Exploitation of Zero-Day Vulnerabilities in VMware ESXi and Microsoft SharePoint Uncovered at Pwn2Own

During the second day of the Pwn2Own Berlin 2025 event, competitors achieved remarkable success by identifying and exploiting zero-day vulnerabilities in several high-profile products, collectively earning $435,000. The identified vulnerabilities affected systems including Microsoft SharePoint, VMware ESXi, Oracle VirtualBox, Red Hat Enterprise Linux, and Mozilla Firefox.

A standout moment of the competition was the demonstration by Nguyen Hoang Thach from STAR Labs SG, who successfully exploited an integer overflow vulnerability in VMware ESXi, garnering a reward of $150,000. Similarly, Dinh Ho Anh Khoa from Viettel Cyber Security earned $100,000 by exploiting Microsoft SharePoint through a combination of an authentication bypass and an insecure deserialization flaw.

Additional impressive exploits included an out-of-bounds write vulnerability in Mozilla Firefox researched by Palo Alto Networks’ Edouard Bochin and Tao Yan. Gerrard Tai from STAR Labs SG managed to escalate privileges to root on Red Hat Enterprise Linux via a use-after-free vulnerability, and Viettel Cyber Security demonstrated another out-of-bounds write flaw resulting in a guest-to-host escape in Oracle VirtualBox.

In the newly introduced AI category, researchers from Wiz Research exploited a use-after-free zero-day affecting Redis, while Qrious Secure successfully chained four vulnerabilities to compromise Nvidia’s Triton Inference Server.

The competition also saw significant rewards during the first day, where participants earned $260,000 by exploiting zero-day vulnerabilities in Windows 11, Red Hat Linux, and Oracle VirtualBox. This brought the cumulative earnings over the first two days to an impressive total of $695,000, showcasing 20 unique zero-day vulnerabilities.

The Pwn2Own Berlin 2025 competition, which emphasizes enterprise technologies and introduces an AI category for the first time, is being held as part of the OffensiveCon conference, running from May 15 to May 17. Participants stand to earn over $1,000,000 by successfully demonstrating zero-day vulnerabilities across a variety of categories, including AI, web browsers, virtualization, local privilege escalation, servers, enterprise applications, cloud-native/container environments, and automotive systems.

While the event has attracted considerable interest, no attempts to exploit Tesla vulnerabilities were recorded prior to the contest, despite the availability of two 2025 Tesla Model Y and 2024 Tesla Model 3 bench-top units as targets.

As the competition draws to a close, participants are poised to exploit remaining zero-day vulnerabilities in products such as Windows 11, Oracle VirtualBox, VMware ESXi, VMware Workstation, Mozilla Firefox, as well as Nvidia’s Triton Inference Server and Container Toolkit.

Following the demonstration of these vulnerabilities at Pwn2Own, vendors have a 90-day window to issue security patches before Trend Micro's Zero Day Initiative publishes technical details on the vulnerabilities.