On the opening day of Pwn2Own Berlin 2025, security researchers earned a total of
$260,000 by successfully demonstrating zero-day exploits against Windows 11, Red Hat Linux, and Oracle VirtualBox.
The first successful hack was against Red Hat Enterprise Linux for Workstations, where the DEVCORE Research Team’s Pumpkin exploited an integer overflow vulnerability to achieve local privilege escalation and won $20,000.
Another Red Hat Linux device was compromised by Hyunwoo Kim and Wongi Lee, who chained a use-after-free flaw with an information leak to gain root access. However, one of the bugs used was not a zero-day, leading to a bug collision.
Security researcher Chen Le Qi from STARLabs SG earned $30,000 for chaining a use-after-free vulnerability with an integer overflow to escalate privileges to SYSTEM on a Windows 11 machine.
Windows 11 was breached two more times for SYSTEM access. Marcin Wiązowski used an out-of-bounds write flaw, and Hyeonjin Choi demonstrated a type confusion zero-day.
Team Prison Break received $40,000 for showcasing an integer overflow exploit chain that successfully escaped Oracle VirtualBox, allowing code execution on the host operating system.
Sina Kheirkhah from Summoning Team earned $35,000 by exploiting a Chroma zero-day in combination with a known issue in Nvidia’s Triton Inference Server.
STARLabs SG’s Billy and Ramdhan took home $60,000 for using a use-after-free zero-day to escape Docker Desktop and run code on the host system.
The Pwn2Own Berlin 2025 competition, held from May 15 to May 17 during the OffensiveCon conference, focuses on enterprise technologies and introduces a new AI category.
On the second day, researchers are expected to target zero-days in Microsoft SharePoint, VMware ESXi, Mozilla Firefox, Red Hat Enterprise Linux, and Oracle VirtualBox.
Following disclosure at Pwn2Own, vendors are given 90 days to issue patches for the vulnerabilities revealed.
This year’s participants are targeting fully updated systems across multiple categories, including AI, web browsers, virtualization, local privilege escalation, servers, enterprise software, container technologies, and automotive systems. More than $1 million in rewards is available.
Although the 2024 Tesla Model 3 and 2025 Tesla Model Y were also listed as eligible targets, no exploit attempts were registered against them before the event began.