The second day of Pwn2Own Berlin 2026 produced 15 unique zero-day vulnerabilities across Microsoft Exchange Server, Windows 11, Red Hat Enterprise Linux, Oracle VirtualBox, and an AI inference platform, with $385,750 in prizes awarded. The standout result was DEVCORE’s Orange Tsai achieving SYSTEM-level remote code execution on fully patched Exchange Server through a three-bug chain — a $200,000 award and one of the most significant Exchange exploits demonstrated in a public competition setting.
DEVCORE’s Exchange SYSTEM RCE Chain
Orange Tsai, whose prior research produced the ProxyLogon and ProxyShell Exchange exploit chains that drove significant real-world exploitation in 2021, demonstrated a new three-vulnerability chain on Exchange Server. The chain achieves unauthenticated SYSTEM-level code execution — the highest privilege level on a Windows system — on a fully patched Exchange Server with no configuration changes from a default enterprise deployment.
Microsoft received the full technical details immediately under Pwn2Own’s coordinated disclosure rules and has 90 days to release a patch. The 90-day clock started 15 May. Given the history of Tsai’s prior Exchange research, where ProxyLogon was exploited by Chinese and other nation-state actors within days of public disclosure, the forthcoming patch for this chain will almost certainly be rapidly analysed by threat actors once released.
The $200,000 award reflects the severity assessment: unauthenticated SYSTEM RCE on the world’s most widely deployed enterprise mail platform.
Other Day 2 Results
Red Hat Enterprise Linux LPE: Ben Koo demonstrated a use-after-free privilege escalation from a standard user to root on Red Hat Enterprise Linux for Workstations. Enterprise Linux remains a recurring Pwn2Own target, with successful LPEs demonstrated on both Day 2 and later on Day 3.
Windows 11 LPE: An additional Windows 11 privilege escalation was demonstrated on Day 2, adding to Day 1’s three successful exploits. Each uses a distinct vulnerability class, indicating the Windows kernel LPE attack surface continues to yield new exploitable bugs.
LM Studio (AI Inference Platform): OtterSec achieved code injection exploitation of LM Studio, the local AI inference platform used by developers to run LLMs on-premises. This was the first AI inference product to fall at Pwn2Own, earning $20,000 and establishing AI tooling as a viable Pwn2Own target category.
Oracle VirtualBox: Continuing Day 1’s VirtualBox exploitation, additional VirtualBox escapes were demonstrated, reinforcing that the hypervisor remains a practical escape target.
Assessment Implications
The Day 2 results reinforce what Day 1 established: Windows, Exchange, and enterprise hypervisors have exploitable unknown vulnerabilities that are findable by skilled researchers in a competitive setting. The Exchange SYSTEM RCE chain adds a critical data point — DEVCORE has now found multiple generations of pre-auth or low-auth Exchange RCE chains, suggesting structural issues in Exchange’s security architecture rather than isolated bugs.
Security teams should note that patches for these Pwn2Own disclosures will arrive in the coming 90 days. When each CVE is assigned and patched, the patch should be treated with the same urgency as a zero-day given that the exploit chain has been demonstrated publicly to competitors, organisers, and all who were present.