Windows 11 and Red Hat Linux Exploited on Opening Day of Pwn2Own Conference

On the inaugural day of Pwn2Own Berlin 2025, security researchers successfully showcased zero-day exploits targeting Windows 11, Red Hat Linux, and Oracle VirtualBox, earning a total of $260,000 in bounties.

Red Hat Enterprise Linux for Workstations was the first platform compromised, as the DEVCORE Research Team’s Pumpkin exploited an integer overflow vulnerability, securing a $20,000 reward. Subsequently, researchers Hyunwoo Kim and Wongi Lee also gained root access on a Red Hat Linux device by chaining a use-after-free exploit with an information leak, although one of the vulnerabilities they used was classified as an N-day, which resulted in a bug collision.

Following this, Chen Le Qi from STARLabs SG earned $30,000 for an exploit chain that combined a use-after-free with an integer overflow to escalate privileges to SYSTEM on a Windows 11 machine. Windows 11 was compromised two more times, with Marcin Wiązowski exploiting an out-of-bounds write vulnerability and Hyeonjin Choi demonstrating a type confusion zero-day for SYSTEM access.

Moreover, Team Prison Break received $40,000 for a chained exploit that utilized an integer overflow to escape the confines of Oracle VirtualBox, allowing them to execute code on the host operating system. Sina Kheirkhah from Summoning Team also made significant strides, earning $35,000 by leveraging a Chroma zero-day as well as an already known vulnerability within Nvidia’s Triton Inference Server. Additionally, STARLabs SG members Billy and Ramdhan claimed $60,000 for successfully escaping Docker Desktop and executing code on the underlying operating system via a use-after-free zero-day.

The hacking competition, Pwn2Own Berlin 2025, centers on enterprise technologies and introduces a category dedicated to artificial intelligence. It runs from May 15 to May 17, coinciding with the OffensiveCon conference.

During the second day, participants are expected to demonstrate zero-day exploits against various systems, including Microsoft SharePoint, VMware ESXi, Mozilla Firefox, Red Hat Enterprise Linux for Workstations, and Oracle VirtualBox.

Post-demonstration, vendors are afforded a 90-day window to rectify the disclosed zero-day vulnerabilities in their software and hardware products. Contestants will be targeting fully patched products across several categories, including AI, web browsers, virtualization, local privilege escalation, servers, enterprise applications, cloud-native/container solutions, and automotive systems, with a total prize pool exceeding $1,000,000.

Despite the presence of the 2024 Tesla Model 3 and the 2025 Tesla Model Y as potential targets, no attempts were recorded prior to the competition’s commencement.