Full Report
During the second day of Pwn2Own Berlin 2025, competitors earned $435,000 after exploiting zero-day bugs in multiple products, including Microsoft SharePoint, VMware ESXi, Oracle VirtualBox, Red Hat Enterprise Linux, and Mozilla Firefox. [...]
Analysis Summary
This summary is based on the context provided regarding vulnerabilities demonstrated or discussed during the Pwn2Own Berlin 2025 competition. Specific CVEs and exact severity scores are not detailed for all mentioned flaws, as they are contextually presented as demonstrations of *zero-day* exploits during a contest.
# Vulnerability: Zero-Day Exploits Demonstrated at Pwn2Own Berlin 2025
## CVE Details
- CVE ID: Not explicitly assigned for all described flaws at the time of reporting (as they are active zero-days demonstrated at the event). Mentions include vulnerabilities in VMware ESXi, Microsoft SharePoint, Windows 11, Red Hat Linux, and Oracle VirtualBox.
- CVSS Score: Not provided for all specific flaws, but contextually implies High severity due to successful zero-day exploitation.
- CWE: Not specified for all flaws.
## Affected Systems
- Products: VMware ESXi, Microsoft SharePoint, Windows 11, Red Hat Linux, Oracle VirtualBox, Mozilla Firefox, Nvidia Triton Inference Server, Nvidia Container Toolkit, Redis, SAP NetWeaver.
- Versions: Specific vulnerable versions are not detailed; the contest focuses on exploiting *fully patched* products.
- Configurations: Exploits target enterprise technologies across virtualization, servers, operating systems, and AI categories.
## Vulnerability Description
The article describes several zero-day vulnerabilities exploited during the Pwn2Own Berlin 2025 hacking competition. Specific examples of successful exploitation include:
- A chain of vulnerabilities leading to compromise of **VMware ESXi**.
- Exploitation of **Microsoft SharePoint** zero-days.
- Successful exploitation of **Windows 11** and **Red Hat Linux**.
- An **Oracle VirtualBox** guest-to-host escape utilizing an out-of-bounds write.
- A **Use-After-Free (UAF) zero-day** targeting **Redis**.
- A chain of four flaws targeting **Nvidia's Triton Inference Server**.
## Exploitation
- Status: **Exploited live at the competition** (the demonstrations show working exploitation capability; the article does not report attacks in the wild outside the contest).
- Complexity: **Medium to High** (implied, since the demonstrations required chaining multiple flaws or exploiting complex root causes such as a UAF or an OOB write in fully patched systems).
- Attack Vector: Varies by product, likely including **Network** (SharePoint, ESXi, Redis) and potentially **Local/Privilege Escalation** (OS and virtualization targets).
## Impact
- Confidentiality: High (Implied by successful remote exploits on server/virtualization platforms).
- Integrity: High (Implied by successful remote exploits allowing code execution or system takeover).
- Availability: Medium to High (Depending on the specific vulnerability, leading to potential system denial or crash).
## Remediation
### Patches
- Patches are expected to be released by vendors within 90 days of disclosure at Pwn2Own, before Trend Micro's Zero Day Initiative publishes technical details.
- Specific fixed versions are **not listed** as the article is reporting *on* the active exploitation attempts.
### Workarounds
- No specific workarounds are detailed in the provided context. General mitigation for zero-days involves enhanced network monitoring and strict access controls until patches are released.
## Detection
- **Indicators of Compromise (IOCs):** Not specified, but typical indicators for these technologies should be monitored, such as unexpected process execution, unauthorized system calls, or anomalous network traffic related to the exploited services (ESXi management interfaces, SharePoint application pools, Redis queries).
- **Detection methods and tools:** General defense against zero-days includes real-time endpoint detection and response (EDR) tailored for the affected products and active monitoring for MITRE ATT&CK techniques often associated with these exploits (information gathering, execution, persistence). *Note: The article references external research on the Top 10 MITRE ATT&CK Techniques.*
## References
- Vendor advisories: Pending disclosure timeline following Pwn2Own.
- Relevant links (defanged):
  - bleepingcomputer com/news/security/hackers-exploit-vmware-esxi-microsoft-sharepoint-zero-days-at-pwn2own/
  - bleepingcomputer com/news/security/windows-11-and-red-hat-linux-virtualbox-hacked-on-first-day-of-pwn2own/
  - zerodayinitiative com/blog/2025/2/24/announcing-pwn2own-berlin-2025
  - zerodayinitiative com/blog/2025/5/14/pwn2own-berlin-the-full-schedule#day3