InfoSecBulletin Cybersecurity for mankind
Pwn2Own Berlin 2025, a top cybersecurity contest, awarded $1,078,750 to researchers who discovered 29 zero-day vulnerabilities in various enterprise technologies. The event highlighted the increasing complexity of attack methods and the need for vendors to strengthen their defenses.
Pwn2Own Berlin 2025, hosted by Trend Micro’s Zero Day Initiative (ZDI) over three days, gathered top hacking teams to test the latest software and hardware on updated operating systems. The event focused on areas like AI, virtualization, cloud applications, browsers, servers, local privilege escalation, and automotive systems. Notably, no attempts were made in the Tesla category this year, despite the company providing test rigs.
India’s Tata Electronics hit by cyber breach
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
CISA: Splunk flaw under active exploit, patch by Sunday
Texas data breach exposes 3 million driver’s licenses
The competition revealed 29 new zero-day exploits, highlighting the growing threats to enterprise IT infrastructure. Researchers earned $260,000 on Day 1, $435,000 on Day 2, and $383,750 on Day 3, showcasing the volume and seriousness of the vulnerabilities presented.
Vendors have 90 days to fix these vulnerabilities before ZDI makes them public.
STAR Labs SG was the top performer, earning 35 “Master of Pwn” points and $320,000 in rewards. Their key success was Nguyen Hoang Thach’s integer overflow exploit on VMware ESXi, which won the event’s highest payout of $150,000. They also successfully attacked Red Hat Enterprise Linux, Docker Desktop, Windows 11, and Oracle VirtualBox.
Viettel Cyber Security presented several significant exploit chains, including a virtual machine escape from Oracle VirtualBox to the host and a complex attack on Microsoft SharePoint that exploited an authentication bypass and insecure deserialization.
Reverse Tactics, the third-place team, earned $112,500 on the final day by exploiting an integer overflow and an uninitialized variable bug to breach VMware’s hypervisor, underscoring a persistent vulnerability in virtualization platforms.
Browser-based attack demonstrations led to immediate action. Mozilla quickly released emergency patches for two Firefox zero-day vulnerabilities (CVE-2025-4918 and CVE-2025-4919) exploited during the event. The fixes were implemented in Firefox versions 138.0.4, ESR 128.10.1, ESR 115.23.1, and Firefox for Android shortly after the contest ended.
Mozilla has quickly addressed Pwn2Own exploits for the second consecutive year, patching two zero-days in March 2024 after Pwn2Own Vancouver.
With the patch countdown starting, this year’s Pwn2Own showcased the creativity of ethical hackers and the rising pressure on vendors to protect against complex real-world attacks. The event confirmed Pwn2Own’s role as a key measure of enterprise software resilience.
