Hackers Earn Over $1M For 28 Zero-Day Flaws at Pwn2Own Berlin

Pwn2Own, the annual computer hacking contest, recently concluded at the OffensiveCon conference in Berlin, Germany, which was held between May 15 and May 17, 2025. The event, organized by Trend Micro’s Zero Day Initiative (ZDI), marked the first European edition of the renowned hacking competition.

In a remarkable display of cybersecurity prowess, researchers at Pwn2Own Berlin 2025 collectively earned $1,078,750 by uncovering and exploiting 28 previously unknown vulnerabilities, known as zero-days, in multiple categories, including virtualization, web browser, enterprise applications, server, local escalation of privilege (EoP), cloud/container, automotive and AI.

What Is Pwn2Own?

Pwn2Own is a hacking competition where ethical hackers, cybersecurity experts, and several other contestants target the latest and most widely used mobile devices, showcasing their ability to uncover and exploit critical zero-day vulnerabilities.

Those who succeed not only earn cash rewards but also get to keep the devices they’ve compromised.

Following the hacking event, tech vendors are given 90 days to address the reported vulnerabilities. Once this period ends, ZDI publicly discloses the flaws, regardless of whether a patch has been released.

Highlights From The Competition

Day 1

On Day 1 of Pwn2Own Berlin 2025, several successful exploits were demonstrated, earning researchers a total of $260,000. The day’s highest single reward of $60,000, along with 6 Master of Pwn points, went to Billy and Ramdhan of STAR Labs, who used a use-after-free (UAF) bug to escape Docker Desktop and execute code on the underlying system.

Further, Team Prison Break leveraged an integer overflow to escape Oracle VirtualBox and execute code on the host OS, earning them $40,000 and 4 Master of Pwn points.

Day 2

Day 2 of Pwn2Own Berlin saw a total of $435,000 awarded for various successful exploits, bringing the contest total to $695,000. The day featured 20 unique 0-day vulnerabilities, with Nguyen Hoang Thach of STAR Labs SG making Pwn2Own history by using a single integer overflow to exploit VMware ESXi, securing the day’s highest payout of $150,000.

Further, Viettel Cyber Security demonstrated a powerful combination of authentication bypass and insecure deserialization to compromise Microsoft SharePoint, earning $100,000.

Day 3

On Day 3 of Pwn2Own Berlin 2025, several teams delivered successful exploits across a variety of platforms, contributing to a total of $383,750 in rewards. Corentin BAYET of REverse Tactics earned the highest single reward of the day, $112,500, as well as 11.5 Master of Pwn points for a partially colliding ESXi exploit that included a unique integer overflow.

Similarly, Thomas Bouzerar and Etienne Helluy-Lafont from Synacktiv earned $80,000 and 8 Master of Pwn points for using a heap-based buffer overflow to exploit VMware Workstation.

Overall Summary Of Pwn2Own Berlin 2025

The three-day Pwn2Own Berlin 2025 hacking competition saw contestants disclosing 28 unique zero-day exploits – seven of which came from the AI category – and winning a combined $1,078,750.

STAR Labs SG dominated the competition and took home the Master of Pwn title, earning $320,000 in payouts and a total of 35 points for their exploits. Viettel Cyber Security came in second place with a payout of $155,000 and 15.5 points.

They were followed by Reverse Tactics in third place on the leaderboard, with a total payout of $112,500 and 11.25 points.

 

Kavita Iyer