Researchers at the Pwn2Own Berlin 2026 hacking contest successfully compromised multiple fully patched high-value targets, including Microsoft Exchange, Microsoft Edge, Windows 11, Red Hat Enterprise Linux, and Nvidia AI tooling. The event, held this week at the OffensiveCon security conference in Berlin, once again exposed the fragility of even the most current software against determined and well-funded adversaries.
Organized by the Zero Day Initiative (ZDI), Pwn2Own is a global series of hacking competitions that challenge security experts to uncover zero-day vulnerabilities in widely used software. Successful exploits earn contestants cash rewards and the vulnerabilities are immediately disclosed to the affected vendors, who must patch them within a strict 90-day window before public disclosure. This Berlin edition marked the first time that AI developer tools were included as a target category, reflecting the industry’s growing concerns over machine learning supply chain vulnerabilities.
The Pwn2Own Contest Format
Pwn2Own Berlin operates under a time-boxed, live-attack format. Teams or individuals register in advance for specific targets and must demonstrate a working exploit chain in front of judges within a limited timeframe—typically 20 minutes. Successful compromises require a combination of technical skill, creativity, and luck, as the environments are fully patched with default configurations. Bonus prizes are awarded for evading mitigations such as sandbox escapes or kernel privilege escalation.
This year’s contest featured six distinct categories: web browsers, operating systems, enterprise software, virtualization, cloud platforms, and AI developer tools. Targets ranged from the ubiquitous Microsoft Office components to brand-new entrants like Nvidia’s CUDA toolkit and containerized AI workloads. Payouts exceeded $1 million in total, with the highest single reward reaching $200,000 for a complete exploit chain against Microsoft Exchange.
Microsoft Exchange Falls to Remote Code Execution
Once again, Microsoft Exchange proved to be a prime target. An attacker demonstrated a pre-authenticated remote code execution flaw that bypassed all existing patches. The exploit did not require any user interaction and worked against the default configuration of Exchange Server 2019 and 2026 (the latest on-premises release). While the technical specifics remain under embargo, the attack vector likely involved deserialization of untrusted data or a flaw in the HTTP protocol handler—two historically prolific bug classes in Exchange.
The ZDI confirmed that the exploit chained two distinct bugs: one for initial code execution and a second for elevation from Network Service to SYSTEM. This chaining lifted the prize to $200,000, making it the most lucrative demonstration of the contest. Microsoft has acknowledged the submission and is developing an out-of-band patch; historically, such Exchange vulnerabilities have been weaponized by nation-state actors within days of disclosure, putting immense pressure on security teams to apply the fix immediately.
Edge Browser Exploit with Sandbox Escape
Microsoft Edge, built on the Chromium engine, has become a hardened target thanks to its effective sandboxing and Enhanced Security Mode. Yet a competitor managed to escape the sandbox and execute arbitrary code in the context of the renderer process. The attack required the victim to visit a malicious website, but no further interaction—a classic one-click exploit.
The researcher exploited a type confusion bug in the JavaScript engine combined with a logic error in the browser’s inter-process communication (IPC) mechanism to break out of the sandbox. The sandbox escape alone earned a $60,000 prize. The bug bounty community will eagerly await the patch notes; such browser exploits are often leveraged in watering-hole attacks against corporate executives and journalists.
Windows 11 Privilege Escalation
Windows 11, Microsoft’s flagship operating system with enhanced security features like HVCI (memory integrity), didn’t escape unscathed. A local privilege escalation was demonstrated, allowing an attacker to go from a standard user account to SYSTEM privileges. The exploit targeted the Windows kernel driver for the NTFS file system, exploiting a race condition during file handle management.
Local privilege escalations are critical in post-exploitation scenarios, allowing attackers to disable security products, install persistent backdoors, and move laterally across an enterprise network. The Windows 11 exploit was particularly notable because it bypassed Kernel Control Flow Guard (kCFG) and could not be prevented by existing virtualization-based security features. Patches for this flaw are expected in the upcoming Patch Tuesday; in the interim, the ZDI advised administrators to enforce strict least-privilege access and monitor for anomalous file system operations.
Linux and Nvidia Tooling Under Fire
Red Hat Enterprise Linux 9.4 (RHEL) was compromised through a vulnerability in the CUPS printing system, a recurring theme from past contests. The researcher crafted a malicious printer description file that, when processed by CUPS, executed arbitrary code with root privileges. The attack required local network access to a vulnerable printer service. RHEL’s maintainers have been notified and an update is in the works.
Nvidia’s AI tooling also fell victim. A remote code execution flaw was found in the Nvidia Container Toolkit, which is widely used to manage GPU-accelerated containers for AI workloads. The exploit allowed a container escape, meaning an attacker could break out of a containerized AI development environment and access the host system. With the booming adoption of containerized AI training and inference pipelines, this vulnerability poses a significant risk to data centers and cloud providers. Nvidia confirmed the report and assigned it a CVSS score of 9.8, reflecting its criticality.
AI Developer Tools: A New Frontier
The inclusion of AI developer tools as a standalone category underscores the expanding attack surface of the AI ecosystem. Researchers targeted popular machine learning frameworks, including TensorFlow and PyTorch, along with infrastructure tools like MLflow and Kubeflow. One successful exploit involved a deserialization flaw in MLflow’s artifact handling, leading to remote code execution. Another team demonstrated a container escape via a misconfiguration in a Kubernetes pod running a popular large language model (LLM) inference server.
Perhaps most eye-opening was an attack against a hypothetical CI/CD pipeline for LLMs. By poisoning a publicly available model weight file, the attacker could inject a backdoor during fine-tuning, causing the model to output predetermined tokens when triggered by a specific phrase. While the demonstration was against a simulated environment, it highlights the real-world threat of model supply chain attacks—a risk that many organizations are only beginning to appreciate.
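The model supply chain risk described above (a poisoned weight file entering fine-tuning, or a deserialization flaw triggered while loading an artifact) can be reduced at the point where a file enters the pipeline. The following is an added example, not code from the article, ZDI, or any vendor: it pins artifacts to SHA-256 digests recorded when a release was vetted and refuses pickle-based formats outright. The manifest, file names and contents are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Formats loaded via pickle-style deserialization: a poisoned file can run code
# at load time, so reject them regardless of digest. Assumption: the pipeline
# accepts safetensors only. File names and contents below are constructed.
PICKLE_FORMATS = {".bin", ".pt", ".pth", ".pkl", ".ckpt"}

def sha256_file(path: str) -> str:
    """Stream the file so large checkpoints need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_artifact(path: str, manifest: dict) -> tuple:
    """Return (accepted, reason) for one weight file against the pinned manifest."""
    name = os.path.basename(path)
    if os.path.splitext(name)[1].lower() in PICKLE_FORMATS:
        return False, f"{name}: pickle-based format refused"
    expected = manifest.get(name)
    if expected is None:
        return False, f"{name}: not in pinned manifest"
    if not hmac.compare_digest(sha256_file(path), expected):
        return False, f"{name}: digest mismatch, possible tampering"
    return True, f"{name}: digest verified"

def demo() -> dict:
    """Constructed scenario: vetted file, tampered mirror copy, pickle, unknown."""
    good = b"constructed safetensors bytes v1"
    # Digest pinned when the release was vetted (here computed from the known-good bytes).
    manifest = {"adapter.safetensors": hashlib.sha256(good).hexdigest()}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "mirror"))
        cases = {
            "vetted": (os.path.join(d, "adapter.safetensors"), good),
            "tampered": (os.path.join(d, "mirror", "adapter.safetensors"), good + b"\0"),
            "pickle": (os.path.join(d, "adapter.bin"), good),
            "unknown": (os.path.join(d, "extra.safetensors"), good),
        }
        for label, (path, data) in cases.items():
            with open(path, "wb") as fh:
                fh.write(data)
            accepted, reason = check_artifact(path, manifest)
            results[label] = (accepted, reason)
    return results
```

Only the vetted copy is accepted; a single appended byte in the mirror copy, an unlisted file, or a pickle-based format is rejected before anything is deserialized.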
Responsible Disclosure and Patch Timelines
All winning exploits are immediately disclosed to the respective vendors under ZDI’s coordinated vulnerability disclosure policy. Vendors have 90 days to produce a fix; if they fail to do so, ZDI may publicly disclose limited technical details to urge users toward mitigations. In past contests, Microsoft and Red Hat have been among the fastest to respond, often releasing patches within 30–60 days. However, Exchange vulnerabilities—given their history—may receive an out-of-band patch within two weeks.
The pressure is immense. Exploits disclosed through Pwn2Own are considered “zero-day” for the duration of the patch gap. During this window, organizations are advised to implement workarounds such as disabling unnecessary features, applying host-based intrusion prevention rules, and closely monitoring logs for indicators of compromise. For the Exchange bug, ZDI recommended enabling Extended Protection and removing external access until a patch is available, though these mitigations may not fully protect against the chained exploit.
Implications for Enterprise Security
Pwn2Own Berlin 2026 delivers a sobering message to IT decision-makers: even fully patched, best-practice-configured systems from the world’s largest software vendors can be compromised by skilled adversaries. The chained exploits against Exchange and Windows 11 in particular underscore how layered attacks—remote code entry followed by local privilege escalation—can dismantle defenses that are often assumed to be impermeable.
For enterprise security teams, the event reinforces the principle of defense in depth. No single tool, patch, or configuration should be considered a silver bullet. Continuous red teaming, strict access controls, network segmentation, and robust incident response capabilities are essential. Moreover, the rising threat to AI pipelines demands that organizations extend traditional security practices to their data science infrastructure: model registries, training datasets, and container orchestration platforms must be treated as critical production assets.
Looking Ahead
The 2026 Berlin edition of Pwn2Own once again demonstrated the critical role that security research plays in hardening global software. The discovered vulnerabilities will soon be patched, making the digital ecosystem safer for all. Yet the cat-and-mouse game continues. As defenders adapt, so too do attackers—shifting their focus to new frontiers like AI supply chains, cloud-native tooling, and ubiquitous IoT devices.
The ZDI has already announced the next Pwn2Own event in Toronto for October 2026, with an expanded lineup that will include consumer-grade routers and smart home hubs. For enterprise security teams, the lesson is clear: assume breach, validate often, and never stop patching. The full technical details and whitepapers for this Berlin event will be published on the ZDI blog after the embargo period, typically coinciding with vendor patch releases.