In the course of the second day of Pwn2Own Berlin 2025, opponents earned $435,000 after exploiting zero-day bugs in a number of merchandise, together with Microsoft SharePoint, VMware ESXi, Oracle VirtualBox, Pink Hat Enterprise Linux, and Mozilla Firefox.
The spotlight was a profitable try from Nguyen Hoang Thach of STARLabs SG towards the VMware ESXi, which earned him $150,000 for an integer overflow exploit.
Dinh Ho Anh Khoa of Viettel Cyber Safety was awarded $100,000 for hacking Microsoft SharePoint by leveraging an exploit chain combining an auth bypass and an insecure deserialization flaw.
Palo Alto Networks’ Edouard Bochin and Tao Yan additionally demoed an out-of-bounds write zero-day in Mozilla Firefox, whereas Gerrard Tai of STAR Labs SG escalated privileges to root on Pink Hat Enterprise Linux utilizing a use-after-free bug, and Viettel Cyber Safety used one other out-of-bounds write for an Oracle VirtualBox guest-to-host escape.
Within the AI class, Wiz Analysis safety researchers used a use-after-free zero-day to take advantage of Redis and Qrious Safe chained 4 safety flaws to hack Nvidia’s Triton Inference Server.
On the primary day, opponents have been awarded $260,000 after efficiently exploiting zero-day vulnerabilities in Home windows 11, Pink Hat Linux, and Oracle VirtualBox, reaching a complete of $695,000 earned over the primary two days of the competition after demonstrating 20 distinctive 0-days.
​​​The Pwn2Own Berlin 2025 hacking competitors focuses on enterprise applied sciences, introduces an AI class for the primary time, and takes place throughout the OffensiveCon convention between Could 15 and Could 17.
Safety researchers will have the ability to earn over $1,000,000 in rewards for demonstrating zero-day bugs in absolutely patched merchandise within the AI, internet browser, virtualization, native privilege escalation, servers, enterprise purposes, cloud-native/container, and automotive classes.
Nonetheless, no Tesla makes an attempt have been registered earlier than Pwn2Own began, though two 2025 Tesla Mannequin Y and 2024 Tesla Mannequin 3 bench-top models have been additionally accessible as targets.
On the final day of the competition, the hackers will try to take advantage of zero-day bugs in Home windows 11, Oracle VirtualBox, VMware ESXi, VMware Workstation, Mozilla Firefox, in addition to Nvidia’s Triton Inference Server and Container Toolkit.
After zero-day exploits are disclosed throughout the Pwn2Own contest, distributors have 90 days to launch safety fixes for his or her software program and {hardware} merchandise earlier than Pattern Micro’s Zero Day Initiative publishes technical particulars.
Primarily based on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK methods behind 93% of assaults and tips on how to defend towards them.
