On the second day of Pwn2Own Berlin 2026, competitors exploited 15 zero-day vulnerabilities across products including Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux for Workstations, collecting $385,750 in cash awards.
The prestigious hacking competition, held at the OffensiveCon conference from May 14 to May 16, focused on enterprise technologies and artificial intelligence. Security researchers had the opportunity to earn over $1,000,000 in cash and prizes by identifying and exploiting vulnerabilities in fully patched products in different categories.
According to the rules of Pwn2Own, all targeted devices ran the latest operating system versions, and participants were required to compromise the target and demonstrate arbitrary code execution. Vendors were given a 90-day window to patch their software and hardware after the zero-day vulnerabilities were disclosed at the event.
One of the standout moments of the second day was when Cheng-Da Tsai, also known as Orange Tsai, from DEVCORE Research Team, earned a substantial $200,000 by chaining three bugs to achieve remote code execution with SYSTEM privileges on Microsoft Exchange.
Other notable exploits included Siyeon Wi exploiting an integer overflow bug to hack Windows 11 and Ben Koo of Team DDOS escalating privileges to root on Red Hat Enterprise Linux for Workstations, earning $7,500 and $10,000 respectively. Additionally, 0xDACA and Noam Trobishi used a use-after-free bug to exploit the NVIDIA Container Toolkit.
In the AI category, Le Duc Anh Vu of Viettel Cyber Security successfully hacked the Cursor AI coding agent for a $30,000 prize. Sina Kheirkhah of Summoning Team demonstrated a zero-day exploit on OpenAI Codex, earning $20,000, while Compass Security exploited Cursor for a $15,000 reward.
On the first day, Orange Tsai had also earned $175,000 by chaining 4 logic bugs for a Microsoft Edge sandbox escape. Valentina Palmiotti of IBM X-Force Offensive Research collected $20,000 for rooting Red Hat Linux for Workstations and $50,000 for a zero-day exploit on the NVIDIA Container Toolkit.
Windows 11 faced multiple hacks on day one, with Angelboy and TwinkleStar03, Kentaro Kawane, and Marcin Wiązowski each earning $30,000 for demonstrating new privilege-escalation zero-days.
As the competition progresses, the third day of Pwn2Own will see hackers targeting Microsoft Windows 11, VMware ESXi, Red Hat Enterprise Linux, Microsoft SharePoint, and various AI coding agents.
For a detailed schedule of the second day and the results of each challenge, visit the official Pwn2Own website. The complete schedule for Pwn2Own Berlin 2026 is also accessible on their platform.
In the previous year’s Pwn2Own Berlin contest, Trend Micro’s Zero Day Initiative awarded $1,078,750 for 29 zero-day vulnerabilities and bug collisions.