Windows 11 and Microsoft Edge Hacked at Pwn2Own Berlin 2026

On May 14, Pwn2Own Berlin 2026 commenced with an impressive display of cybersecurity prowess, as researchers collectively earned 3,000 for 24 unique zero-day vulnerabilities. The event’s structure mandates that accepted entries target fully updated systems, so the discoveries feed directly into vendor repair and disclosure processes rather than demonstrating exploits against outdated software.

Among the standout performances was Cheng-Da Tsai, known in the cybersecurity community as Orange Tsai, who achieved a remarkable Edge sandbox escape, earning a substantial 5,000. This accomplishment not only highlighted a significant vulnerability in Microsoft Edge but also underscored the importance of browser security in everyday enterprise environments. On the following day, Tsai escalated his success with a 0,000 exploit chain targeting Microsoft Exchange, which enabled remote code execution at the SYSTEM level.

The sandbox escape demonstrated a breach of Edge’s built-in isolation, revealing a pathway past one of the browser’s critical containment layers. Such exploits are particularly noteworthy as they expose vulnerabilities that could allow attackers to gain higher system access than intended. The breadth of attacks on Windows 11 further illustrated the challenges facing Microsoft, with multiple teams successfully demonstrating various exploits against the operating system.

How Microsoft Landed Among the Day-One Standouts

Official results indicated that Orange Tsai amassed 17.5 Master of Pwn points, contributing significantly to DEVCORE’s early lead in the competition. The Edge exploit became a focal point of the technical narrative, emphasizing the ongoing concern surrounding browser isolation failures. In addition to Tsai’s achievement, other researchers also made their mark: Angelboy and TwinkleStar03 exploited an Improper Access Control vulnerability, earning ,000 for their privilege escalation, while Marcin Wiązowski and Kentaro Kawane added to the day’s successes with their own contributions.

The diversity of successful attacks on Windows 11, each stemming from different exploit paths, presents a more complex challenge for defenders than a single isolated victory. This multiplicity indicates potential systemic issues that may require comprehensive remediation efforts. By the end of the first day, DEVCORE led with a total of 5,000, while Valentina Palmiotti’s team trailed with ,000, largely due to the impact of Tsai’s Edge exploit.

Pwn2Own Berlin 2026 is designed to be more than a one-off event, with organizers announcing a prize pool exceeding ,000,000 across 31 targets, including new categories for AI and NVIDIA technologies. This expansion reflects a growing recognition of the need for robust security across a variety of platforms, from browsers to emerging AI systems. The contest will continue through May 16, allowing for further exploration of vulnerabilities and the potential for additional findings that could either reinforce or expand upon the initial Microsoft results.

What Vendors and Researchers Face Next

As the contest progresses, detailed CVE write-ups and vendor-specific patch schedules are yet to be published. Contest entries must demonstrate arbitrary code execution on the latest operating system versions, raising the bar for what constitutes a successful exploit. Vendors are now tasked with reproducing the accepted chains, identifying root causes, and preparing timely fixes within the established disclosure window.

Following Day Two, the narrative surrounding Microsoft expanded further. Orange Tsai’s successful chaining of three bugs to achieve remote code execution on Microsoft Exchange earned him an additional 0,000 and 20 Master of Pwn points. Meanwhile, Siyeon Wi contributed another local privilege escalation result for Windows 11 using an integer overflow. However, not all attempts were successful; Rapid7’s Stephen Fewer was unable to get his SharePoint exploit operational within the competition’s time constraints.

As of Day Two, Pwn2Own Berlin 2026 had awarded a total of 8,750 for 39 unique vulnerabilities, with DEVCORE leading the Master of Pwn standings at 40.5 points and 5,000 in earnings. The stakes remain high as the contest unfolds, with the potential for further revelations and challenges in the realm of cybersecurity.

Winsage