
Security Researchers Uncover 47 Zero-Days at Pwn2Own Berlin


Forty-seven previously unknown vulnerabilities were demonstrated and rewarded at Pwn2Own Berlin, with security researchers collecting nearly $1.3 million across a three‑day competition held May 14–16.

Prizes, winners and the Devcore sweep

The event, sponsored by TrendAI’s Zero Day Initiative (ZDI), awarded close to $1.3m in total prize money. The Devcore Research Team was the top‑earning competitor, claiming $505,000 in prize money. Individual headline payouts included $200,000 awarded to Nguyen Hoang Thach of STARLabs SG for a memory corruption exploit against VMware ESXi (with the cross‑tenant code execution add‑on), $100,000 to “splitline” of Devcore for a chained pair of bugs in Microsoft SharePoint, and two $200,000 awards to Devcore’s Orange Tsai, one for chained bugs achieving remote code execution as SYSTEM on Microsoft Exchange and one for other high‑value work. Orange Tsai also earned $175,000 for chaining four logic bugs to escape the Microsoft Edge sandbox.

Enterprise and AI targets: what teams attacked

This edition of the long‑running contest emphasized enterprise deployments and artificial intelligence tooling. Organizers listed AI databases — Chroma, Postgres pgvector and Oracle Autonomous AI Database — among targeted products. For the first time, coding agents were included as explicit targets: Cursor, Claude Code and OpenAI Codex were part of the challenge set. ZDI additionally noted the presence of numerous LLM projects including Ollama, LiteLLM, LM Studio and Llama.cpp.

Coding agents, attack surface and the rules of engagement

Organizers framed coding agents as a core focus. Dustin Childs, ZDI head of threat awareness, drew attention to developer habits and the security of the tools that enable them: “At some point or another, we’ve probably all vibe coded something. There’s no shame in that, but how secure are the tools we use for vibe coding?” The contest required that successful entries interact with a contestant‑controlled resource — “e.g. web page, repository, media file” — and that the attack vector reflect a common coding agent use case. That constraint directed teams toward realistic, developer‑facing exploitation scenarios rather than artificial demonstrations.

NVIDIA and local inference: hardware and containers on the table

Competitors also tested NVIDIA‑adjacent technology. The organizers listed attempts against Megatron Bridge, the NV Container Toolkit, and Dynamo offerings. Local inference and on‑premise AI stacks were explicitly in scope, aligning the event’s enterprise emphasis with the reality that organizations increasingly run AI workloads inside their own environments.

What this means for technologists, affected enterprises, and AI tool builders

  • Technologists and security teams: ZDI’s 90‑day disclosure window gives these teams a concrete timeline: newly reported bugs should appear in vendor updates within that window, or be publicly disclosed by ZDI if no patch is released.
  • Affected enterprises and procurement leaders: the competition’s focus on AI databases, coding agents and NVIDIA components signals which product classes were tested at scale; procurement teams should expect disclosures tied to those classes and plan patch and mitigation timelines accordingly.
  • AI tool builders and vendor teams: products named as targets — from Chroma and Postgres pgvector to coding agents like Cursor, Claude Code and OpenAI Codex — were evaluated under real‑world interaction constraints. Vendors will have the 90‑day period to remediate issues before public disclosure, and those timelines will determine when fixes must reach customers.

All newly discovered vulnerabilities will be responsibly disclosed to vendors so they can be built into security updates; vendors have 90 days to release security patches before ZDI makes public disclosures. The practical result is a steady cadence of fixes and advisories tied to the competition’s findings: high‑value payouts rewarded demonstrated exploits, and the rules pushed researchers toward attack methods that mirror real operational use cases.

Pwn2Own Berlin combined high dollar incentives with a focused attack surface — enterprise AI, coding agents, local inference stacks and select vendor tooling — and the results will translate into a set of vendor disclosures and, ultimately, patches to watch for over the coming weeks and months. How quickly vendors respond within the 90‑day disclosure window will determine when those mitigations reach users and fleets.

Original story: https://www.infosecurity-magazine.com/news/security-researchers-47-zerodays/