The first day of Pwn2Own Berlin 2025 saw security researchers unleash a barrage of devastating exploits on Windows 11, Red Hat Linux, and Oracle VirtualBox. The competition, which focuses on enterprise technologies and introduces an AI category, aims to identify and exploit zero-day vulnerabilities in various software products.
The first to fall victim to the attacks was Red Hat Enterprise Linux for Workstations, which was compromised by DEVCORE Research Team's Pumpkin. The researchers successfully exploited a local privilege escalation vulnerability, earning $20,000 in the process. This marked the beginning of a chaotic day, as other teams soon followed suit.
Hyunwoo Kim and Wongi Lee of Team Red Hat took turns demonstrating exploits on Red Hat Linux devices. They successfully chained a use-after-free vulnerability with an information leak to gain root access on a device. However, one of the exploited flaws was an N-day vulnerability, which led to a bug collision. Despite this setback, they still managed to earn $15,000 for their efforts.
Meanwhile, Chen Le Qi of STARLabs SG demonstrated an exploit chain combining a use-after-free and an integer overflow vulnerability to escalate privileges to SYSTEM on a Windows 11 system. This earned him $30,000 in the competition.
Windows 11 was hacked twice more, by Marcin Wiązowski and Hyeonjin Choi. The first exploit used an out-of-bounds write vulnerability to gain SYSTEM privileges. The second demonstrated a type confusion zero-day, which also allowed the attackers to reach SYSTEM level.
Team Prison Break earned $40,000 after demoing an exploit chain that used an integer overflow to escape Oracle VirtualBox and execute code on the underlying operating system.
STARLabs SG's Billy and Ramdhan took part in demonstrations of a Chroma zero-day and of an already known vulnerability in Nvidia's Triton Inference Server. Their efforts earned them $35,000 each.
Meanwhile, another team from STARLabs SG, consisting of Billy and Ramdhan, escaped Docker Desktop and executed code on the underlying OS using a use-after-free zero-day. This impressive feat earned them $60,000.
The Pwn2Own Berlin 2025 competition will continue with security researchers targeting fully patched products in various categories, including Microsoft SharePoint, VMware ESXi, Mozilla Firefox, and Oracle VirtualBox. Contestants will earn over $1,000,000 in cash and prizes.
**When:** May 15-17, 2025
**Where:** Berlin, Germany (at the OffensiveCon conference)
**What to Expect:**
* Security researchers competing to exploit zero-day vulnerabilities in enterprise technologies
* Demonstrations of exploits in AI, web browser, virtualization, local privilege escalation, servers, enterprise applications, cloud-native/container, and automotive categories
* Earn cash and prizes over $1,000,000
**Prizes:**
* Red Hat Enterprise Linux for Workstations: $20,000 (Pumpkin)
* Red Hat Linux: $15,000 (Hyunwoo Kim and Wongi Lee)
* Windows 11: $30,000 (Chen Le Qi) + $50,000 (Marcin Wiązowski) + $30,000 (Hyeonjin Choi)
* Oracle VirtualBox: $40,000 (Team Prison Break)
Stay tuned for more updates on Pwn2Own Berlin 2025!