top of page

Pwn2Own Berlin 2026: DEVCORE Wins Master of Pwn with $1.298M in Payouts

  • May 17
  • 3 min read

Key Findings


  • DEVCORE dominated Pwn2Own Berlin 2026, claiming Master of Pwn with 50.5 points and $505,000 in earnings

  • Three-day competition yielded 47 unique zero-days with $1,298,250 in total payouts

  • STARLabs SG finished second with 25 points and $242,500; Out Of Bounds took third with 12.75 points and $95,750

  • Microsoft SharePoint successfully exploited after surviving day two attempt

  • OpenAI Codex compromised three separate times by different researchers using different techniques

  • VMware ESXi breached via memory corruption vulnerability with cross-tenant code execution implications


Background


Pwn2Own Berlin 2026 concluded on the final day of OffensiveCon, representing the culmination of three intense days of security research competition. DEVCORE entered day three with a commanding lead of 40.5 Master of Pwn points and $405,000, a gap that was mathematically difficult to close. The final day featured high-value targets including Microsoft SharePoint, VMware ESXi, Windows 11, Red Hat Enterprise Linux, and OpenAI Codex, with researchers competing to close the gap or secure their positions on the leaderboard.


DEVCORE's Dominant Performance


DEVCORE's victory was sealed when splitline of the DEVCORE Research Team successfully chained two bugs together to exploit Microsoft SharePoint, earning $100,000 and 10 Master of Pwn points. This win brought DEVCORE's final tally to 50.5 points and $505,000, representing a performance without precedent in recent competition history. The team's consistency across all three days demonstrated both technical prowess and strategic target selection.


SharePoint Breakthrough


Microsoft SharePoint had survived a failed attempt by Rapid7's Stephen Fewer on day two, making splitline's successful chain particularly significant. The exploit required chaining two separate vulnerabilities together, demonstrating the complexity of modern enterprise software security. This result added another Microsoft server product to the list of systems compromised during the week.


VMware ESXi Cross-Tenant Vulnerability


Nguyen Hoang Thach of STARLabs SG exploited a memory corruption vulnerability in VMware ESXi that allowed cross-tenant code execution, earning $200,000 and 20 Master of Pwn points. This particular exploit was especially concerning given its implications for multi-tenant virtualization environments where isolation between customers is critical. The vulnerability demonstrated that hypervisor security remains an attractive target for researchers.


OpenAI Codex Pattern of Exploitation


OpenAI Codex was successfully exploited three separate times across the competition by different researchers using distinct techniques. On day three, Satoki Tsuji of Ikotas Labs abused an external control vulnerability to achieve code execution, earning $20,000 and 4 Master of Pwn points. The fact that three different researchers found three different ways to compromise the system suggests a broader attack surface rather than isolated flaws, warranting comprehensive security review within OpenAI's organization.


Windows 11 and Linux Vulnerabilities


Multiple successful exploits targeted Windows 11 throughout the competition, with day three seeing Viettel Cyber Security's team use an integer overflow to escalate privileges on a fully patched system, earning $7,500 and 3 Master of Pwn points. Hyunwoo Kim successfully chained a use-after-free and uninitialized memory bug against Red Hat Enterprise Linux for Workstations, earning $5,000 and 2 Master of Pwn points. These results demonstrated that privilege escalation remains a consistent weakness across major operating systems.


Anthropic Claude Code Collisions


Two attempts targeted Anthropic Claude Code on day three, both resulting in collisions with previously disclosed vulnerabilities. Compass Security and Out Of Bounds each earned $20,000 and 2 Master of Pwn points rather than full wins, as the vulnerabilities they discovered overlapped with earlier submissions. Compass Security had already collected $40,000 for exploiting OpenAI Codex on day one before attempting Claude Code.


Final Leaderboard


STARLabs SG secured second place with 25 points and $242,500 through their strong ESXi exploit. Out Of Bounds took third with 12.75 points and $95,750 after multiple attempts across the three days. The competition demonstrated the depth of talent in the global security research community, with participation spanning multiple countries and research organizations.


Sources


  • https://securityaffairs.com/192250/hacking/pwn2own-berlin-2026-day-three-devcore-crowned-master-of-pwn-1-298-million-total.html

  • https://www.thezdi.com/blog/2026/5/16/pwn2own-berlin-2026-day-three-results-and-master-of-pwn

  • https://malware.news/t/pwn2own-berlin-2026-day-three-results-and-master-of-pwn/107061

  • https://www.bleepingcomputer.com/news/security/windows-11-and-microsoft-edge-hacked-on-first-day-of-pwn2own-berlin-2026/

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page