Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1814+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Hackers Earn $1,298,250 for 47 Zero-Days at Pwn2Own Berlin
Hackers Earn $1,298,250 for 47 Zero-Days at Pwn2Own Berlin
NEWS

Hackers Earn $1,298,250 for 47 Zero-Days at Pwn2Own Berlin

Pwn2Own Berlin 2026 has concluded with security researchers earning over $1.29 million in prizes after successfully exploiting 47 zero-day vulnerabilities...

Dylan H.

News Desk

May 18, 2026
4 min read

Pwn2Own Berlin 2026 has wrapped up, with security researchers collectively earning $1,298,250 in prize money after exploiting 47 previously unknown zero-day vulnerabilities across a wide range of enterprise and consumer targets. The contest — organized by Trend Micro's Zero Day Initiative (ZDI) — ran for three days and drew top vulnerability researchers from around the world.

The Numbers

MetricValue
Total prizes awarded$1,298,250
Zero-day vulnerabilities exploited47
Contest duration3 days
LocationBerlin, Germany

The $1.29 million payout places Pwn2Own Berlin 2026 among the highest-earning contests in the event's history, reflecting both the difficulty of the targets and the skill of participating researchers.

What Was Exploited

Pwn2Own Berlin 2026 featured categories spanning enterprise platforms, browsers, virtualization, operating systems, and — in an expansion reflecting the current threat landscape — AI and machine learning products. Confirmed targets that fell during the contest include:

  • Microsoft Windows — Multiple privilege escalation and kernel-level exploits
  • VMware Workstation / ESXi — Virtualization escape vulnerabilities
  • Mozilla Firefox — Browser memory corruption leading to sandbox escape
  • Enterprise software — Including widely deployed server-side platforms
  • AI/ML products — A new category added to reflect the growing attack surface of AI tooling in enterprise environments

The inclusion of AI products as an explicit category signals ZDI's recognition that AI-integrated enterprise tools now carry significant security risk — a concern echoed by CISA and major security vendors throughout 2026.

Master of Pwn

Each successful exploit earns the competing team points toward "Master of Pwn" — the overall champion of the contest. Teams accumulate points based on the difficulty of the exploit, the number of vulnerabilities chained, and the criticality of the target. Full results including the Master of Pwn ranking were being tabulated at time of writing.

What Happens to the Bugs

All vulnerabilities demonstrated at Pwn2Own are disclosed to the affected vendors under the Zero Day Initiative's coordinated disclosure process. Vendors typically receive 90 days to issue patches before ZDI publishes the technical details publicly. This process has resulted in patches for hundreds of previously unknown zero-days over the contest's history.

For the 47 bugs demonstrated at Berlin 2026, affected vendors — including Microsoft, VMware, Mozilla, and others — now have active vulnerability reports on file and the clock is running on their 90-day disclosure windows.

Why Pwn2Own Results Matter for Security Teams

Pwn2Own is not simply a hacking competition. The vulnerabilities demonstrated at the contest represent real flaws in production software that, while unknown to attackers today, will become known once vendor patches are released. Security teams should:

  1. Watch ZDI advisories — As vendors patch vulnerabilities demonstrated at Berlin 2026, ZDI will publish advisories. Patch immediately upon release.
  2. Prioritize virtualization security — VMware escapes at Pwn2Own historically translate into real-world exploitation within months, particularly by ransomware groups targeting virtualized infrastructure.
  3. Monitor browser patching — Firefox zero-days from Pwn2Own contests have a history of rapid weaponization; treat browser patches post-Pwn2Own as emergency updates.
  4. Assess AI product exposure — If your organization uses AI/ML products in enterprise environments, evaluate whether those products appeared in the Pwn2Own target list and apply patches from those vendors as a priority.

Historical Context

Pwn2Own has been running since 2007. Berlin 2026 continues a pattern of escalating prize pools and vulnerability counts, reflecting both the maturation of the vulnerability research community and the growing complexity (and attack surface) of enterprise software stacks. The $1.29 million in prizes at Berlin surpasses several prior contests and underscores ZDI's investment in incentivizing responsible disclosure of high-impact vulnerabilities.

References

  • BleepingComputer — Hackers earn $1,298,250 for 47 zero-days at Pwn2Own Berlin 2026
  • Zero Day Initiative — Pwn2Own Berlin 2026
  • Trend Micro ZDI Advisories

Related Reading

  • Microsoft Exchange, Windows 11 Hacked on Second Day of
  • Google: 90 Zero-Days Exploited in 2025 — Enterprise Tech
  • Disgruntled Researcher Leaks BlueHammer Windows Zero-Day
#Zero-Day#Pwn2Own#Vulnerability Research#Bug Bounty#Windows#VMware

Related Articles

Microsoft Exchange, Windows 11 Hacked on Second Day of Pwn2Own

On day two of Pwn2Own Berlin 2026, competitors demonstrated 15 unique zero-day vulnerabilities and collected $385,750 in awards, successfully exploiting...

6 min read

CISA: Windows BlueHammer Flaw Now Exploited by Ransomware Gangs

CISA has confirmed that ransomware gangs are actively exploiting BlueHammer, a Microsoft Defender privilege escalation vulnerability previously used in...

4 min read

Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows

Anonymous researcher Chaotic Eclipse released a PoC exploit for a new Microsoft Defender zero-day named RoguePlanet. The race condition flaw grants SYSTEM...

5 min read
Back to all News