VULNERABILITY BRIEF · 🟠 High · Vulnerability

Zero‑Day Exploits Uncovered at Pwn2Own Berlin 2026 Highlight Critical Vulnerabilities in Microsoft SharePoint, VMware ESXi, and More

The Pwn2Own Berlin 2026 competition revealed 47 zero‑day flaws, including a chained exploit against Microsoft SharePoint that earned $100 k. These findings affect core enterprise platforms and demand immediate patch verification for third‑party risk management.

LiveThreat™ Intelligence · 📅 May 17, 2026 · 📰 securityaffairs.com

  • Severity: High
  • Type: Vulnerability
  • Confidence: High
  • Affected: 3 sector(s)
  • Actions: 3 recommended
  • Source: securityaffairs.com

Zero‑Day Exploits Uncovered at Pwn2Own Berlin 2026 Highlight Critical Vulnerabilities in Microsoft SharePoint, VMware ESXi, Windows 11, Red Hat Enterprise Linux and OpenAI Codex

What Happened — Over three days, the Pwn2Own Berlin 2026 competition yielded 47 unique zero‑day vulnerabilities and $1,298,250 in researcher payouts. The DEVCORE team dominated, chaining two bugs to compromise Microsoft SharePoint for a $100 k prize and securing the “Master of Pwn” title with $505 k in earnings.

Why It Matters for TPRM

  • Zero‑day disclosures can force rapid patch cycles that impact service continuity for downstream vendors.
  • Exploited products (SharePoint, ESXi, Windows 11, RHEL, OpenAI Codex) are core components in many third‑party supply chains.
  • High‑value payouts signal that the vulnerabilities are both novel and exploitable, raising the risk profile of any organization that relies on these platforms.

Who Is Affected — Cloud‑service providers, enterprise SaaS vendors, managed service providers, and any organization that integrates Microsoft SharePoint, VMware ESXi, Windows 11, Red Hat Enterprise Linux, or OpenAI Codex into its stack.

Recommended Actions

  • Verify that all affected products are patched to the latest vendor releases.
  • Review third‑party contracts for clauses on vulnerability disclosure and patch timelines.
  • Accelerate vulnerability‑management workflows for any downstream services that consume the affected components.

Technical Notes — The SharePoint compromise involved a chained “two‑bug” exploit (remote code execution via a logic flaw and a privilege‑escalation flaw). Other disclosed bugs targeted memory‑corruption paths in VMware ESXi and kernel‑level flaws in Windows 11 and RHEL. No CVE numbers were assigned at the time of reporting; they will be published by the Zero‑Day Initiative in the coming weeks. Source: Security Affairs

📰 Original Source
https://securityaffairs.com/192250/hacking/pwn2own-berlin-2026-day-three-devcore-crowned-master-of-pwn-1-298-million-total.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
