PWN 2Own Berlin 2026, Day Two, saw researchers earn $385,750 after demonstrating 15 unique zero-days, bringing the running total to $908,750 and 39 vulnerabilities disclosed over two days, with one day remaining. Microsoft Exchange and Windows 11 were among the targets exploited, alongside Red Hat Enterprise Linux for Workstations, as fully patched systems still revealed serious vulnerabilities.
Orange Tsai of DEVCORE Research Team chained three bugs to achieve Remote Code Execution as SYSTEM on Microsoft Exchange, earning $200,000 and 20 Master of Pwn points. Siyeon Wi earned $7,500 for a Windows 11 privilege escalation flaw caused by an integer overflow, while Ben Koo of Team DDOS earned $10,000 for a Red Hat Enterprise Linux for Workstations use-after-free privilege escalation. Byung Young Yi targeted LiteLLM, earning $17,750 and 3.75 Master of Pwn points after a collision with a prior entry.
Compass Security earned $15,000 for exploiting the AI-powered code editor Cursor, underscoring ongoing risks in AI-assisted developer tools.