Security researchers exploited 24 zero-day vulnerabilities in Microsoft's Windows 11 and Edge browser on the first day of Pwn2Own Berlin 2026, collecting $523,000 in prize money.
The annual hacking competition saw rapid success as participants demonstrated critical flaws across Microsoft's flagship operating system and web browser. The $523,000 in awards distributed on day one reflects the severity and value of the vulnerabilities discovered.
Pwn2Own Berlin 2026 brings together elite security researchers from around the world to identify and responsibly disclose zero-day exploits. The competition incentivizes researchers to find bugs before malicious actors can weaponize them, with substantial cash rewards based on vulnerability severity and complexity.
The 24 zero-days found represent a significant number of previously unknown security gaps. Windows 11 and Edge remain primary targets at the event due to their widespread deployment across consumer and enterprise environments. Researchers demonstrating successful exploitation earn recognition and financial rewards while providing Microsoft with detailed technical information needed to develop patches.
Microsoft typically works with competition organizers and researchers to understand each vulnerability's scope and develop fixes. The company has a history of addressing zero-days discovered at Pwn2Own events through regular security updates.
Pwn2Own Berlin continues through multiple days, with additional categories covering other software and hardware platforms. Past editions have revealed vulnerabilities in browsers, operating systems, virtual machines, and IoT devices.
The discovery of these vulnerabilities at a controlled event allows Microsoft and security researchers to collaborate on fixes before attackers gain access to exploit code. Participants sign agreements ensuring responsible disclosure practices and preventing the premature public release of exploit details.
For enterprise users and Windows 11 adopters, the findings underline the importance of maintaining current patch levels and security practices. Microsoft's regular update cycle allows users to receive fixes for reported vulnerabilities within standard servicing timelines.
U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.
Tailscale disclosed a critical vulnerability in its SSH implementation that allowed attackers to gain root access through insecure argument handling. The flaw has been patched in recent versions.
A new study found that social media platforms referred over 5.7 million visits to nonconsensual deepfake pornography sites between December 2025 and March 2026, with YouTube and X accounting for the majority of traffic.