The Pwn2Own Berlin 2025 hacking contest concluded successfully in Germany just last week. Trend Micro’s Zero Day Initiative (ZDI) organized this prestigious cybersecurity research event. Over one million dollars were paid out to skilled white hat hacker participants. ZDI announced hackers earned a total of $1,078,750 for finding new critical flaws. This impressive amount was awarded for successfully demonstrating 28 previously unknown vulnerabilities. These discovered flaws spanned operating systems and also newly included AI product categories. Vulnerabilities were also found in container software browsers virtualization software and various servers. The competition showcased many significant new exploits against widely used technology products.
This Pwn2Own event was notably the first to include a dedicated AI hacking category. A total of $140,000 was earned by researchers for successful AI product exploits. Targets included the Chroma open source AI application database and NVIDIA’s Triton Inference Server. NVIDIA’s Container Toolkit was also part of the newly introduced AI exploitation challenges. The biggest single reward presented at the entire event was a substantial $150,000. This top prize went to the talented STAR Labs SG hacking team for their work. They achieved the first ever VMware ESXi hypervisor hack in Pwn2Own competition history. A second distinct VMware ESXi exploit earned another researcher a payment of $112,500. A Microsoft SharePoint exploit also secured a significant $100,000 prize for the finders.
A VMware Workstation exploit demonstration successfully earned its researchers a prize of $80,000.
An exploit chain that combined an Oracle VirtualBox escape earned a total of $70,000. This complex chain also included a valuable Windows operating system privilege escalation component. Participants at the event were awarded $40,000 each for successfully exploiting Redis. Other separate Oracle VirtualBox exploits also paid out individual cash awards of $40,000. Two different Firefox web browser exploits earned skilled participants $50,000 for each one. These particular Firefox exploits did not include a more difficult sandbox escape component. Achieving a sandbox escape would have effectively doubled their total monetary prize value. Mozilla commendably rushed to address these disclosed Firefox vulnerabilities within the same day. They promptly released security patches to protect all Firefox users from these new threats.
The highly skilled STAR Labs SG team ultimately won the entire Pwn2Own Berlin contest. They earned a remarkable grand total of $320,000 for their various successful exploits. Interestingly some targeted categories saw no exploitation attempts made by any participants. This notably included the challenging enterprise software category which featured popular business applications. For example Adobe Reader and various Microsoft 365 apps remained uncompromised in this section. The popular automotive hacking category also had no successful hacking attempts recorded this year. This specific category notably offered very large prizes up to $500,000 for contestants. Hacking a modern Tesla vehicle was a major challenge presented in the automotive category. This outcome suggests some targets remain extremely difficult to compromise even for experts.
Reference:
