like Firefox and AI systems still ahead. A single successful exploit could change the rankings.

Across two days, researchers demonstrated 39 unique zero-days across widely used software, including operating systems, AI tools, and enterprise platforms, all running fully patched versions. The results highlight how skilled attackers can still find weaknesses even in mature systems. Vendors now have 90 days to patch the vulnerabilities disclosed during the event, turning live exploitation into coordinated disclosure instead of real-world attacks.

Pwn2Own Berlin 2026 day one saw 22 entries and 24 zero-days across major software, with researchers earning $523,000 in total rewards.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Pwn2Own Berlin 2026)