// #pwn2own
11 articles
The Pwn2Own 90-Day Clock: How Defenders Should Use the Patch Window Before Public Disclosure
Pwn2Own's 90-day coordinated disclosure rule gives vendors time to patch before technical details are made public. For enterprise defenders, the same 90 days is a known timeline during which the confirmed existence of specific zero-days — but not their technical details — is public. Understanding how to use that window is an underexplored aspect of enterprise vulnerability management.
After Pwn2Own Berlin 2026: A Risk Manager's Assessment of 47 Zero-Days in Enterprise Infrastructure
Pwn2Own Berlin 2026 produced 47 unique zero-day vulnerabilities across Windows 11, VMware ESXi, Exchange Server, SharePoint, Oracle VirtualBox, Red Hat Enterprise Linux, and five AI products. For enterprise risk managers and CISOs, the results require a structured response that goes beyond individual CVE patches and addresses the systemic implications.
Red Hat Enterprise Linux LPE at Pwn2Own: What the Results Mean for Enterprise Linux Patch Strategy
Red Hat Enterprise Linux was successfully exploited twice at Pwn2Own Berlin 2026 via local privilege escalation vulnerabilities. For enterprise security teams running RHEL, and the broader family of RHEL-derived distributions including CentOS Stream, Rocky Linux, and AlmaLinux, the results inform how Linux patching SLAs should be evaluated against the demonstrated threat model.
Why Exchange SYSTEM RCE Bypasses Conditional Access and MFA: The Authentication Architecture Problem
The Exchange SYSTEM RCE chain demonstrated by DEVCORE at Pwn2Own Berlin 2026 achieves code execution at the operating system level, bypassing all identity controls including Conditional Access policies, MFA requirements, and Azure AD authentication entirely. Understanding why server-side RCE renders identity controls irrelevant is essential for accurate risk assessment.
Pwn2Own Berlin 2026 Closes: DEVCORE Wins Master of Pwn with $505K and 50.5 Points — $1.3M Total Across 47 Zero-Days
Pwn2Own Berlin 2026 concluded with DEVCORE Research Team winning the Master of Pwn title with $505,000 in earnings and 50.5 points, driven by Orange Tsai's Exchange SYSTEM RCE chain and consistent results across multiple targets. The three-day competition produced 47 unique zero-day vulnerabilities across enterprise products, cloud infrastructure, and AI tools, with $1,298,250 in total prize money awarded.
Pwn2Own Demonstrates Second Distinct SharePoint RCE Chain — Five Days After Patch Tuesday Fixed CVE-2026-40365
Researchers at Pwn2Own Berlin 2026 demonstrated a multi-bug SharePoint Server remote code execution chain that is entirely distinct from CVE-2026-40365, the SharePoint RCE patched in the 12 May Patch Tuesday. The new chain, targeting SharePoint's server-side processing pipeline, has no patch and will not receive one for up to 90 days.
Windows 11 Yielded Four Independent LPE Paths at Pwn2Own Berlin — Kernel Attack Surface Analysis
By the close of Pwn2Own Berlin 2026, researchers had demonstrated four separate, independently discovered privilege escalation paths from standard user to SYSTEM on fully patched Windows 11. Each exploited a different component and vulnerability class. The results indicate the Windows kernel and user/kernel boundary remain a consistently productive attack surface for skilled researchers.
AI Coding Environments Join Pwn2Own Target List: LM Studio and OpenAI Codex Exploited via Sandbox Escapes
Pwn2Own Berlin 2026 introduced an AI products category and saw both LM Studio and OpenAI Codex exploited on the same day through sandbox escapes and environment variable injection. The results raise urgent questions about the security of AI development tools running inside enterprise environments with access to code repositories, credentials, and production pipelines.
Pwn2Own Berlin 2026 Day 2: DEVCORE Chains Three Bugs for Exchange SYSTEM RCE — 15 Zero-Days and $385K Awarded
The second day of Pwn2Own Berlin saw DEVCORE's Orange Tsai chain three previously unknown vulnerabilities to achieve SYSTEM-level remote code execution on fully patched Microsoft Exchange Server, earning $200,000. Day 2 also featured Red Hat Enterprise Linux LPE, additional Windows 11 privilege escalation, and LM Studio AI exploitation across 15 unique zero-days.
VMware ESXi Cross-Tenant Code Execution Demonstrated at Pwn2Own Berlin — $200K Prize for Single-Bug Hypervisor Escape
STARLabs SG earned $200,000 at Pwn2Own Berlin 2026 for a single vulnerability enabling cross-tenant code execution on VMware ESXi, allowing code running in one virtual machine to execute in a separate guest VM on the same hypervisor host. The bug has not been assigned a CVE and will not be publicly disclosed for up to 90 days.
Pwn2Own Berlin 2026 Day 1: Windows 11 Hacked Three Times, Edge Sandbox Escaped for $175K — 24 Zero-Days Demonstrated
The first day of Pwn2Own Berlin 2026 saw researchers demonstrate 24 previously unknown vulnerabilities across Windows 11, Microsoft Edge, VMware Workstation, and Oracle VirtualBox. Windows 11 was compromised three separate times by different teams, and a full Microsoft Edge sandbox escape earned a $175,000 award. No CVE IDs have been assigned yet as vendors begin the 90-day remediation process.
Commentary tagged #pwn2own
The 90-Day Patch Clock Is a Threat Actor Countdown Timer — We Should Use It That Way
Pwn2Own's 90-day coordinated disclosure window is designed to give vendors time to patch. But for enterprise defenders, it is also a confirmed, public notice that specific classes of zero-day vulnerability exist in named products. Most organisations wait for the patch to act. The ones that prepare during the 90-day window have a meaningful advantage.
CipherWatch Editorial
Security Intelligence Platform
Hypervisor Escapes Should Change How Enterprise Architects Design Isolation — They Rarely Do
VMware ESXi cross-tenant code execution at Pwn2Own Berlin 2026 demonstrates again that virtualisation is not a security boundary. Yet enterprise architecture continues to treat hypervisor isolation as equivalent to physical isolation. The security implication of this assumption has been known for years and consistently under-acted upon.
CipherWatch Editorial
Security Intelligence Platform
AI at Pwn2Own Is an Admission: These Tools Were Never Secure
The addition of an AI products category at Pwn2Own Berlin 2026 — and its immediate success with five exploits across three vendors — is not evidence that AI tools are newly insecure. It is evidence that the security industry has finally started looking. The results are a lagging indicator of what has been deployed in enterprise environments for the past two years.
CipherWatch Editorial
Security Intelligence Platform
Pwn2Own Proves the Software Is Breakable. Enterprise Patching Pretends It Isn't.
Pwn2Own Berlin Day 1 saw Windows 11 compromised three separate times, Edge's sandbox escaped, and two hypervisors defeated. Vendors will patch the reported bugs within 90 days. The enterprise response to Pwn2Own results is almost universally: nothing. We treat demonstrated zero-days as vendor problems until they become CVEs, and we treat CVEs as patch management problems until they become incidents.
CipherWatch Editorial
Security Intelligence Platform