InfoSecBulletin Cybersecurity for mankind
Pwn2Own Berlin 2025, a top cybersecurity contest, awarded $1,078,750 to researchers who discovered 29 zero-day vulnerabilities in various enterprise technologies. The event highlighted the increasing complexity of attack methods and the need for vendors to strengthen their defenses.
Pwn2Own Berlin 2025, hosted by Trend Micro’s Zero Day Initiative (ZDI) over three days, gathered top hacking teams to test the latest software and hardware on updated operating systems. The event focused on areas like AI, virtualization, cloud applications, browsers, servers, local privilege escalation, and automotive systems. Notably, no attempts were made in the Tesla category this year, despite the company providing test rigs.
184 Million Leaked Credentials Discovered in Open Database
Palo Alto Networks Warns of XSS Flaw: PoC Released
Pwn2Own Berlin reveals 29 critical vulns in major tech firms
High-Severity Flaw Hits Atlassian Jira Data Center
All major mobile networks go down across Spain
Researchers found 200 billion files exposed in cloud buckets
Bank server compromised using customer’s mobile, steal ₹11 crore
“InfoSecCon-2025″ held successfully promising cyber resilience
Intel PC, laptop and server processors affected for 6 years: Report
CVSS 10.0 Flaw
Critical flaw in Siemens OZW Web Servers Enable Unauthenticated RCE
The competition revealed 29 new zero-day exploits, highlighting the growing threats to enterprise IT infrastructure. Researchers earned $260,000 on Day 1, $435,000 on Day 2, and $383,750 on Day 3, showcasing the volume and seriousness of the vulnerabilities presented.
Vendors have 90 days to fix these vulnerabilities before ZDI makes them public.
STAR Labs SG was the top performer, earning 35 “Master of Pwn” points and $320,000 in rewards. Their key success was Nguyen Hoang Thach’s integer overflow exploit on VMware ESXi, which won the event’s highest payout of $150,000. They also successfully attacked Red Hat Enterprise Linux, Docker Desktop, Windows 11, and Oracle VirtualBox.
Viettel Cyber Security presented several significant exploit chains, including a virtual machine escape from Oracle VirtualBox to the host and a complex attack on Microsoft SharePoint that exploited an authentication bypass and insecure deserialization.
Reverse Tactics, the third-place team, earned $112,500 on the final day by exploiting an integer overflow and an uninitialized variable bug to breach VMware’s hypervisor, underscoring a persistent vulnerability in virtualization platforms.
Browser-based attack demonstrations led to immediate action. Mozilla quickly released emergency patches for two Firefox zero-day vulnerabilities (CVE-2025-4918 and CVE-2025-4919) exploited during the event. The fixes were implemented in Firefox versions 138.0.4, ESR 128.10.1, ESR 115.23.1, and Firefox for Android shortly after the contest ended.
Mozilla has quickly addressed Pwn2Own exploits for the second consecutive year, patching two zero-days in March 2024 after Pwn2Own Vancouver.
With the patch countdown starting, this year’s Pwn2Own showcased the creativity of ethical hackers and the rising pressure on vendors to protect against complex real-world attacks. The event confirmed Pwn2Own’s role as a key measure of enterprise software resilience.
