PROBABLYPWNED
Vulnerabilities · May 16, 2026 · 4 min read

Pwn2Own Berlin Day 2: Exchange RCE Chain Earns $200K, 15 Zero-Days Fall

Day two of Pwn2Own Berlin 2026 yields 15 new zero-days worth $385,750. Orange Tsai chains three bugs for SYSTEM-level Exchange RCE, earning the event's largest payout.

Marcus Chen

Day two of Pwn2Own Berlin 2026 produced 15 new zero-day vulnerabilities and $385,750 in awards, pushing the event total to $908,750 across 39 unique security flaws. The highlight came from Orange Tsai of DEVCORE, who chained three bugs to achieve remote code execution as SYSTEM on Microsoft Exchange Server.

The competition continues through May 16 at the OffensiveCon conference, with AI platforms proving as vulnerable as traditional enterprise software.

Orange Tsai's Exchange Server Chain

The competition's single largest payout went to Orange Tsai for a Microsoft Exchange Server exploit chain worth $200,000 and 20 Master of Pwn points. The attack combined three distinct vulnerabilities to achieve SYSTEM-level code execution on a fully patched Exchange installation.

This demonstration comes at an awkward time for Microsoft, which is currently dealing with CVE-2026-42897, a separate Exchange zero-day already under active exploitation in the wild. Exchange administrators now face two distinct attack vectors targeting their on-premises deployments.

Orange Tsai has a history of Exchange research, having previously discovered ProxyLogon vulnerabilities that were mass-exploited in 2021.

Full Day Two Results

According to the Zero Day Initiative's official results, researchers successfully compromised:

| Target | Researcher | Vulnerability Type | Prize |
|---|---|---|---|
| Microsoft Exchange | Orange Tsai (DEVCORE) | 3-bug RCE chain to SYSTEM | $200,000 |
| Cursor | Le Duc Anh Vu (Viettel) | Code execution | $30,000 |
| NV Container Toolkit | 0xDACA & Noam Trobinski | Use-after-free | $25,000 |
| LM Studio | OtterSec team | Code injection | $20,000 |
| OpenAI Codex | Sina Kheirkhah (Summoning Team) | Undisclosed | $20,000 |
| Cursor | Compass Security | Undisclosed | $15,000 |
| Red Hat Enterprise Linux | Ben Koo (Team DDOS) | Use-after-free privilege escalation | $10,000 |
| Windows 11 | Siyeon Wi | Integer overflow privilege escalation | $7,500 |

Several attempts failed to complete within the 30-minute time limit, including exploits targeting Apple Safari, Microsoft SharePoint, and Mozilla Firefox.

AI Platforms Continue to Fall

Building on Day One's results, AI development tools remained soft targets. Researchers demonstrated vulnerabilities in:

  • LM Studio via code injection
  • Cursor (compromised twice by different teams)
  • OpenAI Codex via undisclosed technique
  • Claude Desktop (known vulnerability collision, $10,000 award)

The AI category was introduced for Pwn2Own Berlin 2026, and the results suggest AI agent platforms share many of the same vulnerability classes as traditional software. Code injection, insufficient sandboxing, and trust boundary violations appear throughout the AI targets.

Collision Payouts

When multiple researchers discover the same vulnerability independently, Pwn2Own awards reduced payouts:

  • Sina Kheirkhah received $10,000 for Claude Desktop (collision)
  • STARLabs received $2,500 for NVIDIA Megatron Bridge (collision)
  • Out Of Bounds received $28,000 for Ollama and $17,750 for LiteLLM (partial collisions)

Collisions indicate these vulnerabilities are discoverable by multiple skilled researchers, which raises the probability that malicious actors have found them as well.

Event Standings

After two days, the leaderboard shows:

  1. Orange Tsai (DEVCORE) - leading with the Exchange chain
  2. Viettel Cyber Security - consistent performance across targets
  3. STARLabs - multiple successful demonstrations

Day three continues today with additional attempts against AI infrastructure, browsers, and enterprise software.

Why This Matters

Pwn2Own serves as a pressure test for vendor security programs. Every vulnerability demonstrated here gets reported to vendors, who typically have 90 days to patch before public disclosure.

The Exchange RCE chain is particularly significant given Microsoft's current struggle with CVE-2026-42897. Organizations running on-premises Exchange now know that at least four distinct zero-day vulnerabilities exist in their deployments: one under active exploitation and three more awaiting patches from the Pwn2Own disclosures.

For AI platform developers, the message is clear. The same vulnerability classes that plagued traditional software for decades are present in AI tooling. LiteLLM's recent SQL injection issues showed how quickly these flaws get exploited once discovered. The Pwn2Own results suggest there's more to find.