
Pwn2Own Berlin 2026: 47 Zero-Days in Enterprise Tech Expose What Scanners Miss

47 zero-days across Exchange, SharePoint, VMware ESXi, and AI platforms — $1.3M in bounties at Pwn2Own Berlin 2026. What the results mean for Saudi financial institutions and their 90-day patch window.

FyntraLink Team

In three days at OffensiveCon in Berlin, 27 security research teams chained 47 previously unknown vulnerabilities in Microsoft Exchange, SharePoint, Windows 11, VMware ESXi, Edge, and multiple AI platforms — collecting $1,298,250 in bounties. Every one of those zero-days existed in production systems that passed routine vulnerability scans. For CISOs managing SAMA-regulated infrastructure, the results are a direct stress test of assumptions about patch management, network segmentation, and vendor trust.

What Fell at Pwn2Own Berlin 2026

The competition ran May 14–16, 2026, with categories spanning enterprise applications, virtualization, browsers, servers, and — for the first time at this scale — AI and machine learning platforms. DEVCORE Research Team dominated with 50.5 Master of Pwn points and $505,000, including a $200,000 payout for achieving remote code execution with SYSTEM privileges on Microsoft Exchange Server by chaining an authentication bypass with a deserialization flaw. STARLabs SG earned $200,000 for a VMware ESXi exploit that included cross-tenant code execution — a scenario that should alarm any organization relying on shared virtualization infrastructure.

Microsoft SharePoint fell to a two-bug chain from DEVCORE's splitline, worth $100,000. Edge's sandbox was escaped for $175,000. Windows 11 kernel-level privilege escalation was demonstrated multiple times across different attack surfaces. On the AI front, LiteLLM — a popular proxy used to abstract LLM API calls — was compromised, and researchers demonstrated exploitation paths against enterprise AI orchestration tools that many organizations have deployed without the same rigor applied to traditional infrastructure.

Day-by-Day Breakdown: Speed and Severity

Day one alone produced 24 unique zero-days and $523,000 in awards. Researchers demonstrated that the attack surface in enterprise environments is far broader than most security teams budget for. Day two added 15 more zero-days worth $385,750, with virtualization escapes being the dominant theme — VMware ESXi and Workstation both fell. Day three closed the competition with eight additional zero-days and $389,500, including the Exchange RCE chain that drew the highest single payout.

The speed at which researchers moved from initial access to full compromise is instructive. Several exploit chains were demonstrated in under two minutes on stage, suggesting that the reconnaissance and development work behind them had identified deeply embedded architectural weaknesses — not just surface-level input validation errors. Under ZDI's responsible disclosure policy, vendors now have 90 days to ship patches before technical details become public.

The AI Attack Surface No One Budgeted For

Pwn2Own Berlin 2026 marked the first major competitive focus on AI infrastructure. LiteLLM, used by enterprises to route requests across OpenAI, Anthropic, and Azure endpoints, was exploited through an authentication bypass that gave attackers access to all downstream API keys and conversation logs. Enterprise AI orchestration platforms — deployed by development teams often outside the purview of security operations — were shown to have the same classes of vulnerabilities (SSRF, deserialization, path traversal) that plagued web applications a decade ago.

For Saudi financial institutions adopting AI for fraud detection, customer service automation, and regulatory reporting, this is a wake-up call. These platforms are processing sensitive financial data, PII subject to PDPL, and in some cases making decisions that affect transaction flows. Yet many are deployed with default configurations, minimal network segmentation, and no dedicated monitoring — a gap that SAMA CSCC Domain 3 (Technology) and NCA ECC controls on emerging technology explicitly require organizations to address.

Impact on Saudi Financial Institutions

The products compromised at Pwn2Own are not theoretical targets — they are core infrastructure in most SAMA-regulated environments. Microsoft Exchange handles email for the majority of Saudi banks and insurance companies. SharePoint stores board documents, audit reports, and compliance artifacts. VMware ESXi underpins virtualized data centers across the Kingdom's financial sector. When researchers demonstrate RCE with SYSTEM privileges on Exchange through a crafted email, the implication for Outlook Web Access environments that handle customer communications is immediate.

SAMA CSCC mandates continuous vulnerability management under Domain 2 (Cyber Security Defense) and expects institutions to maintain threat intelligence capabilities under Domain 4 (Third Party Cyber Security). The 90-day disclosure window from ZDI means that between now and mid-August 2026, attackers will be reverse-engineering these patches as they ship. Organizations without a process to deploy critical patches within 72 hours of release — or to implement compensating controls when immediate patching is not feasible — are operating outside the risk tolerance that SAMA expects.

NCA ECC Subcontrol 2-3-1 requires organizations to identify and remediate vulnerabilities in a timely manner. The Pwn2Own results demonstrate that "timely" cannot mean quarterly scanning cycles when weaponized exploits for the same product families appear within hours of patch release. The mean time from CVE publication to working exploit is now approximately 10 hours across tracked vulnerability-exploit pairs in 2026 — a statistic that should drive patch SLA decisions.

Recommendations for Security Teams

  1. Track the 90-day ZDI disclosure timeline. Mark August 14, 2026, as the hard deadline. Between now and then, Microsoft, VMware, and other affected vendors will release patches for all 47 vulnerabilities. Build a tracking sheet mapping each Pwn2Own target to your asset inventory and assign patch owners immediately.
  2. Audit AI infrastructure as you would any critical application. Identify every LLM proxy, AI orchestration layer, and ML pipeline in your environment. Apply the same controls required by SAMA CSCC for internet-facing applications: network segmentation, authentication hardening, logging, and inclusion in your vulnerability management program.
  3. Validate Exchange and SharePoint hardening. The Exchange RCE chain exploited deserialization — a vulnerability class that Web Application Firewalls often miss. Review Extended Protection configurations, disable unnecessary legacy authentication protocols, and ensure OWA is behind a reverse proxy with request inspection capabilities.
  4. Reassess virtualization security assumptions. The ESXi cross-tenant exploit means a compromised guest VM can reach the hypervisor and adjacent tenants. If your core banking or payment processing systems share ESXi clusters with less-critical workloads, implement micro-segmentation at the hypervisor level and review VMware's hardening guides against your current configuration.
  5. Pressure-test your patch SLA. If your current policy allows 30 days for critical patches, the Pwn2Own results — combined with the 10-hour average exploit development window — suggest that 72 hours for internet-facing and email-adjacent systems is the defensible standard. Document this in your SAMA CSCC Domain 2 controls and test it with a tabletop exercise.
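The tracking sheet from step 1 and the SLA test from step 5 can be combined into one script. The example below is added here and is not Fyntralink's tooling; the asset records, patch timestamps and product labels are constructed, and it assumes the 90-day ZDI clock starts on the competition's last day (May 16, 2026), which yields the August 14 deadline named above.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

# Product families demonstrated at Pwn2Own Berlin 2026 (labels are hypothetical
# inventory tags chosen for this example, not vendor identifiers).
PWN2OWN_TARGETS = {"Exchange", "SharePoint", "Windows 11", "ESXi",
                   "Workstation", "Edge", "LiteLLM"}
DISCLOSURE_START = date(2026, 5, 16)   # assumption: clock starts on the last day
ZDI_WINDOW = timedelta(days=90)

@dataclass
class Asset:
    name: str
    product: str
    internet_facing: bool
    email_adjacent: bool
    patch_released: Optional[datetime]   # vendor release time, None if not yet shipped
    patched_at: Optional[datetime]       # when the patch was applied, None if open

def zdi_deadline(start: date = DISCLOSURE_START) -> date:
    """Date on which ZDI may publish technical details."""
    return start + ZDI_WINDOW

def sla_hours(asset: Asset) -> int:
    # 72h for internet-facing or email-adjacent systems, else the legacy 30-day policy
    return 72 if (asset.internet_facing or asset.email_adjacent) else 30 * 24

def assess(assets, now: datetime) -> dict:
    """Map each Pwn2Own-affected asset to (status, hours overdue or remaining)."""
    report = {}
    for a in assets:
        if a.product not in PWN2OWN_TARGETS:
            continue                              # not in scope for this campaign
        if a.patch_released is None:
            report[a.name] = ("awaiting-vendor-patch", None)
            continue
        due = a.patch_released + timedelta(hours=sla_hours(a))
        if a.patched_at is not None and a.patched_at <= due:
            report[a.name] = ("within-sla", 0.0)
        elif a.patched_at is not None:
            report[a.name] = ("patched-late", (a.patched_at - due).total_seconds() / 3600)
        elif now > due:
            report[a.name] = ("sla-breached", (now - due).total_seconds() / 3600)
        else:
            report[a.name] = ("open", (due - now).total_seconds() / 3600)
    return report

# Constructed sample inventory and "current time" for a dry run.
NOW = datetime(2026, 6, 2, 9, 0)
SAMPLE_ASSETS = [
    Asset("owa-01", "Exchange", True, True, datetime(2026, 5, 28, 18, 0), None),
    Asset("sp-intranet", "SharePoint", False, False, datetime(2026, 5, 28, 18, 0), datetime(2026, 6, 1, 10, 0)),
    Asset("esxi-core-01", "ESXi", False, False, None, None),
    Asset("llm-proxy", "LiteLLM", True, False, datetime(2026, 5, 30, 12, 0), datetime(2026, 6, 2, 14, 0)),
    Asset("hr-portal", "InternalApp", True, False, datetime(2026, 5, 30, 12, 0), None),
]

if __name__ == "__main__":
    print("ZDI disclosure deadline:", zdi_deadline())
    for name, (status, hours) in assess(SAMPLE_ASSETS, NOW).items():
        print(f"{name:14} {status:22} {hours}")
```

Assets tagged internet-facing or email-adjacent are held to the 72-hour standard, everything else to the existing 30-day policy, so the report shows where the tighter SLA would already be breached.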

Conclusion

Pwn2Own Berlin 2026 did not reveal new attack categories — it confirmed that the old ones (deserialization, sandbox escapes, authentication bypasses, privilege escalation) remain devastatingly effective against fully patched enterprise products. The addition of AI targets to the competition reflects a reality that most security teams have not yet internalized: AI infrastructure carries the same vulnerability classes as traditional enterprise software but receives a fraction of the security scrutiny. For SAMA-regulated institutions, the next 90 days are a window to get ahead of these disclosures before they become weaponized campaigns.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and a targeted review of your exposure to the Pwn2Own 2026 vulnerability disclosures.