Pwn2Own Berlin 2026: Second Day Yields $385K in Zero-Day Exploits Against Windows 11, Exchange, and RHEL
Breaking: Hackers Earn $385,750 by Exploiting 15 Zero-Days at Pwn2Own
On the second day of Pwn2Own Berlin 2026, security researchers collectively earned $385,750 after successfully exploiting 15 unique zero-day vulnerabilities in widely used software, including Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux for Workstations.
The contest, organized by Trend Micro's Zero Day Initiative, is a key event in the cybersecurity calendar. Participants demonstrate real-world exploits against fully patched systems, with vendors given 90 days to fix disclosed flaws.
Windows 11 Takes the Hardest Hits
Three separate teams targeted Windows 11, chainning elevation-of-privilege and remote code execution bugs. "Microsoft's latest OS continues to be a top target," said Dustin Childs, ZDI communications manager. "The complexity of these attacks shows that even mature platforms have hidden gaps."
One exploit, worth $100,000, breached Windows 11’s kernel via a novel memory corruption flaw. Another team used a browser-to-system escalation path to bypass two key security layers.
Microsoft Exchange Under Siege
Microsoft Exchange Server faced two critical zero-days—an SSRF vulnerability and a deserialization bug—that allowed full mailbox access. "Exchange remains a high-value prize for attackers because of its pervasive role in enterprise communication," noted Samantha Novak, a lead researcher at Trail of Bits.
The Exchange exploits each earned researchers $75,000 and were demonstrated against fully updated servers.
Red Hat Enterprise Linux Hit Twice
Red Hat Enterprise Linux for Workstations suffered two kernel-level exploits that granted attackers root privileges. One attack used a race condition in the scheduler, while another abused a flaw in the RHEL-specific SELinux integration.
"Linux has historically been perceived as safer, but these findings show that even hardened systems are not immune when attackers dig deep enough," said Alexei Volkov, a senior security engineer at Sysdig.
Background
Pwn2Own Berlin 2026 is a three-day competition where security researchers compete to find and demonstrate zero-day exploits. The event is separated into consumer and enterprise categories and follows strict rules: all exploits must work against fully patched, default-install software.
The first day saw over $400,000 awarded for attacks on Google Chrome, Apple Safari, and VMware ESXi. The total prize purse for the event is $1.5 million, with additional bonuses for chain exploits and use-after-free vulnerabilities.
What This Means
The second day results underscore that zero-day vulnerabilities remain a persistent risk even for the latest operating systems and email platforms. Enterprises that rely on Windows 11, Exchange, or RHEL should prepare for critical security updates over the next 90 days.
"Each of these bugs represents a real threat vector that malicious hackers could have weaponized," explained Maria Chen, a cybersecurity analyst at Theia. "The responsible disclosure process helps but organizations need to patch quickly." Teams qualifying for the final day will now target industrial control systems and server hypervisors.
The full list of exploited products includes Windows 11 (three separate vulnerabilities), Microsoft Exchange Server (two), Red Hat Enterprise Linux for Workstations (two), as well as Adobe Reader, Oracle VirtualBox, and the Foxit PDF Reader. All vendors have been notified and will release patches before the 90-day deadline.
Read more about the first day results and stay tuned for our coverage of day three, where the focus shifts to SCADA and IoT devices.