On the primary day of Pwn2Own Berlin 2025, safety researchers had been awarded $260,000 after efficiently demonstrating zero-day exploits for Home windows 11, Crimson Hat Linux, and Oracle VirtualBox.
Crimson Hat Enterprise Linux for Workstations was the primary to fall within the native privilege escalation class after DEVCORE Analysis Group’s Pumpkin exploited an integer overflow vulnerability to earn $20,000.
Hyunwoo Kim and Wongi Lee additionally obtained root on a Crimson Hat Linux gadget by chaining a use-after-free and an data leak, however one of many exploited flaws was an N-day, which led to a bug collision.
Subsequent, Chen Le Qi of STARLabs SG was awarded $30,000 for an exploit chain combining a use-after-free and an integer overflow to escalate privileges to SYSTEM on a Home windows 11 system.
Home windows 11 was hacked twice extra to realize SYSTEM privileges by Marcin Wiązowski, who exploited an out-of-bounds write vulnerability, and Hyeonjin Choi, who demoed a kind confusion zero-day.
Group Jail Break earned $40,000 after demoing an exploit chain that used an integer overflow to flee Oracle VirtualBox and execute code on the underlying working system.
Summoning Group’s Sina Kheirkhah was awarded one other $35,000 for a Chroma zero-day and an already identified vulnerability in Nvidia’s Triton Inference Server, whereas STARLabs SG’s Billy and Ramdhan earned $60,000 for escaping Docker Desktop and executing code on the underlying OS utilizing a use-after-free zero-day.
The Pwn2Own Berlin 2025 hacking competitors, which focuses on enterprise applied sciences and introduces an AI class, takes place in Berlin between Could 15 and Could 17, through the OffensiveCon convention.
On the second day, safety researchers will attempt to exploit zero-days in Microsoft SharePoint, VMware ESXi, Mozilla Firefox, Crimson Hat Enterprise Linux for Workstations, and Oracle VirtualBox.
After the zero-day vulnerabilities are demoed and disclosed throughout Pwn2Own, distributors have 90 days to launch safety fixes for his or her software program and {hardware} merchandise.
Pwn2Own contestants will goal absolutely patched merchandise within the AI, net browser, virtualization, native privilege escalation, servers, enterprise purposes, cloud-native/container, and automotive classes, and can be capable to earn over $1,000,000 in money and prizes.
Nonetheless, whereas the 2024 Tesla Mannequin 3 and the 2025 Tesla Mannequin Y bench-top models had been additionally accessible as targets, no makes an attempt have been registered earlier than the competitors began.
Primarily based on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK methods behind 93% of assaults and learn how to defend towards them.
