Pwn2Own Berlin 2026: DEVCORE Wins with 47 Zero-Days and $1.29M in Payouts

Severity: High (Score: 64.5)

Sources: Securityaffairs.Co, Thezdi

Summary

Pwn2Own Berlin 2026 concluded with DEVCORE being crowned Master of Pwn after discovering 47 unique zero-days, leading to total payouts of $1,298,250. The competition showcased significant vulnerabilities, including exploits targeting SharePoint and ESXi. Participants demonstrated various attack vectors, with DEVCORE dominating across categories. The event highlighted the ongoing threat landscape, as researchers exploited critical systems, including Red Hat Linux. The total amount awarded during the event reached $1,298,250, surpassing the million-dollar threshold. The event took place over three days, culminating on May 16, 2026, at OffensiveCon. The findings from Pwn2Own are crucial for organizations to enhance their security postures against emerging threats. Key Points: • DEVCORE discovered 47 unique zero-days, earning $1.29 million in total payouts. • The competition included significant targets like SharePoint and ESXi, showcasing critical vulnerabilities. • Sina Kheirkhah earned $7,000 for exploiting Red Hat Linux with a combination of known and unknown bugs.

Key Entities

• Zero-day Exploit (attack_type)
• ESXi (platform)
• Red Hat Linux (platform)
• SharePoint (platform)