Ethical hackers exploited zero-day vulnerabilities against popular OS, browsers, VMs and AI frameworks

Security researchers showcased 28 zero-day vulnerabilities during the Pwn2Own contest held during the OffensiveCon conference in Berlin that ended on Saturday. The flaws allowed ethical hackers to compromise software products used across most enterprises including Microsoft Windows 11, Red Hat Linux for Workstations, Mozilla Firefox, VMware ESXi, VMware Workstation, Oracle VirtualBox, Microsoft SharePoint, Docker, Redis, Chroma, NVIDIA Triton Inference Server and NVIDIA Container Toolkit.

The Pwn2Own contest has been running annually at security conferences for the past 18 years. It is organized by Trend Micro’s Zero Day Initiative (ZDI), a bug bounty program through which researchers can report vulnerabilities to vendors and get paid for reporting them. ZDI uses the advance knowledge of these flaws to develop protection rules for Trend Micro’s customers.

Participating teams of researchers gathered points and monetary rewards for successful attempts at showcasing their exploits against the announced targets. In total, the contest paid out $1,078,750, with $320,000 going to the first place Singapore-based cybersecurity consultancy firm STAR Labs SG.

Privilege escalation exploits

Modern operating systems enforce strong security domain separation between user space and critical kernel components, and it is standard practice not to use administrative accounts for everyday tasks.

Because of these security measures, privilege escalation exploits have become a highly valuable commodity for attackers. They are needed to completely take over a system after code execution has been achieved from a limited account, either by tricking a user into running malware or by exploiting a remote code execution vulnerability in an application that runs with limited privileges.

During the first day of the event, a researcher identified as Pumpkin from the DEVCORE Research Team used an integer overflow vulnerability to escalate privileges on Red Hat Linux. On the same day, researchers Hyunwoo Kim and Wongi Lee from Theori combined an information leak with a use-after-free flaw to gain root access on Red Hat Linux, though one of the bugs was already known.

Also on day one, researcher Marcin Wiązowski demonstrated an out-of-bounds write flaw to achieve SYSTEM privileges on Windows 11, while researcher Hyeonjin Choi from team Out Of Bounds followed that up with a type confusion bug to escalate privileges on Microsoft’s OS.

Day two saw Gerrard Tai of STAR Labs SG Pte. use a use-after-free memory flaw to achieve privilege escalation on Red Hat Enterprise Linux.

On day three, researcher Angelboy from DEVCORE demonstrated a privilege escalation on Windows 11 by chaining two bugs, but one was already known to Microsoft. This was followed by the STARLabs team who demonstrated an improper validation of array index on Windows.

The category was closed by researcher Miloš Ivanović who used a race condition bug to escalate privileges to SYSTEM. All in all, there were five privilege escalation exploits demonstrated successfully for Windows and two for Red Hat Linux.

Virtual machine and container escapes

Virtualization sits at the core of public cloud infrastructure and private data centers, allowing companies to run their workloads and applications inside isolated containers or virtual servers. Any flaw that allows escaping from the confines of a virtual machine or a Linux container poses a risk not only to the host machine, but also all other virtualized resources running on it.

During the first day at Pwn2Own, researchers from Team Prison Break used an integer overflow to escape from Oracle VirtualBox into the host operating system. This was followed up by the STAR Labs team, who used a use-after-free bug to escape from the Docker Desktop OS-level container platform and execute code on the underlying OS.

On day two, researchers from Viettel Cyber Security exploited an out-of-bounds write error to achieve a VirtualBox guest-to-host escape, and Nguyen Hoang Thach of STARLabs compromised the VMware ESXi hypervisor with a single integer overflow bug, a first in the contest’s history, earning him $150,000 for this bug alone.

On day three, Nguyen and his colleague Dung from STARLabs used a TOCTOU race condition to escape the Oracle VirtualBox VM while Thomas Bouzerar and Etienne Helluy-Lafont from Synacktiv used a heap-based buffer overflow to exploit VMware Workstation.

Researchers Nir Ohfeld and Shir Tamari of Wiz Research used an external initialization of trusted variables bug to exploit the NVIDIA Container Toolkit, an open-source piece of software that allows users to build and run GPU-accelerated containers.

Remote code execution in browsers and AI tools

Mozilla Firefox was the only browser targeted during the contest and was compromised twice: on day two by Edouard Bochin and Tao Yan from Palo Alto Networks with an out-of-bounds write, and on day three by Manfred Paul, who used an integer overflow in the browser’s renderer.

Mozilla has already released emergency patches for these two vulnerabilities, now tracked as CVE-2025-4918 and CVE-2025-4919, classifying them as critical severity.

Also, researcher Dinh Ho Anh Khoa of Viettel Cyber Security combined an authentication bypass flaw with an insecure deserialization bug to exploit Microsoft SharePoint.

This was the first edition of the contest to have an AI category, which included the Redis in-memory key-value database, the Chroma AI application database and the NVIDIA Triton Inference Server, an AI model deployment and inference software that’s part of NVIDIA’s AI platform. The category was added because organizations are rapidly adopting this technology and deploying a variety of open-source AI tools and frameworks in the process, often failing to secure them against external attackers. In total, seven of the 28 vulnerabilities disclosed during Pwn2Own this year came from this category.

On day one, a team of researchers from cloud security firm Wiz attempted an exploit against the NVIDIA Triton Inference Server but failed to get it to work within the allotted time. However, on the same day, Sina Kheirkhah of Summoning Team and Viettel Cyber Security successfully demonstrated separate exploits against NVIDIA Triton, but both bugs were already known to the vendor, despite not yet being patched. Kheirkhah followed that up with a successful exploit against the Chroma AI database.

On day two, researchers Ho Xuan Ninh and Tri Dang from Qrious Secure demonstrated an exploit against NVIDIA Triton that combined four bugs. Mohand Acherir and Patrick Ventuzelo of FuzzingLabs also demonstrated a successful exploit, but the bug they used was already known to the vendor.

Also on day two, researchers Benny Isaacs, Nir Brakha and Sagi Tzadik of Wiz Research managed to exploit the Redis database using a use-after-free exploit.

The final day saw another successful exploit against Triton, again with a bug that turned out to be known to the vendor, by a team of researchers from FPT NightWolf, as well as a failed Triton attempt by team STAR Labs, who could not get their exploit to work in time.
