Microsoft Exchange, Windows 11, and Cursor Zero-Days Exploited on Pwn2Own Day 2
Cybersecurity NewsArchived May 16, 2026✓ Full text saved
Pwn2Own Berlin 2026 is rapidly escalating into one of the most intense offensive security contests in recent years, with Day Two delivering a fresh wave of critical zero-day exploits targeting enterprise software, AI tools, and operating systems. Security researchers demonstrated real-world attack scenarios against high-value targets, including Microsoft Exchange, Windows 11, and AI coding platforms, […] The post Microsoft Exchange, Windows 11, and Cursor Zero-Days Exploited on Pwn2Own Day 2 app
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
Microsoft Exchange, Windows 11, and Cursor Zero-Days Exploited on Pwn2Own Day 2
By Dhivya
May 16, 2026
Pwn2Own Berlin 2026 is rapidly escalating into one of the most intense offensive security contests in recent years, with Day Two delivering a fresh wave of critical zero-day exploits targeting enterprise software, AI tools, and operating systems.
Security researchers demonstrated real-world attack scenarios against high-value targets, including Microsoft Exchange, Windows 11, and AI coding platforms, highlighting the growing attack surface in modern environments.
Following a strong opening day, the second day added $385,750 in rewards for 15 new zero-day vulnerabilities, pushing the total to $908,750 and 39 unique bugs discovered so far. DEVCORE continues to dominate the leaderboard, largely due to a high-impact Microsoft Exchange compromise.
Microsoft Exchange RCE Steals the Spotlight
The most significant exploit of the day came from Orange Tsai of DEVCORE, who chained three vulnerabilities to achieve remote code execution (RCE) with SYSTEM privileges on Microsoft Exchange, as reported by Zero Day Initiative.
Microsoft Exchange Exploited (Source: Zero Day Initiative)
This full-chain attack earned $200,000 and 20 Master of Pwn points, making it the highest-value exploit of the event so far.
This type of attack is particularly dangerous because Exchange servers often sit at the core of enterprise communication. A successful RCE allows attackers to control email infrastructure fully, potentially enabling espionage, lateral movement, and data exfiltration.
For example, in a real-world scenario, an attacker exploiting Exchange could silently access internal emails, deploy malware, or impersonate executives in phishing campaigns.
Windows 11 and Linux Privilege Escalations
Operating systems were also heavily targeted. Siyeon Wi successfully exploited an integer overflow vulnerability in Windows 11, gaining elevated privileges and earning $7,500.
Windows 11 Exploited (Source: Zero Day Initative)
While smaller in payout, such bugs are critical because they can turn limited access into full system control.
On the Linux side, Ben Koo of Team DDOS exploited a use-after-free flaw to escalate privileges on Red Hat Enterprise Linux, reinforcing the fact that memory safety issues continue to plague core systems.
Linux exploited (Source: Zero Day Initative)
AI and developer-focused tools emerged as major targets this year. Notably:
Cursor IDE was successfully exploited twice by different teams, confirming multiple vulnerabilities in AI-assisted coding environments.
OpenAI Codex was compromised by the Summoning Team using a novel exploit chain.
LM Studio was the victim of a code-injection attack by OtterSec researchers.
These findings underline a key trend: AI-powered development tools are becoming high-value targets due to their access to source code and developer workflows.
Not all attempts were successful. Exploits targeting Apple Safari, Microsoft SharePoint, and Mozilla Firefox failed during execution, showing the increasing difficulty of reliable exploitation even when vulnerabilities are known.
Meanwhile, several entries resulted in “collision” outcomes, where researchers demonstrated valid exploits using previously discovered bugs. While still rewarded, these highlight overlapping research efforts within the security community.
With one day remaining, DEVCORE leads with 40.5 points and $405,000, but the race for “Master of Pwn” is still open. As more zero-days are expected, vendors, including Microsoft, Red Hat, and AI platform providers, will race to patch newly exposed vulnerabilities.
Pwn2Own Berlin continues to demonstrate how quickly attackers can chain multiple bugs into devastating exploits, offering defenders a critical early warning of what could soon appear in the wild.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Linux
Microsoft
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Dhivyahttps://cybersecuritynews.com/
Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
Trending News
TrickMo Android Banking Malware Targets Banking, Wallet, and Authenticator Apps
Popular Go Library fsnotify Raises Supply Chain Alarms After Maintainer Access Changes
Amazon Redshift JDBC Driver Vulnerabilities Enables Remote Code Execution Attacks
Cisco Catalyst SD-WAN Controller 0-Day Actively Exploited to Gain Admin Access
Android 16 VPN Bypass Lets Malicious Apps Reveal Users Real IP Address
Latest News
Cyber Security News
Malicious JPEG Images Could Trigger PHP Memory Safety Vulnerabilities
Cyber Security News
Critical Linux Kernel Flaw ‘ssh-keysign-pwn’ Exposes SSH Keys and Shadow Passwords
Cyber Security News
Google Project Zero Discloses Zero-Click Exploit Chain for Pixel 10 Devices
Android
Android 16 VPN Bypass Lets Malicious Apps Reveal Users Real IP Address
Cyber Security News
Gunra Ransomware Expands RaaS Operations After Shifting From Conti-Based Locker