Pwn2Own Berlin 2025: the most surprising hacks and record prizes for advanced IT security
Zero-day discoveries on critical systems, innovative exploits in AI and virtualization, and million-dollar rewards that mark a new era in cybersecurity for advanced IT professionals
The Pwn2Own Berlin 2025 hacking competition, hosted as part of OffensiveCon from May 15 to 17, 2025, kicked off with spectacular results. On the first day alone, notable exploits were demonstrated against some of the most widely used platforms in the IT and business world, such as Windows 11, Red Hat Enterprise Linux, and Oracle VirtualBox, with $260,000 in prizes distributed. The participating hackers showcased zero-day vulnerabilities that allow privilege escalation and unauthorized access to sensitive data, confirming the critical need to continually strengthen the security of the most popular systems.
Successful Red Hat Linux exploits, reduced rewards for known bugs
The DEVCORE team, represented by researcher Pumpkin, kicked things off by demonstrating an exploit on Red Hat Linux that used an integer overflow to gain local administrative privileges, earning a $20,000 prize. In parallel, Hyunwoo Kim and Wongi Lee of Theori gained root access by chaining a use-after-free vulnerability with an information leak, but since one of the bugs was already known (an N-day), the prize was reduced to $15,000. These exploits highlight how weaknesses in Linux system components can compromise even robust enterprise environments, something that those involved in security and system integration should consider carefully.
Three new exploits breach Windows 11, and Oracle VirtualBox also falls
Windows 11 suffered three separate attacks: Chen Le Qi of STARLabs SG chained a use-after-free with an integer overflow to escalate to SYSTEM privileges, earning a $30,000 bounty. Marcin Wiązowski earned the same amount for an exploit based on an out-of-bounds write, while Hyeonjin Choi earned $15,000 for an exploit based on a type confusion bug. Oracle VirtualBox was no exception: the Prison Break group demonstrated an integer overflow attack that escaped the guest sandbox and executed code on the host, earning a $40,000 bounty. These results highlight the importance of integrating advanced control and mitigation mechanisms, especially in modern virtualization software and operating systems.
AI innovations, record prizes and future challenges in IT security
The new category dedicated to artificial intelligence was a first: Sina Kheirkhah of the Summoning team became its inaugural winner by exploiting a flaw in the Chroma platform, taking a prize of $20,000. Later, he also demonstrated an exploit on the NVIDIA Triton Inference Server, but because the bugs were already known, the payout was reduced to $15,000. Closing the first day, STARLabs SG won the richest prize of $60,000, thanks to a use-after-free in the Linux kernel that allowed an escape from Docker Desktop and code execution on the host. With over a million dollars up for grabs and critical technologies such as containers, AI, virtualization and even automotive in scope, the competition continues with challenges on SharePoint, VMware ESXi and Firefox, while targets such as Tesla remain unattempted, offering essential insights for those working in the integration and management of complex enterprise systems.
05/16/2025 19:14
Marco Verro