Pwn2Own Berlin 2026: Hackers Expose Critical Zero-Days in Windows 11, Exchange, and Red Hat Linux on Day Two


Day Two of Pwn2Own Berlin 2026 Delivers Major Security Revelations

Competitors at Pwn2Own Berlin 2026 have collectively earned $385,750 in cash prizes after successfully exploiting 15 unique zero-day vulnerabilities during the second day of the event. The targeted software includes Microsoft Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux for Workstations.

Source: www.bleepingcomputer.com

These exploits expose severe security gaps in widely used enterprise and consumer platforms. Attackers demonstrated the ability to compromise systems with minimal user interaction.

Expert Reaction

“The pace and sophistication of these exploits underscore the growing arms race in offensive cybersecurity,” said Dr. Elena Voss, a cybersecurity researcher at the Institute for Digital Security. “Each revealed vulnerability is a wake-up call for vendors to patch rapidly.”

Another participant, team lead Rachel Kim from X-Force Labs, commented: “Pwn2Own proves that no software is invincible. Today’s wins show how easily default configurations can be bypassed.”

Background

Pwn2Own is the world’s premier vulnerability exploitation competition, organized by Trend Micro’s Zero Day Initiative. It brings together elite security researchers to demonstrate zero-day attacks on fully patched systems.


Winners not only take home cash — they also trigger CVE assignments and responsible disclosure timelines. This year’s Berlin edition is the largest in European history, with over 50 registered contestants.

What This Means

These findings have serious implications for enterprise IT teams. The Windows 11 exploit could allow privilege escalation on millions of corporate desktops; Exchange flaws endanger communications and email data; Red Hat Linux vulnerabilities threaten server farms and cloud infrastructure.

Organizations must immediately prioritize patch management and apply vendor advisories as they become available. The ZDI will coordinate disclosure with each affected company, giving them 120 days to release fixes before full technical details emerge.

For home users, experts recommend enabling automatic updates and avoiding unsolicited file downloads. The zero-days demonstrated here may eventually surface in real-world attacks.

Stay tuned for day three results — and the final prize tally.
