During the second day of Pwn2Own Berlin 2025, competitors earned $435,000 after exploiting zero-day bugs in multiple products, including Microsoft SharePoint, VMware ESXi, Oracle VirtualBox, Red Hat Enterprise Linux, and Mozilla Firefox.
The highlight was a successful attempt from Nguyen Hoang Thach of STARLabs SG against VMware ESXi, which earned him $150,000 for an integer overflow exploit.
Dinh Ho Anh Khoa of Viettel Cyber Security was awarded $100,000 for hacking Microsoft SharePoint by leveraging an exploit chain combining an auth bypass and an insecure deserialization flaw.
Palo Alto Networks’ Edouard Bochin and Tao Yan also demoed an out-of-bounds write zero-day in Mozilla Firefox, while Gerrard Tai of STAR Labs SG escalated privileges to root on Red Hat Enterprise Linux using a use-after-free bug, and Viettel Cyber Security used another out-of-bounds write for an Oracle VirtualBox guest-to-host escape.
In the AI category, Wiz Research security researchers used a use-after-free zero-day to exploit Redis, and Qrious Secure chained 4 security flaws to hack Nvidia’s Triton Inference Server.
On the first day, competitors were awarded $260,000 after successfully exploiting zero-day vulnerabilities in Windows 11, Red Hat Linux, and Oracle VirtualBox, reaching a total of $695,000 earned over the first two days of the contest after demonstrating 20 unique 0-days.

The Pwn2Own Berlin 2025 hacking competition focuses on enterprise technologies, introduces an AI category for the first time, and takes place during the OffensiveCon conference between May 15 and May 17.
Security researchers will be able to earn over $1,000,000 in rewards for demonstrating zero-day bugs in fully patched products in the AI, web browser, virtualization, local privilege escalation, servers, enterprise applications, cloud-native/container, and automotive categories.
However, no Tesla attempts were registered before Pwn2Own started, even though two 2025 Tesla Model Y and 2024 Tesla Model 3 bench-top units were also available as targets.
On the last day of the contest, the hackers will attempt to exploit zero-day bugs in Windows 11, Oracle VirtualBox, VMware ESXi, VMware Workstation, Mozilla Firefox, as well as Nvidia’s Triton Inference Server and Container Toolkit.
After zero-day exploits are disclosed during the Pwn2Own contest, vendors have 90 days to release security fixes for their software and hardware products before Trend Micro’s Zero Day Initiative publishes technical details.