Zero-Day Exploits Hit Windows 11, VMware ESXi, and Firefox

The last day of Pwn2Own Berlin 2025 ended with impressive technical accomplishments, bringing the total prize money to over one million dollars.

Security researchers demonstrated sophisticated exploitation techniques against high-profile targets including Windows 11, VMware ESXi, and Mozilla Firefox, revealing critical zero-day vulnerabilities that vendors must now address.

The three-day hacking competition showcased 28 unique zero-day vulnerabilities, with researchers earning $1,078,750 in total prizes.

Day 3 featured several significant zero-day exploits against major platforms.

Former Master of Pwn winner Manfred Paul successfully exploited Mozilla Firefox using an integer overflow vulnerability in the rendering engine, earning $50,000 and 5 Master of Pwn points.

This renderer-only exploit demonstrated how sophisticated attackers might compromise systems through browser vulnerabilities.

Windows 11 security was breached twice during the day.

Miloš Ivanović used a race condition vulnerability to escalate privileges to SYSTEM level in the final attempt of the competition, earning $15,000.

Earlier, a DEVCORE Research Team member successfully demonstrated privilege escalation on Windows 11, though one of the two bugs used was already known to Microsoft.

VMware’s virtualization products proved vulnerable as well. Corentin BAYET from Reverse_Tactics exploited VMware ESXi using an integer overflow vulnerability and a previously reported uninitialized variable bug, earning $112,500 despite the partial collision.

Additionally, Thomas Bouzerar and Etienne Helluy-Lafont from Synacktiv successfully exploited VMware Workstation through a heap-based buffer overflow, netting $80,000 and 8 Master of Pwn points.

STAR Labs SG Claims

STAR Labs SG emerged as the overall winner, claiming the prestigious Master of Pwn title with $320,000 in earnings and 35 points.

Their team demonstrated exceptional technical prowess across multiple categories.

In one particularly impressive demonstration, team members Dung and Nguyen exploited a time-of-check-to-time-of-use (TOCTOU) race condition to escape a virtual machine, combining it with an improper validation of array index vulnerability to escalate privileges in Windows.

This complex attack chain earned them $70,000 and 9 Master of Pwn points.

However, not all attempts were successful. The STAR Labs team failed to exploit NVIDIA’s Triton Inference Server within the allotted time frame, highlighting the challenging nature of the competition even for elite researchers.

Highlights of a Record-Breaking Prize Pool

According to the report, the 2025 Berlin event marked a significant milestone with $1,078,750 awarded across three days, $383,750 of it on the final day alone.

This record-breaking prize pool underscores the growing importance and economic value of security research in an increasingly connected world.

Of the 28 unique zero-days purchased and disclosed during the event, seven came from the AI category, reflecting the expanding attack surface as artificial intelligence systems become more prevalent.

The competition format continues to serve as an effective mechanism for identifying critical vulnerabilities before malicious actors can exploit them.

The event, hosted by OffensiveCon, brought together elite security researchers and vendors in a cooperative framework that benefits the entire technology ecosystem.

Vendors have already begun addressing the disclosed vulnerabilities, demonstrating the event’s practical impact on improving digital security for users worldwide.
