Hackers Exploit VMware ESXi, Microsoft SharePoint Zero-Days at Pwn2Own
The second day of the highly anticipated Pwn2Own Berlin 2025 hacking competition has come to a close, with competitors earning a total of $435,000 for exploiting zero-day bugs in multiple products. The highlight of the day was a successful attempt by Nguyen Hoang Thach of STAR Labs SG against VMware ESXi, which earned him a staggering $150,000 for an integer overflow exploit.
Multiple Zero-Days Exploited Across Various Products
In addition to the VMware ESXi exploit, other competitors also made headlines by exploiting zero-day bugs in Microsoft SharePoint, Oracle VirtualBox, Red Hat Enterprise Linux, and Mozilla Firefox. Dinh Ho Anh Khoa of Viettel Cyber Security earned $100,000 for hacking Microsoft SharePoint using an exploit chain that combined an authentication bypass and an insecure deserialization flaw.
Out-of-Bounds Write Exploits and Use-after-Free Bugs
Gerrard Tai of STAR Labs SG demonstrated an out-of-bounds write zero-day in Mozilla Firefox, while Viettel Cyber Security used another out-of-bounds write to achieve a guest-to-host escape in Oracle VirtualBox. Meanwhile, Edouard Bochin and Tao Yan of Palo Alto Networks also showcased an out-of-bounds write zero-day in Mozilla Firefox.
AI Category Makes Debut at Pwn2Own Berlin 2025
The Pwn2Own Berlin 2025 competition also introduced an AI category for the first time. Wiz Research security researchers used a use-after-free zero-day to exploit Redis, and Qrious Secure chained four security flaws to hack Nvidia's Triton Inference Server.
Competitors Earning Big Bucks
On the first day of the contest, competitors earned $260,000 after successfully exploiting zero-day vulnerabilities in Windows 11, Red Hat Linux, and Oracle VirtualBox. This brings the total earnings over the first two days to a whopping $695,000.
Pwn2Own Berlin 2025: A Focused Contest on Enterprise Technologies
The Pwn2Own Berlin 2025 hacking competition focuses specifically on enterprise technologies, with a prize pool of over $1 million for demonstrating zero-day bugs in fully patched products. The competition takes place during the OffensiveCon conference between May 15 and May 17.
Security Researchers Earning Big Rewards
Security researchers will be able to earn significant rewards for demonstrating zero-day bugs in various categories, including AI, web browser, virtualization, local privilege escalation, servers, enterprise applications, cloud-native/container, and automotive. However, no Tesla attempts were registered before Pwn2Own started, despite two 2025 Tesla Model Y and 2024 Tesla Model 3 bench-top units being made available as targets.
Upcoming Exploits and Disclosures
On the last day of the contest, hackers will attempt to exploit zero-day bugs in Windows 11, Oracle VirtualBox, VMware ESXi, VMware Workstation, Mozilla Firefox, as well as Nvidia's Triton Inference Server and Container Toolkit. After zero-day exploits are disclosed during the Pwn2Own contest, vendors have 90 days to release security fixes for their software and hardware products before Trend Micro's Zero Day Initiative publishes technical details.
Defending Against Zero-Day Exploits
The Pwn2Own Berlin 2025 competition provides valuable insights into zero-day exploits and how to defend against them. A recent analysis found that the top 10 MITRE ATT&CK techniques are behind 93% of attacks. By understanding these techniques and implementing effective security measures, organizations can reduce the risk of falling victim to zero-day exploits.