Pwn2Own Berlin 2026: DEVCORE Wins Master of Pwn with $1.298M in Payouts
- May 17
- 3 min read
Key Findings
DEVCORE dominated Pwn2Own Berlin 2026, claiming Master of Pwn with 50.5 points and $505,000 in earnings
Three-day competition yielded 47 unique zero-days with $1,298,250 in total payouts
STARLabs SG finished second with 25 points and $242,500; Out Of Bounds took third with 12.75 points and $95,750
Microsoft SharePoint successfully exploited after surviving day two attempt
OpenAI Codex compromised three separate times by different researchers using different techniques
VMware ESXi breached via memory corruption vulnerability with cross-tenant code execution implications
Background
Pwn2Own Berlin 2026 concluded on the final day of OffensiveCon, representing the culmination of three intense days of security research competition. DEVCORE entered day three with a commanding lead of 40.5 Master of Pwn points and $405,000, a gap that was mathematically difficult to close. The final day featured high-value targets including Microsoft SharePoint, VMware ESXi, Windows 11, Red Hat Enterprise Linux, and OpenAI Codex, with researchers competing to close the gap or secure their positions on the leaderboard.
DEVCORE's Dominant Performance
DEVCORE's victory was sealed when splitline of the DEVCORE Research Team successfully chained two bugs together to exploit Microsoft SharePoint, earning $100,000 and 10 Master of Pwn points. This win brought DEVCORE's final tally to 50.5 points and $505,000, representing a performance without precedent in recent competition history. The team's consistency across all three days demonstrated both technical prowess and strategic target selection.
SharePoint Breakthrough
Microsoft SharePoint had survived a failed attempt by Rapid7's Stephen Fewer on day two, making splitline's successful chain particularly significant. The exploit required chaining two separate vulnerabilities together, demonstrating the complexity of modern enterprise software security. This result added another Microsoft server product to the list of systems compromised during the week.
VMware ESXi Cross-Tenant Vulnerability
Nguyen Hoang Thach of STARLabs SG exploited a memory corruption vulnerability in VMware ESXi that allowed cross-tenant code execution, earning $200,000 and 20 Master of Pwn points. This particular exploit was especially concerning given its implications for multi-tenant virtualization environments where isolation between customers is critical. The vulnerability demonstrated that hypervisor security remains an attractive target for researchers.
OpenAI Codex Pattern of Exploitation
OpenAI Codex was successfully exploited three separate times across the competition by different researchers using distinct techniques. On day three, Satoki Tsuji of Ikotas Labs abused an external control vulnerability to achieve code execution, earning $20,000 and 4 Master of Pwn points. The fact that three different researchers found three different ways to compromise the system suggests a broader attack surface rather than isolated flaws, warranting comprehensive security review within OpenAI's organization.
Windows 11 and Linux Vulnerabilities
Multiple successful exploits targeted Windows 11 throughout the competition, with day three seeing Viettel Cyber Security's team use an integer overflow to escalate privileges on a fully patched system, earning $7,500 and 3 Master of Pwn points. Hyunwoo Kim successfully chained a use-after-free and uninitialized memory bug against Red Hat Enterprise Linux for Workstations, earning $5,000 and 2 Master of Pwn points. These results demonstrated that privilege escalation remains a consistent weakness across major operating systems.
Anthropic Claude Code Collisions
Two attempts targeted Anthropic Claude Code on day three, both resulting in collisions with previously disclosed vulnerabilities. Compass Security and Out Of Bounds each earned $20,000 and 2 Master of Pwn points rather than full wins, as the vulnerabilities they discovered overlapped with earlier submissions. Compass Security had already collected $40,000 for exploiting OpenAI Codex on day one before attempting Claude Code.
Final Leaderboard
STARLabs SG secured second place with 25 points and $242,500 through their strong ESXi exploit. Out Of Bounds took third with 12.75 points and $95,750 after multiple attempts across the three days. The competition demonstrated the depth of talent in the global security research community, with participation spanning multiple countries and research organizations.
Sources
https://securityaffairs.com/192250/hacking/pwn2own-berlin-2026-day-three-devcore-crowned-master-of-pwn-1-298-million-total.html
https://www.thezdi.com/blog/2026/5/16/pwn2own-berlin-2026-day-three-results-and-master-of-pwn
https://malware.news/t/pwn2own-berlin-2026-day-three-results-and-master-of-pwn/107061
https://www.bleepingcomputer.com/news/security/windows-11-and-microsoft-edge-hacked-on-first-day-of-pwn2own-berlin-2026/

Comments