Pwn2Own Berlin 2026: Microsoft Exchange and Windows 11 Hacked

On May 17, 2026, the second day of the Pwn2Own competition in Berlin, security researchers exploited a total of 15 unique zero-day vulnerabilities in various software products. Participants received prize money totaling $385,750. The affected products include Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux for Workstations. The event regularly attracts security experts and hackers who demonstrate their skills while highlighting vulnerabilities in widely used software.

This year, the vulnerabilities in Windows 11 and Microsoft Exchange were classified as particularly severe, as they could potentially have far-reaching impacts on businesses and end users. A team of security researchers was able to exploit a critical vulnerability in Microsoft Exchange that allows attackers to gain unauthorized access to email accounts. This vulnerability could practically lead to the compromise of sensitive information. The exact CVE number for this vulnerability has not yet been released. Another team focused on Windows 11 and demonstrated an exploit technique that enabled them to take control of the operating system.

This technique could be used in the real world to install malware or steal data. The security researchers also pointed out that the vulnerability was hidden in the user interface of Windows 11, making it harder to detect. The organizers of the Pwn2Own competition emphasized that discovering such vulnerabilities is crucial for improving cybersecurity. Participants are encouraged to share their findings with the affected companies to enable them to secure their products. The prize money awarded during the competition serves as an incentive for security researchers to test their skills and find vulnerabilities.

This year, the highest awards were given for the discovery of vulnerabilities in Microsoft Exchange and Windows 11, underscoring the importance of these products in the corporate landscape. The Pwn2Own event has gained significance in recent years as cyberattacks become increasingly sophisticated. The discovery of zero-day vulnerabilities is critical for companies to prepare against potential attacks. The security community views such competitions as a way to foster collaboration between researchers and companies. The next phase of the competition will take place on May 18, 2026, where further vulnerabilities in other software products are expected.

The organizers have already announced that participants can also expect high prize money in this round, further increasing the motivation to discover new vulnerabilities. The vulnerabilities discovered during the competition will be investigated by the affected companies in the coming weeks. Microsoft has already announced that they are working on an update to address the vulnerabilities in Windows 11 and Microsoft Exchange. However, a specific date for the release of the update is still pending. The vulnerability in Microsoft Exchange could potentially affect thousands of companies worldwide, according to expert estimates. The exact number of affected systems is currently being determined to better assess the impact of the vulnerability.