Cybersecurity May 16, 2026 · 3 min read

Pwn2Own Berlin Researchers Collect $908,750 for 39 Zero-Days in Two Days — Your Enterprise Software Just Got a Very Public Performance Review

🤚 The Open-Palm Exploit Buffet

The second day of Pwn2Own Berlin 2026 concluded on May 15 with security researchers collecting $385,750 in prize money after successfully demonstrating 15 unique zero-day vulnerabilities across Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux for Workstations.

This follows Day 1’s haul of $523,000 for 24 zero-days targeting Windows 11 and Microsoft Edge. The two-day combined total: $908,750 paid out for 39 zero-day vulnerabilities that, until this week, existed happily in production systems worldwide.

To put it plainly: the software running your enterprise email server, your desktop operating system, and your Linux workstations all contained undiscovered critical vulnerabilities that researchers found, weaponized, and demonstrated on stage — for what amounts to a rounding error on Microsoft’s quarterly revenue.

  • Windows 11: Exploited on both Day 1 and Day 2
  • Microsoft Exchange: Compromised during Day 2 demonstrations
  • Red Hat Enterprise Linux: Workstation edition breached
  • Microsoft Edge: Fell on Day 1
  • Total payouts across both days: $908,750

👐 The Two-Handed Vulnerability Tasting

Pwn2Own occupies a peculiar space in the cybersecurity ecosystem. It is simultaneously the industry’s most prestigious competition and its most embarrassing annual audit. Every successful exploit is both a triumph of security research and an indictment of the billions spent on secure development lifecycles, code review tools, and that one mandatory security training video everyone clicks through in January.

Microsoft Exchange being compromised at a hacking competition in 2026 is the kind of thing that should make enterprise IT administrators physically ill. Exchange has been the vector for ProxyLogon, ProxyShell, ProxyNotShell, and approximately seventeen other named vulnerabilities that all sound like rejected energy drink brands. At this point, discovering a new Exchange zero-day is less “breaking news” and more “Tuesday.”

The Red Hat Enterprise Linux exploitation is particularly noteworthy because RHEL is the operating system that serious organizations choose specifically because they believe it to be more secure than the alternatives. It is the Linux distribution that comes with a support contract and a reputation. That reputation just took a $385,750 hit.

And Windows 11 — Microsoft’s latest, most secure, most hardware-requirement-demanding operating system — was exploited on both days. The TPM chip requirement, the Secure Boot enforcement, the VBS protections: all present, all presumably functional, all ultimately insufficient against a researcher with a laptop and professional motivation.

🌿 The Gentle Awakening

There is something almost meditative about the annual Pwn2Own ritual. Every year, the world’s most hardened software is placed on a stage. Every year, it falls. Every year, vendors issue patches. Every year, we return to the stage with the patched software. Every year, it falls again.

This is not a failure of effort. Microsoft, Red Hat, and Google employ some of the finest security engineers on Earth. Their SDL processes are rigorous. Their bug bounty programs are generous. And yet, thirty-nine zero-days in two days. The attack surface of modern software is not a wall — it is a fractal, and every magnification reveals new crevices.

The researchers who find these vulnerabilities are doing the world a service. The alternative — where these bugs are discovered by state-sponsored threat actors who do not report them to vendors — is considerably worse. Pwn2Own is expensive therapy for an industry that cannot stop producing broken code.

👑 The Gold-Leaf Patch Tuesday Prophecy

Here is the arithmetic that should concern every CISO watching from the audience: $908,750 bought disclosure of 39 zero-days. That’s roughly $23,000 per vulnerability. On the gray market, a single Windows zero-day with remote code execution sells for $500,000 to $2 million. An Exchange zero-day? More.

The only reason these vulnerabilities were disclosed responsibly is that Pwn2Own exists and that its participants choose legitimate fame over illegitimate fortune. The entire responsible disclosure ecosystem rests on the premise that researchers will accept five-figure payouts when six- and seven-figure alternatives exist. That premise holds — until it doesn’t.

Every vendor whose product was compromised this week now has 90 days to ship a patch. The countdown is public. The vulnerabilities are confirmed. Somewhere, a threat intelligence team is reverse-engineering what they can from the competition footage. The next Patch Tuesday just got considerably heavier.

“Thirty-nine zero-days in forty-eight hours and the total payout was less than a Series A lawyer’s fee. We are protected by the goodwill of people who could buy yachts with what they know. Sleep well.” — The Slap of Wisdom Vulnerability Desk, refreshing the CVE database with increasing urgency