Pwn2Own Berlin 2026 competitors demonstrated 15 previously unknown zero-day vulnerabilities across enterprise and consumer products on day two of the competition, earning $385,750 in total bounties.

Researchers successfully exploited Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux for Workstations. The vulnerabilities ranged from local privilege escalation flaws to remote code execution bugs that attackers could chain together for complete system compromise.

Pwn2Own competitions serve as controlled environments where security researchers disclose critical flaws privately to vendors before any public disclosure. The event creates competitive pressure that accelerates vulnerability discovery and exploit development. Each zero-day demonstration gives vendors the technical details they need to patch before the same weaknesses are exploited in production environments.

Windows 11 exploits typically target kernel-level code execution or firmware-level access, giving attackers the ability to bypass security controls and persist undetected. Microsoft Exchange vulnerabilities remain high-value targets because the platform handles email infrastructure for government agencies and large enterprises. Red Hat Enterprise Linux for Workstations represents another enterprise-critical system where privilege escalation flaws can compromise sensitive infrastructure.

The $385,750 distributed across day two indicates individual vulnerabilities carried substantial bounties, reflecting their severity and exploitability. Pwn2Own organizers price vulnerabilities based on the attack complexity, privileges required, and affected user base. Critical remote code execution flaws in widely deployed systems command the highest rewards.

These demonstrations underscore a persistent reality for security teams. Zero-days continue emerging in mature, heavily audited products that organizations consider foundational. The volume and quality of exploits at Pwn2Own suggest attackers operating outside the event possess comparable or superior capabilities.

Vendors typically receive 90 days from responsible disclosure to patch confirmed vulnerabilities before public details emerge. Organizations running vulnerable versions of Windows 11, Exchange, or RH