InfoSecBulletin Cybersecurity for mankind
Pwn2Own Berlin 2025, a top cybersecurity contest, awarded $1,078,750 to researchers who discovered 29 zero-day vulnerabilities in various enterprise technologies. The event highlighted the increasing complexity of attack methods and the need for vendors to strengthen their defenses.
Pwn2Own Berlin 2025, hosted by Trend Micro’s Zero Day Initiative (ZDI) over three days, gathered top hacking teams to test the latest software and hardware on updated operating systems. The event focused on areas like AI, virtualization, cloud applications, browsers, servers, local privilege escalation, and automotive systems. Notably, no attempts were made in the Tesla category this year, despite the company providing test rigs.
AMD discloses 4 new CPU flaws Affecting Many CPUs
GitLab patched XSS and Authorization Bypass Flaws
CVE-2025-7206
Critical D-Link DIR-825 Router Flaw Remote Crash Via Buffer Overflow
Urgently patch now: Zoom Patches 6 Flaws
Whatsapp rival ‘Bitchat’, message without internet
Splunk Addresses Third-Party Package Vulns in SOAR Versions
Texas-based Tax Credit Consultancy agency exposed PII, ID Numbers, & SSNs
CVE-2025-25257
Fortinet Addresses Major SQL Injection Flaw in FortiWeb
Microsoft July 2025 Patch Tuesday: One zero-day, 137 flaws
Android malware Anatsa infiltrates Google Play targeting banks worldwide
The competition revealed 29 new zero-day exploits, highlighting the growing threats to enterprise IT infrastructure. Researchers earned $260,000 on Day 1, $435,000 on Day 2, and $383,750 on Day 3, showcasing the volume and seriousness of the vulnerabilities presented.
Vendors have 90 days to fix these vulnerabilities before ZDI makes them public.
STAR Labs SG was the top performer, earning 35 “Master of Pwn” points and $320,000 in rewards. Their key success was Nguyen Hoang Thach’s integer overflow exploit on VMware ESXi, which won the event’s highest payout of $150,000. They also successfully attacked Red Hat Enterprise Linux, Docker Desktop, Windows 11, and Oracle VirtualBox.
Viettel Cyber Security presented several significant exploit chains, including a virtual machine escape from Oracle VirtualBox to the host and a complex attack on Microsoft SharePoint that exploited an authentication bypass and insecure deserialization.
Reverse Tactics, the third-place team, earned $112,500 on the final day by exploiting an integer overflow and an uninitialized variable bug to breach VMware’s hypervisor, underscoring a persistent vulnerability in virtualization platforms.
Browser-based attack demonstrations led to immediate action. Mozilla quickly released emergency patches for two Firefox zero-day vulnerabilities (CVE-2025-4918 and CVE-2025-4919) exploited during the event. The fixes were implemented in Firefox versions 138.0.4, ESR 128.10.1, ESR 115.23.1, and Firefox for Android shortly after the contest ended.
Mozilla has quickly addressed Pwn2Own exploits for the second consecutive year, patching two zero-days in March 2024 after Pwn2Own Vancouver.
With the patch countdown starting, this year’s Pwn2Own showcased the creativity of ethical hackers and the rising pressure on vendors to protect against complex real-world attacks. The event confirmed Pwn2Own’s role as a key measure of enterprise software resilience.
