The high-stakes competitive hacking arena of Pwn2Own Berlin 2026 escalated dramatically on May 15, 2026, delivering a series of critical zero-day compromises against core enterprise infrastructure, operating systems, and cutting-edge artificial intelligence environments.
Held alongside the OffensiveCon security conference, the second day of the event saw elite research teams successfully chain unknown software vulnerabilities to bypass modern defensive mitigations, demonstrating highly operationalizable threat vectors.
Following an intense opening session, the second day added an impressive $385,750 in bounties across 15 unique zero-day vulnerabilities. This surge pushed the event’s rolling cash payout to $908,750 and unearthed 39 distinct software defects in under 48 hours.
The elite Taiwanese research firm DEVCORE cemented its position at the top of the “Master of Pwn” leaderboard, driven by a catastrophic full-chain breach of Microsoft’s flagship mail architecture.
The Shell Shock: Microsoft Exchange SYSTEM Remote Code Execution
The single most significant achievement of the day belonged to world-renowned security researcher Cheng-Da “Orange Tsai” Tsai of the DEVCORE Research Team. Tsai demonstrated a masterful exploit path by chaining three separate zero-day bugs to achieve unauthenticated Remote Code Execution (RCE) on a fully patched, on-premises Microsoft Exchange Server.
Target: On-Premises Exchange ➔ Chain 3 Logic Zero-Days ➔ Gain Unauthenticated Access ➔ Achieve SYSTEM Privileges (Full RCE)
The flawless demonstration bypassed all modern security updates, granting the attacker the highest possible operating system clearance: SYSTEM privileges. The Trend Micro Zero Day Initiative (ZDI) awarded Tsai a massive $200,000 bounty and 20 Master of Pwn points for the single chain, making it the highest-value exploit of the competition.
An unauthenticated RCE on Microsoft Exchange represents a severe risk for corporate defenders. Because Exchange servers sit at the heart of enterprise directory services and internal communication channels, a real-world attacker weaponizing this chain could:
- Silently intercept, modify, or siphon sensitive internal executive emails.
- Pivot laterally to compromise domain controllers and Active Directory structures.
- Deploy network-wide ransomware or establish persistent corporate espionage hooks.
Operating System Privilege Escalations: Windows 11 and Linux Rooted
Beyond network servers, local operating system kernels faced heavy damage during the Day 2 schedule.
On the Microsoft front, researcher Siyeon Wi successfully targeted Windows 11. Wi leveraged an integer overflow vulnerability to execute an arbitrary write, instantly elevating limited local user permissions into complete administrative privileges. The exploit yielded a $7,500 cash prize. While local privilege escalations (LPE) command lower bounties than network RCEs, they are vital components of modern multi-stage attack chains, transforming basic initial access into total machine control.
On the open-source side, Ben Koo of Team DDOS turned his attention to enterprise Linux architecture. Koo weaponized a tricky use-after-free (UAF) memory corruption flaw within Red Hat Enterprise Linux (RHEL) for Workstations, successfully exploiting the kernel to gain root access and taking home a $10,000 prize. The exploit highlights how legacy memory-safety problems continue to haunt core Unix-like operating system kernels.
The Emerging Surface: AI and Developer Tools Under Active Siege
A major architectural shift for Pwn2Own Berlin 2026 was the dedicated focus on LLM platforms, local inference engines, and developer tools. Day 2 confirmed that AI-assisted workflows possess a highly volatile, unhardened attack surface:
- Cursor AI Editor: The popular developer IDE was compromised twice by different teams. Le Duc Anh Vu of Viettel Cyber Security pocketed $30,000 for a full compromise, while the research team at Compass Security hit the platform in a later round, securing $15,000 for a distinct exploit.
- OpenAI Codex: The Summoning Team (led by researcher Sina Kheirkhah) demonstrated a novel exploit chain against OpenAI Codex, successfully exfiltrating developer telemetry data and capturing a $20,000 reward.
- LM Studio: Security researchers from OtterSec achieved a full code-injection exploit against the local LLM deployment engine, walking away with $20,000 after forcing the system to execute untrusted system commands.
These findings show that because AI programming assistants hold extensive permissions to read source code, execute automated build scripts, and interact with production file directories, they are fast becoming high-value targets for corporate supply chain intrusion groups.
Failed Exploits and Overlapping Research
The competition also highlighted the increasing robustness of modern software sandboxes. Highly anticipated attempts targeting Apple Safari (Renderer Only) by Palo Alto Networks and Microsoft SharePoint by Rapid7’s Stephen Fewer ran out of clock and failed on stage, proving that reliable modern exploitation remains incredibly complex even for world-class researchers.
Additionally, several rounds resulted in “collision” outcomes. For example, Sina Kheirkhah’s attempt against Anthropic’s Claude Desktop used a valid security flaw that was already known to the ZDI vendor ecosystem. These collisions underscore overlapping independent research efforts across global threat intelligence operations.
As the final day looms, vendors like Microsoft, Red Hat, and the various AI platforms are racing against a ticking 90-day disclosure clock to engineer and deploy official security patches before these devastating zero-day chains are reverse-engineered and weaponized in the wild.