
Pwn2Own Day 2: Researchers Earn Over $790,000 Exposing Critical Zero-Day Vulnerabilities
The second day of the prestigious Pwn2Own hacking competition in Vancouver saw an unprecedented display of skill, as security researchers uncovered a staggering 56 unique zero-day exploits in some of the world’s most popular software and hardware. A total of $790,000 was awarded for these critical discoveries, highlighting the vital role ethical hackers play in strengthening global cybersecurity.
The day was marked by successful attacks against high-value targets, including Tesla vehicles, Windows 11, VMware Workstation, and Oracle VirtualBox, proving that even the most well-defended systems can have hidden flaws.
The Automotive Main Event: Tesla Hacked Again
In a highlight of the competition, the Synacktiv team once again demonstrated their mastery by successfully hacking a Tesla Model 3. Their sophisticated exploit targeted the vehicle’s electronic control unit (ECU) through the CAN bus, allowing them to gain control over critical systems. This impressive feat earned them a $200,000 prize and a brand-new Tesla. This demonstration underscores the growing importance of cybersecurity in the automotive industry as vehicles become increasingly connected.
Virtualization and Operating Systems Under Siege
Virtualization platforms, which are crucial for cloud computing and corporate IT, were a primary focus for researchers.
- VMware Workstation Breached: The STAR Labs team executed a complex double-exploit chain against VMware Workstation. They combined a heap-based overflow with a dangling pointer vulnerability to escape the virtual machine and execute code on the host operating system, earning them $130,000.
- Oracle VirtualBox Falls: In another significant virtualization exploit, a researcher successfully compromised Oracle VirtualBox, achieving a “guest-to-host” escape. This type of attack is particularly dangerous as it breaks the fundamental security barrier between a virtual environment and the underlying physical machine.
- Windows 11 Kernel Exploited: Multiple teams successfully targeted the core of Microsoft’s latest operating system. Researchers were able to achieve privilege escalation on Windows 11, gaining SYSTEM-level access—the highest level of control. These exploits often leverage subtle flaws in kernel drivers to bypass security measures, and they were awarded prizes ranging from $30,000 to $100,000 per successful attempt.
Browser Security Put to the Test
Web browsers remain a primary entry point for attackers, and the competition proved they are still a fertile ground for vulnerabilities. Researchers demonstrated successful exploits against all major browsers:
- Google Chrome and Microsoft Edge: Several researchers developed exploits that could compromise both Chrome and Edge, often achieving code execution by bypassing sandbox protections.
- Mozilla Firefox: The competition also saw a successful exploit against Firefox, earning the researcher a $100,000 prize for a complex attack that went from the browser’s renderer process all the way to kernel-level access.
Why This Matters and What You Can Do
The discoveries at Pwn2Own are not just academic exercises; they represent real-world threats that could be used by malicious actors if left undiscovered. The competition provides a controlled environment for these vulnerabilities to be found and reported responsibly to the vendors. Now, companies like Tesla, Microsoft, VMware, and Google have the critical information they need to develop and release security patches.
For end-users and businesses, these events serve as a powerful reminder of the importance of proactive security hygiene.
Actionable Security Tips:
- Enable Automatic Updates: This is the single most important step you can take. When vendors release patches for these vulnerabilities, automatic updates ensure you are protected as quickly as possible.
- Practice the Principle of Least Privilege: Do not run your daily tasks using an administrator account. Using a standard user account can limit the damage an exploit can do.
- Use Reputable Security Software: A modern antivirus or endpoint detection and response (EDR) solution can often detect and block the techniques used in these types of exploits, providing an essential layer of defense.
- Stay Informed: Understanding the types of threats being discovered helps you appreciate the importance of security measures and remain vigilant against phishing or other social engineering tactics that could deliver an exploit.
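The two tips that can be checked mechanically on a Windows 11 host are least privilege and automatic updates. The following PowerShell script is an added example written for this page; it is not from the article or from any of the vendors named above. It assumes a Windows 10/11 machine with PowerShell 5.1 or later, is read-only (it changes no settings), and reports whether the current account is in the local Administrators group, whether the session is currently elevated, whether Windows Update is enabled or disabled by policy, and how long it has been since the last update was installed. The 45-day threshold is an arbitrary value chosen for the example.

```powershell
# Added example (not from the article): a read-only self-audit for the
# "least privilege" and "automatic updates" tips above. Run on Windows 10/11.

# --- Least privilege: group membership versus current elevation ---
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

# Under UAC, an Administrators-group member normally runs with a filtered
# (medium-integrity) token, so "in the group" and "elevated now" are different checks.
$isElevated   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$adminSid     = 'S-1-5-32-544'   # well-known SID of the local Administrators group
$inAdminGroup = [bool]($identity.Groups | Where-Object { $_.Value -eq $adminSid })

Write-Host "User:                 $($identity.Name)"
Write-Host "Administrators group: $inAdminGroup"
Write-Host "Elevated right now:   $isElevated"
if ($inAdminGroup) {
    Write-Warning "Daily-use account is a member of Administrators; use a standard account and elevate only when needed."
}

# --- Automatic updates: service state and policy override ---
$wu = Get-Service -Name wuauserv
Write-Host "Windows Update service: Status=$($wu.Status) StartType=$($wu.StartType)"
if ($wu.StartType -eq 'Disabled') {
    Write-Warning "Windows Update service is disabled; patches will not install automatically."
}

# Group Policy registry value. If the key or value is absent, the default (auto-update on) applies.
$auKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$noAuto = (Get-ItemProperty -Path $auKey -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
if ($noAuto -eq 1) {
    Write-Warning "Policy NoAutoUpdate=1 is set: automatic updates are turned off by policy."
} else {
    Write-Host "No policy disabling automatic updates was found."
}

# --- Patch recency: age of the newest installed hotfix ---
$latest = Get-HotFix |
    Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($latest) {
    $ageDays = [int]((Get-Date) - $latest.InstalledOn).TotalDays
    Write-Host "Most recent hotfix: $($latest.HotFixID) installed $ageDays days ago"
    if ($ageDays -gt 45) {   # threshold chosen for this example, not a vendor recommendation
        Write-Warning "No update installed in over 45 days; check Windows Update manually."
    }
} else {
    Write-Host "No hotfix install dates reported by Get-HotFix."
}
```

Run it from an ordinary (non-elevated) PowerShell window to see the distinction the script draws: an account in the Administrators group will report `Elevated right now: False` until UAC elevation, which is exactly the filtered-token behaviour that limits what a browser or document exploit can do when it lands in a standard-privilege session.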
The Pwn2Own competition continues to prove its value, fostering a collaboration between the world’s top security talent and major technology vendors to make the digital world safer for everyone.
Source: https://www.bleepingcomputer.com/news/security/samsung-galaxy-s25-hacked-on-day-two-of-pwn2own-ireland-2025/