What happened
Pwn2Own Berlin 2026 concluded with white hat hackers earning $1,298,250 for 47 unique vulnerabilities across Windows, Linux, VMware, Nvidia, and AI products, according to TrendAI’s Zero Day Initiative. The event saw nearly $750,000 awarded to the top two teams alone.
Devcore took the top position, earning $200,000 for a remote code execution exploit with SYSTEM privileges on Microsoft Exchange, $175,000 for a Microsoft Edge sandbox escape, and $100,000 for a Microsoft SharePoint exploit. StarLabs SG earned $200,000 for a VMware ESX exploit that included a cross-tenant code execution component. Out of Bounds placed third with $95,750.
The AI product category drew significant participation, with successful exploits demonstrated against LiteLLM, OpenAI Codex, LM Studio, Cursor, Ollama, Claude Code, NVIDIA Megatron Bridge, and Chroma. Rewards in this category ranged from $15,000 to $40,000. Additional exploits targeting Red Hat Linux, Windows 11, and NVIDIA Container Toolkit earned between $2,500 and $50,000. There were eight failed attempts across targets including Oracle Autonomous AI Database, Firefox, Safari, and VMware ESX. Several research teams were unable to register due to all time slots being taken, with some choosing to disclose findings directly to vendors and others beginning public disclosure of their exploits.
Who is affected
Vendors whose products were successfully exploited face immediate patch development obligations under ZDI’s coordinated disclosure process. Organizations running Microsoft Exchange, Edge, SharePoint, VMware ESX, and the AI platforms targeted at the event should monitor vendor security advisories for patches addressing the demonstrated vulnerabilities. The public disclosure path taken by some researchers who could not register creates additional urgency for unpatched findings.
Why CISOs should care
The volume and breadth of successful exploits at Pwn2Own Berlin reflect the same AI-accelerated vulnerability discovery trend driving record Microsoft patch counts and the Copy Fail and Dirty Frag Linux disclosures. The AI product category results are particularly relevant: successful exploits against LiteLLM, OpenAI Codex, Claude Code, and other AI infrastructure tools confirm that the AI development stack is an active and productive target for skilled researchers and, by extension, for threat actors using the same techniques.
The cross-tenant VMware ESX exploit earning the maximum $200,000 payout also warrants attention for organizations running shared virtualization infrastructure, where tenant isolation is a foundational security assumption.
3 practical actions
- Monitor ZDI and vendor security advisories for patches addressing Pwn2Own Berlin findings: Vendors have 90 days from ZDI notification to release patches before public disclosure. Track advisories from Microsoft, VMware, Red Hat, NVIDIA, and the affected AI platform vendors and prioritize patching as fixes become available, with Exchange and ESX vulnerabilities warranting the highest urgency given their demonstrated exploit severity.
- Assess AI development tool deployments for exposure from demonstrated vulnerabilities: Successful exploits against LiteLLM, OpenAI Codex, Claude Code, and LM Studio confirm these platforms carry exploitable vulnerabilities. Review which AI tools are deployed in your environment, monitor vendor patch releases for these platforms specifically, and apply updates promptly given the active research interest in this category.
- Treat public disclosures from unregistered researchers as zero-day exposure requiring immediate response: Some researchers who could not register for Pwn2Own began publicly disclosing their exploits directly. Monitor security researcher feeds and vulnerability disclosure platforms for Pwn2Own-related public disclosures that may not follow the standard 90-day coordinated disclosure timeline.
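One way to carry out the inventory step in the second action, as an added example that is not from the article, ZDI, or any of the named vendors: a Python script that matches the output of `pip list --format=json` and `npm ls -g --json --depth=0` against a watchlist of the AI tools named above and reports which installed versions sit below a minimum patched version. The package names (`litellm`, `chromadb`, `@anthropic-ai/claude-code`, `@openai/codex`) are the real distribution names; the minimum patched versions are placeholders, since the article publishes none, and the two sample inventories are constructed so the script runs offline.

```python
import json
import re
import subprocess

# Watchlist: ecosystem -> package name -> (tool as named in the article,
# minimum patched version).  The version strings are PLACEHOLDERS: the
# article gives no fixed versions, so replace them from the vendor advisory.
# None means "installed tool, no patched version announced yet".
WATCHLIST = {
    "pip": {
        "litellm": ("LiteLLM", "99.0.0"),       # placeholder version
        "chromadb": ("Chroma", None),           # awaiting vendor advisory
    },
    "npm": {
        "@anthropic-ai/claude-code": ("Claude Code", "99.0.0"),  # placeholder
        "@openai/codex": ("OpenAI Codex CLI", None),             # awaiting advisory
    },
}


def parse_version(v):
    """Comparable key for a version string without the `packaging` module.

    Numeric components compare as integers, padded so 1.2 == 1.2.0; any
    trailing tag such as 'rc1' sorts below the plain release of that number.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)(.*)$", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    release = tuple(int(x) for x in m.group(1).split("."))
    release += (0,) * (4 - len(release))
    return release, (0 if m.group(2) == "" else -1)


def installed_from_pip(pip_list_json):
    """Map normalized distribution name -> version from `pip list --format=json`."""
    return {pkg["name"].lower().replace("_", "-"): pkg["version"]
            for pkg in json.loads(pip_list_json)}


def installed_from_npm(npm_ls_json):
    """Map package name -> version from `npm ls -g --json --depth=0`."""
    deps = json.loads(npm_ls_json).get("dependencies", {})
    return {name: info["version"] for name, info in deps.items() if "version" in info}


def assess(ecosystem, installed, watchlist=WATCHLIST):
    """One finding per watchlisted package that is actually installed.

    status: 'update' (below the minimum patched version), 'ok' (at or above
    it) or 'awaiting-patch' (installed, but no fixed version is known yet).
    """
    findings = []
    for pkg, (tool, min_fixed) in watchlist[ecosystem].items():
        if pkg not in installed:
            continue
        current = installed[pkg]
        if min_fixed is None:
            status = "awaiting-patch"
        elif parse_version(current) < parse_version(min_fixed):
            status = "update"
        else:
            status = "ok"
        findings.append({"tool": tool, "package": pkg, "ecosystem": ecosystem,
                         "installed": current, "min_fixed": min_fixed, "status": status})
    return findings


def live_inventory():
    """Run the real inventory commands on this host (best effort, skips missing tools)."""
    out = []
    cmds = [("pip", ["pip", "list", "--format=json"], installed_from_pip),
            ("npm", ["npm", "ls", "-g", "--json", "--depth=0"], installed_from_npm)]
    for eco, cmd, parser in cmds:
        try:
            raw = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
            out.extend(assess(eco, parser(raw)))
        except (OSError, ValueError):
            pass  # package manager absent or output not JSON; nothing to report
    return out


# Constructed sample inventories (not captured from a real host).
SAMPLE_PIP = json.dumps([
    {"name": "litellm", "version": "1.40.0"},
    {"name": "chromadb", "version": "0.5.0"},
    {"name": "requests", "version": "2.32.3"},
])
SAMPLE_NPM = json.dumps({"dependencies": {
    "@anthropic-ai/claude-code": {"version": "1.0.0"},
    "npm": {"version": "10.8.0"},
}})

if __name__ == "__main__":
    findings = assess("pip", installed_from_pip(SAMPLE_PIP)) + \
               assess("npm", installed_from_npm(SAMPLE_NPM))
    for f in findings:
        print(f"{f['status']:<15} {f['tool']} ({f['ecosystem']}:{f['package']}) "
              f"installed {f['installed']}, minimum patched {f['min_fixed']}")
```

Run against the samples it flags LiteLLM and Claude Code for update and marks Chroma as awaiting a patch; `live_inventory()` runs the same two commands on the host. Tools that ship as desktop applications rather than packages (Cursor, LM Studio, Ollama) need a separate check through the platform's software inventory, which this script does not attempt.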
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.

