Executive Summary
During the second day of Pwn2Own Berlin 2026, security researchers demonstrated 15 unique zero-day vulnerabilities across multiple products, including Microsoft Exchange, Windows 11, and Red Hat Enterprise Linux for Workstations. Notably, Cheng-Da Tsai of the DEVCORE Research Team earned $200,000 by chaining three bugs to achieve remote code execution with SYSTEM privileges on Microsoft Exchange. Additionally, Siyeon Wi exploited an integer overflow bug to hack Windows 11, and Ben Koo of Team DDOS escalated privileges to root on Red Hat Enterprise Linux for Workstations, earning $7,500 and $10,000 respectively. (bleepingcomputer.com)
This incident underscores the persistent vulnerabilities in widely used enterprise software and highlights the critical need for organizations to prioritize timely patching and robust security measures to mitigate the risks associated with zero-day exploits.
Why This Matters Now
The successful exploitation of zero-day vulnerabilities in widely used enterprise software during Pwn2Own Berlin 2026 highlights the urgent need for organizations to prioritize timely patching and robust security measures to mitigate the risks associated with such exploits.
Attack Path Analysis
Attackers exploited zero-day vulnerabilities in Microsoft Exchange and Windows 11 to gain initial access. They escalated privileges to SYSTEM level, moved laterally within the network, established command and control channels, exfiltrated sensitive data, and caused significant operational impact.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited zero-day vulnerabilities in Microsoft Exchange and Windows 11 to gain unauthorized access.
Related CVEs
CVE-2026-42897
CVSS 6.1. An improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
Affected Products:
Microsoft Exchange Server – 2019, 2016
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter
Exploitation for Privilege Escalation
Valid Accounts
OS Credential Dumping
Remote Services
Exfiltration Over C2 Channel
Inhibit System Recovery
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Asset Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
Zero-day exploits targeting Windows 11, Microsoft Exchange, and AI coding agents create critical vulnerabilities in core IT infrastructure and development environments.
Financial Services
Microsoft Exchange and Windows 11 zero-days threaten encrypted communications and privileged access controls essential for regulatory compliance and secure transactions.
Health Care / Life Sciences
Exchange server compromises and privilege escalation attacks risk HIPAA violations through unauthorized access to protected health information and patient data.
Computer Software/Engineering
AI coding agent exploits and container toolkit vulnerabilities directly compromise software development pipelines, source code integrity, and deployment security.
Sources
- Microsoft Exchange, Windows 11 hacked on second day of Pwn2Own – https://www.bleepingcomputer.com/news/security/pwn2own-day-two-hackers-demo-microsoft-exchange-windows-11-red-had-enterprise-linux-zero-days/ (Verified)
- CVE-2026-42897: Microsoft confirms active exploitation of Exchange Server zero-day – https://securityaffairs.com/192204/security/cve-2026-42897-microsoft-confirms-active-exploitation-of-exchange-server-zero-day.html (Verified)
- Pwn2Own Berlin 2026 - Day One Results – https://www.zerodayinitiative.com/blog/2026/5/13/pwn2own-berlin-2026-day-one-results (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to move laterally, escalate privileges, establish command and control channels, and exfiltrate data, thereby reducing the overall impact of the breach.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While initial exploitation may still occur, CNSF could limit the attacker's ability to leverage compromised systems to further infiltrate the network.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation could limit the attacker's ability to escalate privileges by enforcing strict access controls and minimizing trust relationships.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security could constrain lateral movement by monitoring and controlling internal traffic flows, thereby limiting unauthorized access to other systems.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control could detect and limit unauthorized command and control communications, thereby reducing the attacker's ability to maintain persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement could restrict unauthorized data exfiltration by controlling outbound traffic, thereby reducing the risk of data loss.
Implementing Aviatrix Zero Trust CNSF could reduce the overall impact of such attacks by limiting the attacker's ability to escalate privileges, move laterally, and exfiltrate data.
Impact at a Glance
Affected Business Functions
- Email Communication
- Calendar Scheduling
- Contact Management
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive corporate emails, including confidential business information and personal data.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to limit lateral movement within the network.
- Deploy Inline IPS (Suricata) to detect and prevent exploitation of known vulnerabilities.
- Utilize Multicloud Visibility & Control to monitor and manage network traffic across cloud environments.
- Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
- Establish Threat Detection & Anomaly Response mechanisms to identify and respond to suspicious activities promptly.