Pwn2Own Berlin 2026 Day Two: Record Zero-Day Exploits Hit Windows 11, Exchange, and Red Hat

Introduction

The second day of Pwn2Own Berlin 2026 saw competitors earn substantial rewards as they successfully exploited 15 distinct zero-day vulnerabilities across a range of popular software. The event, which is widely regarded as the premier hacking competition, highlights the critical importance of proactive security research. On this day alone, participants walked away with $385,750 in cash prizes after targeting major platforms including Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux for Workstations.

Pwn2Own Berlin 2026 Day Two: Record Zero-Day Exploits Hit Windows 11, Exchange, and Red Hat — Source: www.bleepingcomputer.com

Key Exploits and Vulnerabilities

Windows 11 Under Fire

Among the most notable exploits was a chain of vulnerabilities in Windows 11 that allowed researchers to achieve full system compromise from a remote or local environment. One team demonstrated a privilege escalation flaw that bypassed Microsoft's latest security mitigations, including Virtualization-Based Security (VBS) and Kernel Data Protection. Another exploit targeted the Windows Kernel, gaining elevated privileges and executing arbitrary code without triggering Windows Defender.

Microsoft Exchange Server Breached

On the enterprise side, Microsoft Exchange Server was successfully compromised. Researchers leveraged a pre-authentication remote code execution (RCE) vulnerability in the OWA (Outlook Web Access) module. The exploit chain bypassed Microsoft's attack surface reduction features, allowing attackers to read, modify, and exfiltrate email data as well as take full control of the server. This vulnerability is especially concerning for organizations relying on Exchange for critical communications.

Red Hat Enterprise Linux for Workstations

The competition also featured exploits against Red Hat Enterprise Linux 9 for Workstations. A duo from Team Synacktiv demonstrated a kernel-level flaw in the eBPF (extended Berkeley Packet Filter) subsystem. By chaining a memory corruption bug with a race condition, they achieved sandbox escape and lateral movement within the system. This marks one of the first successful eBPF-based exploits at Pwn2Own, signaling a new frontier in Linux security research.

Competition Structure and Awards

Day Two Rewards

The $385,750 awarded on day two brought the total prize pool for the week to over $1.2 million. Prizes are determined by the severity and complexity of the exploit. For example, a full chain of vulnerabilities in Windows 11 earned the highest single payout of $150,000, while the Exchange exploit netted $100,000. The Red Hat compromise was awarded $50,000 due to its innovative approach and difficulty.

Categories and Targets

Pwn2Own is organized into specific categories including Web Browsers, Virtualization, Enterprise Applications, and Operating Systems. Day two focused heavily on the Enterprise Applications and Operating Systems categories. Other products targeted during the day included VMware ESXi and Google Chrome, though those exploits were not fully detailed in the initial releases.

Implications for Enterprise Security

Zero-Day Discovery and Disclosure

All vulnerabilities discovered during Pwn2Own are disclosed to the respective vendors immediately, with a 90-day embargo before public disclosure. This allows companies like Microsoft and Red Hat to develop and deploy patches. The rapid discovery of these zero-days underscores the importance of continuous vulnerability research and highlights gaps in existing security measures. Enterprises running affected software should prioritize applying updates as soon as they become available.

Lessons for IT Administrators

IT teams can learn from this year's exploits by focusing on defense in depth. For Windows 11, enabling Credential Guard and vTPM could mitigate some attack vectors. For Exchange, implementing multi-factor authentication and restricting OWA exposure through VPNs or conditional access can reduce risk. For Red Hat Linux, monitoring eBPF program usage via auditd and employing kernel module signing can help prevent similar exploits.

Looking Ahead: The Final Day

With day two concluded, attention turns to the final day of Pwn2Own Berlin 2026, which will feature virtualization breakout exploits and car hacking categories. Researchers are expected to target VMware Workstation, Microsoft Hyper-V, and even Tesla Infotainment systems. The total prize pot may exceed $2 million by the end of the event, making it one of the largest bug bounty competitions in history.

Conclusion

The second day of Pwn2Own Berlin 2026 has already delivered critical security insights. The successful exploitation of Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux demonstrates that even well-patched environments remain vulnerable to skilled researchers. For the cybersecurity community, these findings are a valuable reminder that zero-day vulnerabilities are an ongoing threat, and that responsible disclosure—coupled with rapid patching—is the best line of defense.

For more details on the first day's exploits, see our coverage of Pwn2Own Berlin 2026 Day One.

Tags: