Pwn2Own Berlin 2025 Kicks Off with $260,000 in Rewards for Zero-Day Exploits on Windows, Linux, and VirtualBox

The Pwn2Own Berlin 2025 hacking contest opened with a bang as security researchers earned a combined \$260,000 for demonstrating zero-day vulnerabilities on major enterprise platforms including Windows 11, Red Hat Linux, and Oracle VirtualBox. This prestigious event, held alongside OffensiveCon from May 15 to 17, spotlights the latest in cyber defense by challenging experts to find and exploit weaknesses in fully patched systems. With an expanded focus on AI-related technologies, the competition is setting the stage for crucial advancements in securing today’s complex digital landscape.

Starting strong on day one, the DEVCORE Research Team’s Pumpkin took down Red Hat Enterprise Linux for Workstations through an integer overflow vulnerability in the local privilege escalation category, earning a \$20,000 reward. Meanwhile, researchers Hyunwoo Kim and Wongi Lee achieved root access on another Red Hat Linux system by chaining a use-after-free flaw with an information leak—though one exploited vulnerability was classified as an N-day, leading to a “bug collision” designation by organizers.

Windows 11 also faced multiple breaches. Chen Le Qi from STARLabs SG scored \$30,000 by combining a use-after-free vulnerability with an integer overflow to escalate privileges to SYSTEM level. Additional Windows 11 attacks came from Marcin Wiązowski, exploiting an out-of-bounds write, and Hyeonjin Choi, who used a type confusion zero-day flaw.

In the virtualization arena, Team Prison Break earned \$40,000 by escaping Oracle VirtualBox through an integer overflow exploit that allowed code execution on the host OS. Summoning Team’s Sina Kheirkhah secured \$35,000 for a zero-day vulnerability in Chroma paired with a known bug in Nvidia’s Triton Inference Server. Meanwhile, STARLabs SG’s duo, Billy and Ramdhan, pocketed \$60,000 for escaping Docker Desktop using a use-after-free zero-day vulnerability.

The contest isn’t just about catching hackers in the act; it also sets a 90-day window for vendors to patch these serious vulnerabilities. Throughout the competition, participants will continue targeting a range of systems including Microsoft SharePoint, VMware ESXi, Mozilla Firefox, and other critical enterprise software. Over \$1 million in cash and prizes is up for grabs across categories like AI, virtualization, browsers, local privilege escalations, cloud-native environments, and even automotive systems, though no attempts were made on Tesla’s 2024 Model 3 or 2025 Model Y units during day one.

What Undercode Say:

Pwn2Own Berlin 2025 highlights the ongoing arms race between security researchers and software vendors. The early success in exploiting fully patched systems underscores how attackers can find hidden paths into even hardened environments. Integer overflow and use-after-free vulnerabilities continue to be common attack vectors, demonstrating the persistent challenge of securing memory management in complex operating systems and virtualization software.

The presence of an N-day bug—vulnerabilities already known and patched but still exploitable in certain setups—raises important questions about patch deployment and real-world system hygiene. It’s not enough for vendors to patch vulnerabilities; enterprises must rapidly apply these patches to prevent exploitation, or attackers will exploit these known holes with ease.

Moreover, the introduction of AI-related categories is a timely evolution of the contest. As artificial intelligence becomes embedded in enterprise tools and critical infrastructure, identifying weaknesses before malicious actors do will be essential. This focus anticipates a future where AI-specific exploits could disrupt services or compromise data in ways traditional vulnerabilities cannot.

The competition also sheds light on the growing complexity of modern IT environments. Researchers targeting containerization platforms like Docker and virtualization software such as Oracle VirtualBox reflect how attackers increasingly leverage weaknesses in these foundational technologies to bypass traditional security boundaries. Container escapes and virtualization breakout exploits reveal that security in cloud-native and virtualized environments demands a layered and vigilant approach.

It’s noteworthy that no attempts were made on Tesla’s automotive targets. This might reflect the extreme difficulty of automotive hacking or strategic decisions by participants to focus on enterprise targets with higher reward potential. Still, with connected cars becoming increasingly software-dependent, future contests will likely see a surge in automotive-focused exploits.

The Pwn2Own framework of public disclosure with a 90-day patch timeline ensures that successful exploits translate into real-world security improvements. However, with more than \$1 million in prizes at stake, the competition also fuels an underground economy of zero-day trading, as some vulnerabilities can command much higher prices in less transparent markets.

This event is a stark reminder to organizations about the importance of continuous security research, rapid patching, and investment in defensive technologies. It also signals how attackers evolve by chaining vulnerabilities across multiple layers—highlighting the need for comprehensive threat modeling and advanced detection capabilities in enterprise environments.

Fact Checker Results:

The vulnerabilities exploited include both zero-day and N-day types, with the latter indicating known but unpatched flaws. ✅
The total prize money awarded on day one matches official Pwn2Own Berlin 2025 announcements. ✅
No hacking attempts were recorded on Tesla’s 2024 Model 3 or 2025 Model Y units during the first day. ✅

Prediction:

As Pwn2Own Berlin 2025 progresses, expect to see increasing focus on AI-powered software vulnerabilities alongside traditional enterprise targets. The competition will likely drive rapid patches across major platforms, pushing vendors to harden their systems more aggressively. However, as attackers refine multi-vulnerability chains and exploit emerging AI weaknesses, enterprises must prepare for a growing wave of sophisticated attacks. Future Pwn2Own events may also witness a surge in automotive and IoT exploit attempts as these sectors mature and attract more security researchers and threat actors alike.