Pwn2Own Day 3: Windows 11, VMware ESXi, and Firefox Hacked in Zero-Day Exploits


The third and final day of Pwn2Own 2025 in Berlin closed with major wins for security researchers, exposing critical zero-day vulnerabilities in Windows 11, VMware ESXi, and Mozilla Firefox. The event, organized by OffensiveCon, awarded over $1 million in total prize money—highlighting the urgent need for vendors to address these newly discovered threats.

Major Exploits on Day 3

Firefox Browser Breach

Former Master of Pwn Manfred Paul demonstrated an integer overflow vulnerability in Firefox’s rendering engine, earning $50,000 and 5 Master of Pwn points. This exploit, though limited to the renderer process, underscores how modern browsers remain a high-value target for attackers.

Windows 11 Privilege Escalation

Two successful exploits targeted Windows 11:

  • Miloš Ivanović showcased a race condition to escalate privileges to SYSTEM level, winning $15,000.
  • A member of the DEVCORE Research Team exploited a privilege escalation bug—although one of the bugs was already known to Microsoft, which reduced the payout.

These attacks emphasize that even the latest versions of Windows can be vulnerable to sophisticated privilege escalation techniques.

VMware ESXi and Workstation Compromised

Virtualization platforms were another focal point on Day 3:

  • Corentin BAYET (Reverse_Tactics) used an integer overflow and uninitialized variable bug to breach VMware ESXi, earning $112,500.
  • Thomas Bouzerar and Etienne Helluy-Lafont (Synacktiv) exploited a heap-based buffer overflow in VMware Workstation, receiving $80,000 and 8 Master of Pwn points.

These vulnerabilities could enable malicious users to escape virtual environments or disrupt enterprise workloads.

STAR Labs SG Takes the Crown

STAR Labs SG claimed the Master of Pwn title, taking home $320,000 and scoring 35 points across multiple categories.

A standout exploit involved:

  • A TOCTOU (Time-of-Check-to-Time-of-Use) race condition to escape a virtual machine.
  • Combined with an improper validation of array index vulnerability, the team escalated privileges in Windows.

The attack earned $70,000 and 9 points, showcasing expert chaining of vulnerabilities across platforms.

Despite their dominance, STAR Labs failed to exploit NVIDIA’s Triton Inference Server, proving that even top-tier researchers face limits in this complex threat landscape.

Pwn2Own 2025 Recap: Milestones and Metrics

  • Total Prize Pool: $1,078,750
  • Final Day Awards: $383,750
  • Unique Zero-Days Disclosed: 28
  • AI Exploits: 7
  • Top Payout: $112,500 (VMware ESXi by BAYET)
  • Top Team: STAR Labs SG

This year’s Pwn2Own emphasized the economic and defensive value of proactive security research. The disclosed vulnerabilities are already being patched by vendors, reinforcing the critical role of cooperative cybersecurity events.

The Future of Exploit Discovery

Pwn2Own continues to demonstrate that even hardened platforms like Windows 11 and VMware are susceptible to unknown attacks. The rising number of AI-related vulnerabilities also highlights how emerging technologies are becoming part of the attack surface.

Events like this serve as a collaborative firewall, giving vendors time to patch flaws before they can be exploited in the wild.
