





The annual Pwn2Own Berlin 2025 event kicked off with a bang as security researchers demonstrated working zero-day exploits against several enterprise platforms, earning a total of $260,000 in prizes on the first day alone.
Taking place from May 15 to May 17 during the OffensiveCon conference, this year’s event includes new categories like AI systems, in addition to traditional targets such as operating systems, enterprise apps, virtualization platforms, and containers.
Red Hat Enterprise Linux for Workstations was the first to fall in the local privilege escalation category. The DEVCORE Research Team’s Pumpkin exploited an integer overflow vulnerability, earning a $20,000 payout.
Shortly after, Hyunwoo Kim and Wongi Lee demonstrated a root-level exploit by chaining a use-after-free with an information leak. However, due to a bug collision (one of the vulnerabilities was already known), the exploit didn’t qualify for a full reward.
Chen Le Qi of STARLabs SG took home $30,000 for a sophisticated exploit chain targeting Windows 11, combining a use-after-free with an integer overflow to escalate privileges to SYSTEM level.
Two more SYSTEM-level Windows 11 exploits followed:
Marcin Wiązowski exploited an out-of-bounds write vulnerability.
Hyeonjin Choi showcased a type confusion zero-day.
Each demonstration highlighted the fragility of even fully patched Windows systems under real-world attack scenarios.
Team Prison Break earned $40,000 by using an integer overflow to escape Oracle VirtualBox and execute code on the host OS.
Summoning Team’s Sina Kheirkhah won $35,000 for exploiting a zero-day in Chroma and a known flaw in Nvidia’s Triton Inference Server.
The day’s biggest individual reward, $60,000, went to Billy and Ramdhan of STARLabs SG. They successfully escaped Docker Desktop using a use-after-free zero-day, executing code on the underlying host OS.
On Day 2, researchers will attempt exploits targeting:
Microsoft SharePoint
VMware ESXi
Mozilla Firefox
Red Hat Enterprise Linux
Oracle VirtualBox
Over $1,000,000 in cash and prizes is up for grabs across categories such as:
AI systems
Web browsers
Virtualization
Local privilege escalation
Cloud-native/containers
Enterprise applications
Automotive systems
Notably, while Tesla Model 3 (2024) and Model Y (2025) units were eligible targets, no exploit attempts were registered at the start of the contest.
After vulnerabilities are disclosed during Pwn2Own, vendors have 90 days to develop and release patches for the affected software or hardware. The event plays a critical role in responsible disclosure, helping vendors secure their systems before exploits are weaponized in the wild.
Copyright 2026 Tech Providence