Pwn2Own Berlin 2026 Day 2: Exchange, Windows 11, and RHEL Compromised
The second day of Pwn2Own Berlin 2026 delivered another impressive haul of zero-day vulnerabilities, with competing security researchers collectively demonstrating 15 unique zero-day exploits and walking away with $385,750 in cash prizes. High-profile targets including Microsoft Exchange, Windows 11, and Red Hat Enterprise Linux for Workstations all fell to researchers during the day's competition.
Pwn2Own, organized by Trend Micro's Zero Day Initiative (ZDI), is one of the premier hacking competitions in cybersecurity. The Berlin edition draws elite vulnerability researchers from around the world, and every demonstrated vulnerability is reported to the affected vendor under ZDI's coordinated disclosure process with its 90-day patch window.
Day 2 Results Summary
| Target | Vulnerability Type | Status | Prize |
|---|---|---|---|
| Microsoft Exchange | Remote Code Execution | Pwned | High-value |
| Windows 11 | Privilege Escalation | Pwned | High-value |
| Red Hat Enterprise Linux (Workstations) | Kernel exploit (0-day) | Pwned | High-value |
| Multiple additional targets | Various | Pwned | Distributed |
Day 2 totals: 15 unique zero-days demonstrated, $385,750 awarded to researchers.
Microsoft Exchange Compromised via RCE
One of the headline achievements on day two was the successful exploitation of Microsoft Exchange via a remote code execution zero-day. Exchange is a perennially high-value target at Pwn2Own due to its widespread deployment in enterprise environments and the significant impact of a successful RCE against it.
The successful Exchange exploit demonstrated on day two involved a chained attack combining multiple vulnerabilities to achieve code execution on the Exchange server. As with all Pwn2Own results, full technical details are withheld under responsible disclosure — Microsoft has 90 days to develop and release a patch before ZDI publishes a full advisory.
Exchange vulnerabilities are of particular concern to the cybersecurity community given the platform's history of high-impact flaws (including ProxyLogon, ProxyShell, and ProxyNotShell) and the sensitive data — emails, calendar data, contacts — it hosts for enterprise users.
Windows 11 Privilege Escalation
Windows 11 was also successfully exploited, with researchers demonstrating a privilege escalation zero-day that allows an attacker with a limited user account to elevate to SYSTEM-level privileges. This class of vulnerability is frequently used as the second stage in attack chains: an initial foothold via phishing or another vector is combined with a local privilege escalation to achieve full machine control.
Multiple teams targeted Windows 11 during day two, reflecting the continued interest from the research community in Microsoft's flagship operating system as a high-reward target.
Red Hat Enterprise Linux Falls to Kernel Exploit
Red Hat Enterprise Linux (RHEL) for Workstations was added to the growing list of compromised targets, with a researcher demonstrating a kernel-level exploit that achieves privilege escalation on the platform. Linux kernel vulnerabilities demonstrated at Pwn2Own represent a significant class of finding, given the platform's dominance in server and enterprise workstation environments.
Running Pwn2Own Berlin 2026 Scoreboard
With day two's results added to day one's findings, Pwn2Own Berlin 2026 is shaping up to be one of the most prolific editions of the competition in recent years. The cumulative prize pool and zero-day count reflect both the sophistication of participating researchers and the continued presence of exploitable vulnerabilities in widely deployed enterprise software.
Key observations from the competition so far:
- Microsoft products remain heavily targeted — Exchange and Windows are perennial high-value targets given their enterprise prevalence and the significant bounties they command
- Linux kernel security continues to attract serious research focus, reflecting the platform's growing importance as a server and cloud workstation target
- Chained exploits dominate the competition — the most sophisticated entries combine multiple vulnerabilities in sequence to achieve impact greater than any single bug would allow
- The 90-day disclosure timeline means affected vendors have until mid-August 2026 to patch all demonstrated vulnerabilities before public technical details are released
What Happens After Pwn2Own
The Zero Day Initiative's responsible disclosure process ensures that Pwn2Own results benefit the broader security ecosystem:
- Immediate notification: Vendors are notified of all demonstrated vulnerabilities within hours of the competition
- 90-day patch window: Vendors have 90 days to develop and release patches
- ZDI advisory publication: After the patch window, ZDI publishes full technical advisories regardless of whether a patch was released
- Patch Tuesday inclusion: Microsoft typically includes patches for Pwn2Own-discovered vulnerabilities in their regular Patch Tuesday releases
Organizations running Microsoft Exchange or Windows 11 should monitor the upcoming Patch Tuesday releases — June and July 2026 — for security updates addressing Pwn2Own-discovered vulnerabilities, and prioritize deployment when they become available.
Historical Context
Pwn2Own has served as a leading indicator of vulnerability research directions and attack surface complexity since its inaugural edition in 2007. Notable past achievements include:
- The first demonstrated iPhone exploit (2007)
- Multiple browser zero-days that prompted rapid vendor patches
- VMware hypervisor escapes demonstrating virtualization security risks
- Industrial control system exploits highlighting OT/ICS security gaps
The competition's structure — requiring live demonstrations against fully patched, default-configured targets — ensures that demonstrated vulnerabilities represent genuine, practically exploitable security issues rather than theoretical attack vectors.
Recommendations for Enterprise Defenders
While Pwn2Own vulnerabilities are covered by responsible disclosure and not immediately weaponizable by attackers, organizations should:
- Prioritize patching Microsoft Exchange when the June/July 2026 Patch Tuesday releases address Pwn2Own findings
- Review Windows 11 privilege escalation mitigations — ensure endpoint detection and response (EDR) solutions are configured to alert on privilege escalation patterns
- Monitor ZDI advisories for technical details once the 90-day disclosure window closes
- Test patch deployment pipelines now, so security updates for these high-severity findings can be applied rapidly when released
- Subscribe to vendor security advisories for Microsoft and Red Hat to receive patch notifications immediately upon release
Key Takeaways
- Pwn2Own Berlin 2026 Day 2 saw 15 zero-days demonstrated and $385,750 in prizes awarded
- Microsoft Exchange was successfully exploited via a chained RCE zero-day — patches expected within 90 days
- Windows 11 fell to a privilege escalation zero-day — expect a Patch Tuesday fix in the coming weeks
- Red Hat Enterprise Linux (Workstations) was also exploited via a kernel-level vulnerability
- Responsible disclosure ensures vendors have 90 days to patch — monitor June/July 2026 Patch Tuesday for Exchange and Windows fixes