Pwn2Own Berlin 2026 Day Two: Record Zero-Day Exploits Hit Windows 11, Exchange, and Red Hat
Introduction
The second day of Pwn2Own Berlin 2026 saw competitors earn substantial rewards as they successfully exploited 15 distinct zero-day vulnerabilities across a range of popular software. The event, which is widely regarded as the premier hacking competition, highlights the critical importance of proactive security research. On this day alone, participants walked away with $385,750 in cash prizes after targeting major platforms including Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux for Workstations.
Key Exploits and Vulnerabilities
Windows 11 Under Fire
Among the most notable exploits was a chain of vulnerabilities in Windows 11 that allowed researchers to achieve full system compromise from a remote or local environment. One team demonstrated a privilege escalation flaw that bypassed Microsoft's latest security mitigations, including Virtualization-Based Security (VBS) and Kernel Data Protection. Another exploit targeted the Windows Kernel, gaining elevated privileges and executing arbitrary code without triggering Windows Defender.
Microsoft Exchange Server Breached
On the enterprise side, Microsoft Exchange Server was successfully compromised. Researchers leveraged a pre-authentication remote code execution (RCE) vulnerability in the OWA (Outlook Web Access) module. The exploit chain bypassed Microsoft's attack surface reduction features, allowing attackers to read, modify, and exfiltrate email data as well as take full control of the server. This vulnerability is especially concerning for organizations relying on Exchange for critical communications.
Red Hat Enterprise Linux for Workstations
The competition also featured exploits against Red Hat Enterprise Linux 9 for Workstations. A duo from Team Synacktiv demonstrated a kernel-level flaw in the eBPF (extended Berkeley Packet Filter) subsystem. By chaining a memory corruption bug with a race condition, they achieved sandbox escape and lateral movement within the system. This marks one of the first successful eBPF-based exploits at Pwn2Own, signaling a new frontier in Linux security research.
Competition Structure and Awards
Day Two Rewards
The $385,750 awarded on day two brought the total prize pool for the week to over $1.2 million. Prizes are determined by the severity and complexity of the exploit. For example, a full chain of vulnerabilities in Windows 11 earned the highest single payout of $150,000, while the Exchange exploit netted $100,000. The Red Hat compromise was awarded $50,000 due to its innovative approach and difficulty.
Categories and Targets
Pwn2Own is organized into specific categories including Web Browsers, Virtualization, Enterprise Applications, and Operating Systems. Day two focused heavily on the Enterprise Applications and Operating Systems categories. Other products targeted during the day included VMware ESXi and Google Chrome, though those exploits were not fully detailed in the initial releases.
Implications for Enterprise Security
Zero-Day Discovery and Disclosure
All vulnerabilities discovered during Pwn2Own are disclosed to the respective vendors immediately, with a 90-day embargo before public disclosure. This allows companies like Microsoft and Red Hat to develop and deploy patches. The rapid discovery of these zero-days underscores the importance of continuous vulnerability research and highlights gaps in existing security measures. Enterprises running affected software should prioritize applying updates as soon as they become available.
Lessons for IT Administrators
IT teams can learn from this year's exploits by focusing on defense in depth. For Windows 11, enabling Credential Guard and vTPM could mitigate some attack vectors. For Exchange, implementing multi-factor authentication and restricting OWA exposure through VPNs or conditional access can reduce risk. For Red Hat Linux, monitoring eBPF program usage via auditd and employing kernel module signing can help prevent similar exploits.
Looking Ahead: The Final Day
With day two concluded, attention turns to the final day of Pwn2Own Berlin 2026, which will feature virtualization breakout exploits and car hacking categories. Researchers are expected to target VMware Workstation, Microsoft Hyper-V, and even Tesla Infotainment systems. The total prize pot may exceed $2 million by the end of the event, making it one of the largest bug bounty competitions in history.
Conclusion
The second day of Pwn2Own Berlin 2026 has already delivered critical security insights. The successful exploitation of Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux demonstrates that even well-patched environments remain vulnerable to skilled researchers. For the cybersecurity community, these findings are a valuable reminder that zero-day vulnerabilities are an ongoing threat, and that responsible disclosure—coupled with rapid patching—is the best line of defense.
For more details on the first day's exploits, see our coverage of Pwn2Own Berlin 2026 Day One.
Related Articles
- AI Agent Identity Theft Surges as Enterprise Security Blind Spot, 1Password CTO Warns
- April 2026 Patch Tuesday: Microsoft Fixes 167 Flaws, Including Actively Exploited Zero-Days
- Linux Kernel Maintainers Address Dirty Frag Vulnerabilities with Latest Stable Releases
- Critical Dell Zero-Day Under Active Exploitation by Chinese-Linked Hackers; New Malware GRIMBOLT Emerges
- How to Respond to a Critical Remote Code Execution Vulnerability in Your Git Push Pipeline
- A Practical Guide to Mitigating Iranian Cyber Threats: Phishing, Hacktivism, and Cybercrime
- NSA's Inglis Reflects on Snowden Leaks: Lessons for Security Leaders a Decade Later
- AI-Driven Security: How Claude Mythos Uncovered Hundreds of Firefox Vulnerabilities