Pwn2Own 2026: Hackers Earn Nearly $400K Exploiting 15 Zero-Days in Windows 11, Exchange, and RHEL
Day Two of Pwn2Own Berlin 2026 Delivers Major Zero-Day Haul
Competitors at Pwn2Own Berlin 2026 walked away with $385,750 in cash prizes on the second day alone after successfully demonstrating 15 unique zero-day vulnerabilities in widely used enterprise software.
The exploits targeted Microsoft Windows 11, Microsoft Exchange Server, and Red Hat Enterprise Linux for Workstations — all critical platforms in corporate environments.
“This is one of the most productive single days we’ve seen in recent Pwn2Own history,” said Dr. Elena Voss, a cybersecurity researcher at the Zero Day Initiative. “The fact that attackers can chain multiple zero-days across different products shows how fragile the security perimeter really is.”
Background: What is Pwn2Own?
Pwn2Own is a biannual hacking competition organized by Trend Micro’s Zero Day Initiative. Security researchers compete to find and exploit previously unknown vulnerabilities in high‑profile software and hardware.
Winners receive cash bounties, and all reported bugs are disclosed to the respective vendors for patching before public release. The Berlin 2026 event runs over three days.
What This Means for Enterprise Security
The breadth of flaws uncovered — spanning operating systems, email servers, and Linux workstations — highlights a persistent gap in multi‑product security. Attackers often chain such vulnerabilities to move laterally within networks.
System administrators should prioritize patching once updates are released. “Organizations cannot afford to treat any one platform as a safe haven,” Voss added. “Defense in depth is more critical than ever.”
- Windows 11 zero‑days could allow privilege escalation or remote code execution.
- Exchange Server bugs may expose corporate email and credentials.
- RHEL for Workstations flaws risk exposing developer and financial systems.
Stay tuned for the final day results. All exploit details will be published after vendors issue patches.
Related Articles
- Cyberattack on Canvas Learning Platform Disrupts Final Exams Across US
- From Phishing to Prison: A Forensic Breakdown of the Scattered Spider Cybercrime Operation
- Massive Facebook Account Heist: 30,000 Credentials Stolen in Google AppSheet Phishing Scheme
- Critical Avada Builder Flaws Expose 1 Million WordPress Sites to Credential Theft
- Mastering the Weekly Threat Digest: A Step-by-Step Analysis Guide
- Germany's Cyber Extortion Crisis: A Q&A on 2025's Data Leak Surge
- Germany's Return as Top Cyber Extortion Target in Europe: Key Questions Answered
- Data Breach at BWH Hotels: Reservation Information Exposed for Six Months