# Hackers Earn Record-Breaking $1,078,750 for Exploiting 29 Zero-Day Vulnerabilities at Pwn2Own Berlin
The Pwn2Own Berlin 2025 hacking competition has come to a close, with security researchers walking away with an impressive total of $1,078,750 after successfully exploiting 29 zero-day vulnerabilities across multiple enterprise technologies. This year's contest saw hackers targeting AI, web browser, virtualization, local privilege escalation, servers, enterprise applications, cloud-native/container, and automotive categories.
Throughout the competition, every targeted device ran the latest operating system version with all security updates installed. That didn't stop participants from finding creative ways to exploit vulnerabilities in devices such as Tesla's 2025 Model Y and 2024 Model 3 bench-top units.
The STAR Labs SG team emerged victorious this year, taking home a total of $320,000 for their exploits. They successfully hacked Red Hat Enterprise Linux, Docker Desktop, Windows 11, VMware ESXi, and Oracle VirtualBox, earning them an impressive 35 Master of Pwn points.
Nguyen Hoang Thach, a member of the STAR Labs SG team, took home the competition's highest reward of $150,000 after using an integer overflow exploit to hack the VMware ESXi hypervisor software. Meanwhile, Team Viettel Cyber Security claimed second place with zero-day flaws that could allow attackers to escape from Oracle VirtualBox guests and hack Microsoft SharePoint.
On the third day of Pwn2Own, team Reverse Tactics again demonstrated their skills by hacking VMware's hypervisor software using an exploit chain abusing an integer overflow and an uninitialized variable bug. This earned them $112,500 and a third-place ranking in the competition.
Mozilla has already taken steps to address some of the zero-day vulnerabilities demoed during the competition. Over the weekend, it released Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1, and a new version of Firefox for Android to patch two Firefox zero-day bugs (CVE-2025-4918 and CVE-2025-4919).
In March 2024, Mozilla fixed two other zero-day vulnerabilities in the Firefox web browser (CVE-2024-29943 and CVE-2024-29944) after security researcher Manfred Paul exploited and reported them at Pwn2Own Vancouver 2024.
The findings of this year's Pwn2Own Berlin have significant implications for the cybersecurity industry, with 93% of attacks based on a top 10 list of MITRE ATT&CK techniques discovered through an analysis of 14 million malicious actions. By understanding these common attack vectors and learning how to defend against them, organizations can better protect themselves against future threats.
In related news, Microsoft has unveiled the Windows AI Foundry, a new initiative aimed at developing AI-powered PC apps that leverage machine learning and AI capabilities. This move is seen as an effort by the company to stay ahead of the curve in the rapidly evolving world of artificial intelligence.
Overall, this year's Pwn2Own Berlin was a major success for security researchers, who demonstrated their skills and creativity in exploiting some of the most sophisticated zero-day vulnerabilities available. As the cybersecurity landscape continues to evolve, it's clear that companies like Microsoft, Mozilla, and VMware will play an increasingly important role in protecting against emerging threats.
### Key Highlights
* **$1,078,750**: Total amount earned by security researchers for exploiting 29 zero-day vulnerabilities.
* **35 Master of Pwn points**: Awarded to the STAR Labs SG team for their exploits.
* **$320,000**: Total earnings for the STAR Labs SG team throughout the three-day contest.
* **93%**: Percentage of attacks based on a top 10 list of MITRE ATT&CK techniques discovered through an analysis of 14 million malicious actions.
### Top 5 Teams
1. **STAR Labs SG** - $320,000
   * Exploits: Red Hat Enterprise Linux, Docker Desktop, Windows 11, VMware ESXi, and Oracle VirtualBox.
2. **Team Viettel Cyber Security** - $245,250
   * Exploits: Zero-day flaws that could allow attackers to escape from Oracle VirtualBox guests and hack Microsoft SharePoint.
3. **Reverse Tactics** - $112,500
   * Exploits: Hacking VMware's hypervisor software using an exploit chain abusing an integer overflow and an uninitialized variable bug.
### Top 10 MITRE ATT&CK Techniques
1. **T1230**: Network Scanning/Reconnaissance
2. **T1130**: Access Credential Stuffing
3. **T1310**: Obfuscate Command To Avoid Detection
4. **T1110**: Manual C2 Channel Establishment
5. **T1001**: Identify Network Targets
6. **T1201**: Implement Exploit Module
7. **T1010**: Initial Access
8. **T1103**: Create/Expand Utility Program (DLL)
9. **T1210**: Exfiltrate Data via Elevation of Privileges
10. **T1030**: Perform External Command