Microsoft Exchange zero-day exploit headlines Pwn2Own Berlin Day Two

On May 15, 2026, security researchers demonstrated multiple successful exploits during Day Two of Pwn2Own Berlin 2026, an enterprise-focused hacking competition run by the Zero Day Initiative.

What happened

The day produced $385,750 in awards for 15 unique zero-day vulnerabilities, bringing the two-day event total to $908,750 across 39 unique vulnerabilities. The results noted, “Orange Tsai (@orange_8361) of DEVCORE Research Team chained 3 bugs to achieve Remote Code Execution as SYSTEM on Microsoft Exchange, earning $200,000 and 20 Master of Pwn points.”

Other successful demonstrations included privilege escalation on Red Hat Enterprise Linux for Workstations by Ben Koo of Team DDOS, privilege escalation on Microsoft Windows 11 by Siyeon Wi, and an exploit of NVIDIA Container Toolkit by 0xDACA and Noam Trobishi. Researchers also exploited AI and developer tools, including Cursor, OpenAI Codex, LM Studio, Ollama, and LiteLLM, although some attempts involved vulnerability collisions or reduced payouts.

The bigger picture

The Microsoft Exchange exploit at Pwn2Own Berlin was a controlled demonstration against software that sits at the center of enterprise email, identity, scheduling, attachments, and internal trust. Zero Day Initiative confirmed that Orange Tsai of DEVCORE chained three bugs to achieve remote code execution as SYSTEM on Microsoft Exchange, earning $200,000. For a healthcare organization, an Exchange-level weakness is a concern because email systems often carry referrals, invoices, credentials, attachments, vendor communications, and protected health information.

Microsoft’s own 2021 Exchange disclosure shows the risk pattern clearly: exploited Exchange flaws gave attackers access to email accounts and allowed the installation of additional malware for long-term access. An FBI and CISA joint advisory previously warned that successful Exchange exploitation can allow persistent system access and control of an enterprise network, exposing personally identifiable information and sensitive data.

Paubox’s 2025 mid-year healthcare email security report adds the bigger picture: 107 email-related healthcare breaches had already occurred in 2025, 52% involved Microsoft 365, and 79% of breached domains had ineffective DMARC protection. The contest rules require successful entries to compromise the target and demonstrate arbitrary code execution, with vulnerability details provided to the organizer after the demonstration. Pwn2Own results therefore show real weaknesses in fully patched products before public technical details or vendor fixes become available.

FAQs

What is a zero-day vulnerability?

A zero-day vulnerability is a software flaw attackers can exploit before the vendor has released a fix.

What is a patch?

A patch is a software update released to fix security flaws, bugs, or performance problems.

What is privilege escalation?

Privilege escalation happens when an attacker gains higher-level access, such as moving from a regular user account to an administrator account.
