Zero‑Day Exploits on Microsoft Exchange and Windows 11 Unveiled at Pwn2Own Berlin 2026
What Happened – During day 2 of the Pwn2Own Berlin 2026 competition, researchers chained three previously unknown vulnerabilities to achieve remote code execution with SYSTEM privileges on Microsoft Exchange, and an integer‑overflow bug was used to gain arbitrary code execution on a fully patched Windows 11 workstation.
Why It Matters for TPRM –
- Zero‑day flaws in core email and OS platforms indicate a high likelihood of future weaponisation against enterprise customers.
- Vendors have a 90‑day remediation window; organizations must verify patch timelines and compensating controls.
- Demonstrated exploits bypass typical hardening, highlighting gaps in existing security baselines.
Who Is Affected – Enterprises that rely on Microsoft Exchange (cloud‑hosted or on‑prem) and Windows 11 endpoints across all sectors, especially those with remote‑access or web‑mail exposure.
Recommended Actions –
- Confirm that your Microsoft Exchange deployments are running the latest security patches; track vendor advisory for CVE assignments.
- Accelerate Windows 11 patch management and enforce application‑allow‑list policies.
- Review and strengthen network segmentation and monitoring for anomalous Exchange traffic.
Technical Notes – The Exchange chain combined a remote code execution bug, a privilege‑escalation flaw, and a logic error to obtain SYSTEM rights. The Windows 11 issue is an integer overflow in a privileged service that enables arbitrary code execution. Both exploits required no user interaction and worked on fully updated systems. Source: BleepingComputer