Pwn2Own Berlin 2026: Researchers Earned $1.3 Million Exploiting 47 Zero-Days
ZERO-DAY | May 20, 2026 | 4 min read

At Pwn2Own Berlin 2026, competitive security researchers walked away with $1,298,250 in prize money after successfully demonstrating 47 previously unknown vulnerabilities across a range of software targets, according to BleepingComputer. The contest concluded on May 18, 2026, and represents one of the most productive Pwn2Own events in recent memory.

What Happened

Pwn2Own is an annual hacking competition organized by Trend Micro's Zero Day Initiative (ZDI). Participants attempt to exploit fully patched, up-to-date software. When they succeed using a technique the vendor has not seen before, it qualifies as a zero-day. Vendors are then privately notified so they can patch before details become public.

At the Berlin 2026 event, 47 such zero-days were demonstrated across multiple product categories. The $1,298,250 total payout reflects both the volume and severity of the findings. Specific products targeted and technical exploit details had not been fully disclosed at the time of reporting, which is standard practice while vendors work on patches.

Why This Matters to Small Teams

At first glance, a high-profile hacking contest involving elite researchers might seem distant from the reality of a solo developer or a two-person startup. It is not. Every zero-day demonstrated at Pwn2Own represents a flaw that exists right now in software your stack likely depends on. Browsers, operating systems, virtualization platforms, and server software are all typical targets. Your production server, your CI/CD pipeline, and your team's laptops all run this software.

The important detail about Pwn2Own is the disclosure model. Once vendors receive notification, they race to ship patches. That patch release is itself a signal to the broader attacker community. Reverse-engineering a patch to reconstruct the exploit is a well-known technique. The window between a patch release and active exploitation in the wild can be measured in days or even hours. Small teams that delay routine patching are the ones most exposed during that window.

Small teams also tend to carry more unmanaged attack surface than they realize: a forgotten staging server, an outdated self-hosted tool, or a dependency that auto-installed an older version months ago. These are exactly the kinds of targets that get swept up when exploits go from "competition demo" to "mass exploitation" after public disclosure.

How to Stay Protected

  1. Patch immediately after vendor advisories drop. When Pwn2Own results become public and vendors release fixes, treat those patches as urgent. Do not batch them into a monthly maintenance window.

  2. Inventory your software stack. Know every piece of software running on every server and endpoint your team uses. You cannot patch what you do not know exists.

  3. Enable automatic security updates where you can. For operating systems and common runtimes, automated patching reduces the time between patch release and protection.

  4. Reduce your attack surface. Turn off services, ports, and features you do not use. A zero-day in software you are not running cannot hurt you.

  5. Monitor ZDI and vendor security advisories. The Zero Day Initiative publishes advisories as vendors ship fixes. Subscribe to the relevant vendor security channels for software in your stack.

  6. Scan your web-facing assets regularly. Many post-Pwn2Own exploits eventually surface as web-level attacks. Regular external scanning catches misconfigurations and exposed services before attackers do.

How UNPWNED Helps

UNPWNED scans your public-facing web assets for exposed services, outdated software signals, and common misconfigurations that increase your exposure when new exploits go public. While UNPWNED does not perform deep binary exploitation testing, catching an unnecessarily exposed admin panel, an outdated server header advertising an old software version, or missing security headers reduces the footprint that opportunistic attackers can target in the days after a major zero-day disclosure. Regular scans help you stay ahead of the low-hanging-fruit phase of any new exploit wave.
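The checks described above (an outdated server header advertising a version, missing security headers) and step 6 of the list can be approximated offline against a captured HTTP response. The following is an added example, not UNPWNED's code or scanner; the header names and the two sample responses are constructed for illustration, and the baseline set of required headers is an assumption about what a minimal policy should include.

```python
"""Offline check of HTTP response headers for exposure signals.

Added example (not UNPWNED's code). Given a raw HTTP response, it flags
server-side headers that advertise a software version and baseline
security headers that are absent. The sample responses are constructed.
"""
import re
from typing import Dict, List

# Headers that commonly leak a product version (assumed list, not exhaustive).
VERSION_LEAK_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

# Baseline security headers and the finding text when each is absent (assumption).
REQUIRED_SECURITY_HEADERS = {
    "strict-transport-security": "HSTS missing: HTTPS is not enforced on repeat visits",
    "content-security-policy": "CSP missing: no restriction on script sources",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing and CSP has no frame-ancestors: framing allowed",
}

# Matches dotted version numbers such as 2.4.29 or 7.2.24.
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Parse the status line and headers of a raw HTTP response into a
    lower-cased name -> value dict. Parsing stops at the first blank line."""
    headers: Dict[str, str] = {}
    for line in raw_response.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def find_exposures(headers: Dict[str, str]) -> List[str]:
    """Return a list of human-readable findings for the given headers."""
    findings: List[str] = []
    for name in VERSION_LEAK_HEADERS:
        value = headers.get(name)
        if value and VERSION_RE.search(value):
            findings.append(f"{name} advertises a version: {value}")
    csp = headers.get("content-security-policy", "")
    for name, message in REQUIRED_SECURITY_HEADERS.items():
        if name in headers:
            continue
        # X-Frame-Options is redundant when CSP already carries frame-ancestors.
        if name == "x-frame-options" and "frame-ancestors" in csp:
            continue
        findings.append(message)
    return findings


# Constructed sample: a server that leaks versions and sets no security headers.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed sample: version hidden and a baseline policy set.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"[{label}]")
        for finding in find_exposures(parse_headers(raw)) or ["no findings"]:
            print("  -", finding)
```

The weak sample produces six findings (two version disclosures and four missing headers); the hardened sample produces none, because the `frame-ancestors` directive in its CSP makes `X-Frame-Options` unnecessary. Removing a version string from a header does not patch the underlying software; it only denies an opportunistic attacker the easy fingerprint that step 1 of the list is meant to make irrelevant.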


This post was drafted with AI assistance based on authoritative security sources, then published under editorial review.