Security Researchers Earn $1,078,750 by Exploiting 28 Zero-Day Vulnerabilities at Pwn2Own Berlin 2025


The Pwn2Own Berlin 2025 hacking competition has concluded, with security researchers collectively earning $1,078,750 for exploiting 28 zero-day vulnerabilities. A few entries were bug collisions, where the vulnerability used was already known to the vendor or had been demonstrated earlier in the contest, and those earned reduced payouts.

The competition focused on enterprise technologies across a wide range of categories: artificial intelligence, web browsers, virtualization, local privilege escalation, servers, enterprise applications, cloud-native/container environments, and the automotive sector. As the competition rules require, every target ran the latest version of its operating system and software with all security updates applied, so each successful entry had to rely on previously unknown flaws.

Tesla supplied two vehicles, a Model Y and a Model 3, for the automotive category, but no team registered an attempt against them before the competition began.

Competitors earned $260,000 in cash awards on the first day and a further $435,000 on the second, bringing the two-day total to $695,000 for 20 zero-day vulnerabilities. On the third and final day they secured another $383,750 for eight more, for a total of 28.

Participants must demonstrate their exploits live during the event and hand the technical details to the affected vendors. Vendors then have a 90-day window to release security updates before Trend Micro's Zero Day Initiative (ZDI), which organizes the contest, publicly discloses the vulnerabilities.

The STAR Labs SG team won Pwn2Own Berlin 2025, accruing 35 Master of Pwn points and $320,000 in total earnings over the three-day competition. Their entries included successful attacks on Red Hat Enterprise Linux, Docker Desktop, Windows 11, VMware ESXi, and Oracle VirtualBox. Notably, team member Nguyen Hoang Thach received the single largest award of the event, $150,000, for escaping the VMware ESXi hypervisor via an integer overflow vulnerability.

Team Viettel Cyber Security claimed second place, demonstrating zero-day flaws that enabled a guest-to-host escape from an Oracle VirtualBox virtual machine, as well as an exploit chain that compromised Microsoft SharePoint by combining an authentication bypass with an insecure deserialization bug.

On the final day, team Reverse Tactics also targeted the VMware ESXi hypervisor, chaining an integer overflow with an uninitialized variable bug to earn $112,500 and secure third place.

Mozilla has already patched the two Firefox zero-day vulnerabilities (CVE-2025-4918 and CVE-2025-4919) demonstrated during the competition, releasing updated versions of Firefox and Firefox ESR specifically targeting these critical flaws.

Previously, in March 2024, Mozilla resolved two other zero-day vulnerabilities (CVE-2024-29943 and CVE-2024-29944) that security researcher Manfred Paul demonstrated at Pwn2Own Vancouver 2024.