At Pwn2Own Berlin 2026, security researchers unveiled critical zero-day vulnerabilities in Microsoft Exchange and Windows 11, highlighting significant security concerns for enterprise environments.
Microsoft Exchange Remote Code Execution
Orange Tsai of DEVCORE demonstrated a remote code execution (RCE) exploit on Microsoft Exchange by chaining three vulnerabilities, achieving SYSTEM-level privileges. This exploit earned Tsai $200,000 and 20 Master of Pwn points, marking it as the event’s highest-value exploit to date. Such an attack could allow adversaries to fully control enterprise email systems, facilitating espionage and data exfiltration.
Windows 11 Privilege Escalation
Siyeon Wi successfully exploited an integer overflow vulnerability in Windows 11, enabling privilege escalation. This exploit earned Wi $7,500. While the payout was smaller, the vulnerability is critical as it can allow attackers to gain full system control from limited access.
These findings underscore the persistent security challenges in widely used enterprise software. Vulnerabilities demonstrated at Pwn2Own are disclosed to the vendor, so organizations should track Microsoft's advisories for these issues and prioritize applying the fixes as soon as they are released.
Source: Cyber Security News