The second day of Pwn2Own Berlin 2026 concluded with security researchers collecting $385,750 in prize money after successfully exploiting 15 distinct zero-day vulnerabilities. Products that fell to skilled hackers included Microsoft Exchange, Windows 11, Red Hat Enterprise Linux for Workstations, the NVIDIA Container Toolkit, and two popular AI coding assistants. The results from Pwn2Own day 2 highlight a clear trend in competitive hacking: attackers are moving beyond single-bug exploits to chain multiple vulnerabilities together for maximum impact. Each targeted device ran the latest operating system version, and every entry had to demonstrate arbitrary code execution to qualify for a prize.

Key Vulnerabilities Exploited on Pwn2Own Day 2
Microsoft Exchange Falls to a Three-Bug Chain
The standout achievement of Pwn2Own day 2 belonged to Cheng-Da Tsai, widely known as Orange Tsai, from the DEVCORE Research Team. He earned $200,000 by chaining three separate bugs to achieve remote code execution with SYSTEM privileges on a fully patched Microsoft Exchange server. This kind of attack is especially dangerous because Exchange servers sit at the heart of most enterprise communication systems. A successful compromise could give an attacker access to email, calendars, contacts, and potentially the entire corporate directory. The three-bug chain approach demonstrates that modern exploit development requires more than finding a single flaw. Researchers must understand how different components of a system interact and how to pivot from one vulnerability to the next. For IT administrators, this serves as a reminder that even fully patched software can be vulnerable when multiple weaknesses are combined in a creative sequence.
Windows 11 Integer Overflow
Siyeon Wi earned $7,500 for exploiting an integer overflow vulnerability in Windows 11. Integer overflows happen when a program tries to store a value larger than the maximum the variable can hold, which can lead to unexpected behavior and, in this case, code execution. While the payout is modest compared to the Exchange exploit, every Windows 11 vulnerability matters to IT administrators managing hundreds or thousands of devices. The fact that Windows 11 was also hacked three times on day one by Angelboy and TwinkleStar03 (working with the DEVCORE Internship Program), Kentaro Kawane of GMO Cybersecurity, and Marcin Wiązowski confirms that Microsoft’s flagship OS remains an active target. Each of those researchers earned $30,000 for demonstrating new privilege-escalation zero-days, bringing the total Windows 11 prize pool across both days to $97,500.
Red Hat Enterprise Linux Privilege Escalation
Ben Koo of Team DDOS earned $10,000 for escalating privileges to root on Red Hat Enterprise Linux for Workstations. Privilege escalation bugs allow an attacker with limited access to gain full administrative control over a system. For organizations running RHEL in production, this type of vulnerability poses a serious risk because a compromised user account can quickly become a full server takeover. The $10,000 payout reflects the difficulty of finding and exploiting a reliable privilege-escalation path on a modern Linux kernel running the latest updates. On day one, Valentina Palmiotti of IBM X-Force Offensive Research also earned $20,000 for rooting Red Hat Linux for Workstations, showing that RHEL attracted attention from multiple researchers throughout the competition.
NVIDIA Container Toolkit Use-After-Free
Researchers 0xDACA and Noam Trobishi teamed up to exploit a use-after-free bug in the NVIDIA Container Toolkit. Use-after-free vulnerabilities occur when a program continues to reference memory after it has been freed, which can allow an attacker to execute arbitrary code. Container environments are increasingly common in cloud-native deployments, making toolkit vulnerabilities particularly valuable to attackers targeting enterprise infrastructure. Valentina Palmiotti had also earned $50,000 on day one for a separate NVIDIA Container Toolkit zero-day, underscoring the growing interest in container security among top researchers.
AI Coding Agents Take Center Stage on Pwn2Own Day 2
One of the most notable developments during Pwn2Own day 2 was the inclusion of AI coding agents as official targets. For the first time, the competition featured a dedicated category for large language model-powered development tools. Three successful demonstrations earned a combined $65,000, signaling that the security community views AI coding assistants as a serious and emerging attack surface.
Cursor AI Hacked Twice
Le Duc Anh Vu of Viettel Cyber Security earned $30,000 for hacking the Cursor AI coding agent. Compass Security also exploited Cursor for $15,000. This means Cursor was successfully targeted twice on the same day, netting a combined $45,000 for two different teams. The presence of multiple successful exploits against the same product suggests that AI coding agents may introduce vulnerabilities that differ significantly from traditional software. These tools often run with elevated permissions, access local file systems, and execute code on behalf of the user, creating a broad attack surface that researchers are only beginning to explore.
OpenAI Codex Zero-Day
Sina Kheirkhah of the Summoning Team demonstrated a zero-day vulnerability in OpenAI Codex, earning $20,000. Codex, which powers features like GitHub Copilot, generates code based on natural language prompts. A vulnerability in such a tool could potentially allow an attacker to inject malicious instructions into generated code, affecting every developer who trusts the output. The $20,000 payout reflects the novelty of this attack surface and the difficulty of finding exploitable flaws in a system that is constantly being updated and refined.
What Pwn2Own Day 2 Reveals About Modern Exploit Techniques
The 15 zero-days demonstrated on Pwn2Own day 2 offer a window into how professional hackers approach modern software security. Three patterns stand out across the day’s results: bug chaining, targeting of enterprise infrastructure, and the emergence of AI as a distinct vulnerability class.
The Art of Chaining Multiple Bugs
Orange Tsai’s $200,000 win is a textbook example of why single-bug exploits are becoming less common in high-stakes hacking. Modern software includes multiple layers of defenses such as address space layout randomization, data execution prevention, and control flow guard. A single vulnerability often cannot bypass all of these protections. By chaining three bugs, Tsai was able to bypass each layer in sequence, ultimately achieving SYSTEM-level code execution on a fully patched Exchange server. This technique requires deep knowledge of the target’s internals and a methodical approach to discovery. For defenders, the implication is clear: patching individual vulnerabilities is not enough. Security teams must also consider how different bugs could be combined by an attacker who has time and motivation to study the system.
Why Enterprise Software Attracts Top Hackers
Every product targeted on Pwn2Own day 2 is widely deployed in enterprise environments. Microsoft Exchange alone is used by hundreds of thousands of organizations globally. Red Hat Enterprise Linux powers critical infrastructure in finance, healthcare, and government. The NVIDIA Container Toolkit is used in GPU-accelerated cloud environments for machine learning workloads. When a researcher demonstrates a zero-day in one of these products, the practical impact on real-world security is immediate. Vendors have 90 days to release patches after disclosure, which means organizations must move quickly to protect themselves. The high prize amounts reflect the real-world value of these vulnerabilities on the black market, where a single Exchange zero-day could sell for several times the competition prize.
Practical Steps for IT Teams While Waiting for Patches
Vendors have 90 days to patch the 15 zero-days disclosed during Pwn2Own day 2. That timeline may feel generous, but exploit code often circulates within security communities much faster. Organizations running affected products should take proactive steps now rather than waiting for an official update.
Securing Microsoft Exchange
For IT administrators responsible for Exchange servers, the three-bug chain demonstrated by Orange Tsai should prompt immediate action. Begin by reviewing recent authentication logs for unusual activity, especially around mail flow and administrative access. Enable extended protection on Exchange servers if it is not already active. Consider deploying a web application firewall in front of Exchange to filter potentially malicious requests. Review all mailbox permissions and remove any accounts with administrative roles that do not require them. If possible, enable auditing for PowerShell cmdlets executed against Exchange, as many exploit chains use PowerShell for post-exploitation activity. Finally, ensure that Exchange is running the most recent cumulative update and security hotfix, even though the disclosed bugs are zero-days that will require a future patch.
Protecting Windows 11 Workstations
The integer overflow vulnerability exploited by Siyeon Wi on Windows 11, along with the three privilege-escalation bugs from day one, means organizations should prioritize endpoint hardening. Enable virtualization-based security features such as Hypervisor-Protected Code Integrity and Credential Guard if hardware supports them. Review local privilege escalation attack surfaces by restricting which users can run administrative tools. Deploy application control policies using Windows Defender Application Control or AppLocker to block unauthorized executables. Ensure that Microsoft Defender for Endpoint is configured with cloud-delivered protection and behavioral monitoring enabled. For organizations using Windows 11 in enterprise environments, consider enabling attack surface reduction rules that specifically target common privilege escalation techniques.
Monitoring AI Tool Usage
With a combined $65,000 awarded for exploits against Cursor and OpenAI Codex on Pwn2Own day 2, organizations should review how AI coding agents are deployed within their development workflows. Restrict AI coding tools to isolated development environments that do not have direct access to production systems. Audit the permissions granted to these tools: local file system access, network access, and execution privileges should be minimized. Monitor the code generated by AI assistants for suspicious patterns such as unexpected network connections or file writes. Educate developers about the risks of blindly accepting AI-generated code without review. Consider implementing a policy that requires human review of all AI-generated code before it is merged into production branches.
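One way to support the monitoring step above for Python changes, shown as an added example that is not from the original article or any vendor: a pre-merge check that parses generated code and lists network, process-execution and file-write calls for the human reviewer. The watch-list, the function names and the `SAMPLE` input are constructed assumptions.

```python
import ast

# Constructed watch-list (an assumption, not from the article).
WATCH = {"network": {"socket.create_connection", "urllib.request.urlopen", "requests.post"},
         "exec": {"os.system", "subprocess.run", "subprocess.Popen", "eval", "exec"}}

def dotted(node):  # 'a.b.c' for a Name/Attribute chain, else None
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join([node.id] + parts[::-1]) if isinstance(node, ast.Name) else None

def review_flags(source):
    """Return sorted (line, category, call) tuples for calls needing human review."""
    tree, aliases, flags = ast.parse(source), {}, []
    for node in ast.walk(tree):  # map local names to real modules so an alias cannot hide a call
        if isinstance(node, ast.Import):
            for a in node.names:
                root = a.name.split(".")[0]
                aliases[a.asname or root] = a.name if a.asname else root
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    for node in (n for n in ast.walk(tree) if isinstance(n, ast.Call)):
        name = dotted(node.func)
        if name:
            head, _, rest = name.partition(".")
            name = aliases.get(head, head) + ("." + rest if rest else "")
        if name == "open":  # flag only modes that can modify a file
            mode = node.args[1] if len(node.args) > 1 else next(
                (k.value for k in node.keywords if k.arg == "mode"), None)
            if isinstance(mode, ast.Constant) and set(str(mode.value)) & set("wax+"):
                flags.append((node.lineno, "file-write", "open"))
        elif getattr(node.func, "attr", None) in ("write_text", "write_bytes"):
            flags.append((node.lineno, "file-write", node.func.attr))  # pathlib writes
        else:
            flags += [(node.lineno, c, name) for c, s in WATCH.items() if name in s]
    return sorted(flags)

# Constructed sample standing in for assistant-generated code.
SAMPLE = '''import subprocess as sp
from urllib.request import urlopen
from pathlib import Path
Path("report.txt").write_text("ok")
urlopen("https://example.invalid/collect", data=b"ok")
sp.run(["git", "status"])
print(open("notes.txt").read())
'''
```

The check only resolves static imports and literal call names, so it is a triage aid for the human review step and does not replace running these tools in an isolated environment.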
The Bigger Picture: Pwn2Own in Context
The $385,750 awarded on Pwn2Own day 2 is part of a larger competition that spans three days and covers more than a dozen product categories. Day one saw Orange Tsai earn an additional $175,000 for a Microsoft Edge sandbox escape using four logic bugs, and Valentina Palmiotti collect $70,000 across two exploits. By the end of day two, the total prize money awarded exceeded $560,000, with day three still ahead. The final day of Pwn2Own Berlin 2026 will target Microsoft Windows 11, VMware ESXi, Red Hat Enterprise Linux, Microsoft SharePoint, and several AI coding agents. Last year’s Pwn2Own Berlin contest awarded $1,078,750 for 29 zero-day flaws, and this year’s event is on track to match or exceed that figure.
The 90-day disclosure rule ensures that every vulnerability demonstrated at the competition will eventually be patched. For the broader security community, Pwn2Own serves as a stress test for the software that powers modern enterprises. The findings from Pwn2Own day 2 remind us that no product, no matter how well maintained, is immune to creative and determined attackers. The best defense is a disciplined approach to patching, monitoring, and security hygiene applied consistently across every layer of the technology stack.






