May 21, 2026

Pwn2Own Berlin 2026 Pays Out $523,000 as Researchers Exploit Windows 11 and Microsoft Edge

Security researchers earned $523,000 at Pwn2Own Berlin 2026 by demonstrating 24 unique zero-day vulnerabilities. Exploits targeted Windows 11, Microsoft Edge, and other widely used software. The competition highlights the ongoing challenge of securing widely deployed operating systems and browsers.

Security researchers earned $523,000 at Pwn2Own Berlin 2026 by demonstrating 24 unique zero-day vulnerabilities in widely used software. The competition, organized by Trend Micro's Zero Day Initiative, is one of the most prestigious hacking contests in the cybersecurity industry.

Exploits demonstrated at the event targeted Windows 11, Microsoft Edge, and other widely deployed software. Researchers who successfully exploit a vulnerability receive a cash prize, and the vendor is notified so it can develop a patch.

The competition highlights the ongoing challenge of securing widely deployed operating systems and browsers. Despite years of security improvements, researchers continue to find new ways to compromise even the most hardened software.

Microsoft warned separately this week about an Exchange zero-day flaw being actively exploited in attacks. The company said it was working on a patch and urged customers to apply mitigations in the meantime.

AI is increasingly being used by both attackers and defenders in cybersecurity. Security researchers are warning that AI-assisted hacking is becoming more sophisticated, enabling attackers to automate vulnerability discovery, phishing campaigns, and malware development at faster speeds.

Microsoft disrupted Fox Tempest, a cybercriminal service that sold fake code-signing certificates to ransomware groups. A new supply-chain campaign called Shai-Hulud pushed more than 600 malicious packages to npm, targeting the JavaScript ecosystem with credential theft and cloud secret harvesting.

The Trump administration is preparing an AI executive order that would encourage frontier AI developers to notify the government and critical infrastructure providers before releasing advanced models. The order reflects growing concern about powerful AI systems creating new cyber risks.

Companies running bug bounty programs are seeing a surge in low-quality AI-generated vulnerability reports, straining their screening processes and making it harder to identify genuine security issues.
