Zero-Day Tsunami: Pwn2Own Berlin Exposes 29 Critical Bugs Across Tech Giants

The420.in

In one of the most competitive and high-stakes cybersecurity contests of the year, Pwn2Own Berlin 2025 concluded with $1,078,750 awarded to security researchers who uncovered 29 zero-day vulnerabilities across a wide range of enterprise technologies. From breaking virtual machines to browser exploits, the contest showcased the growing complexity of attack vectors and the urgency for vendors to bolster defenses.

Enterprise Security Under Siege: Critical Vulnerabilities Found in Leading Platforms

Held over three days, Pwn2Own Berlin 2025, organized by Trend Micro’s Zero Day Initiative (ZDI), brought together elite hacking teams from around the world to probe and exploit the latest software and hardware running fully updated operating systems. The event targeted categories including AI, virtualization, cloud-native applications, browsers, servers, local privilege escalation, and even automotive systems—though no attempts were registered in the Tesla category this year despite the company providing test rigs.

The competition yielded 29 new zero-day exploits, emphasizing the expanding threat landscape in enterprise IT infrastructure. On Day 1 alone, researchers earned $260,000, followed by $435,000 on Day 2, and $383,750 on Day 3, underscoring the sheer volume and severity of the vulnerabilities demonstrated.

According to contest rules, vendors now have 90 days to patch these vulnerabilities before public disclosure by ZDI.

STAR Labs SG Emerges Champion with High-Impact Virtualization Exploit

The standout performer was STAR Labs SG, which clinched the top position with 35 “Master of Pwn” points and $320,000 in rewards. Their crowning achievement came when Nguyen Hoang Thach executed an integer overflow exploit on VMware ESXi, earning the highest single payout of the event—$150,000. STAR Labs also demonstrated successful attacks against Red Hat Enterprise Linux, Docker Desktop, Windows 11, and Oracle VirtualBox.

In second place, Viettel Cyber Security showcased multiple high-impact exploit chains, including a virtual machine escape from Oracle VirtualBox to the host and a sophisticated chain targeting Microsoft SharePoint, exploiting an authentication bypass and insecure deserialization.

Reverse Tactics, the third-place team, earned $112,500 on the final day by chaining an integer overflow with an uninitialized-variable bug to breach VMware’s hypervisor again—highlighting a recurring weakness in virtualization platforms.

Real-World Impact: Mozilla Moves Swiftly, Enterprise Vendors on Alert

Demonstrations of browser-based attacks also had immediate real-world effects. Mozilla acted quickly, releasing emergency patches for two Firefox zero-day vulnerabilities (CVE-2025-4918 and CVE-2025-4919) exploited at the event. The fixes were pushed across Firefox 138.0.4, ESR 128.10.1, ESR 115.23.1, and Firefox for Android, just days after the contest concluded.

This marks the second year in a row Mozilla has responded promptly to Pwn2Own exploits, having patched two earlier zero-days in March 2024 following Pwn2Own Vancouver.

As the patch countdown begins, this year’s Pwn2Own highlighted not only the ingenuity of ethical hackers but also the growing pressure on enterprise vendors to defend against increasingly sophisticated real-world attack chains. The event once again reaffirmed Pwn2Own’s status as a critical barometer of enterprise software resilience.