Security News Windows 11, Microsoft Edge, and Exchange hacked at Pwn2Own

[Gandalf_The_Grey]

Content source

https://www.neowin.net/news/windows-11-microsoft-edge-and-exchange-hacked-at-pwn2own/

Some of you may know about Pwn2Own, a hacking contest organized twice a year by Zero Day Initiative (ZDI), challenging ethical hackers to find 0-day exploits in popular products within the allotted time, with huge crash prizes on offer. In the past, we have seen Windows 11, Teams, iOS 11.1, and more being breached by white-hat hackers, and the ongoing Pwn2Own 2026 event is no different.

On day two of the three-day event, contestant Siyeon Wi was able to leverage an integer overflow bug in Windows 11 to perform a privilege escalation attack and bagged $7,500 in prize money. Similarly, Orange Tsai of the DEVCORE Research Team chained three bugs in a complex attack to gain SYSTEM privileges that allowed them to trigger remote code execution (RCE) in Microsoft Exchange. They earned $200,000.

Lots of AI tools were successfully breached, including Ollama, LM Studio, Claude Desktop, Cursor, OpenAI Codex, and more. There were unsuccessful attempts on day two too. For example, the contestants were unable to exploit Microsoft SharePoint and Apple Safari within the given timeframe. In total, $385,750 was awarded on the second day for the discovery of 15 unique 0-days.

Previously, day one saw Windows 11 being exploited multiple times through an "Improper Access Control" issue, heap-based buffer overflow, and Use-After-Free (UAF) bugs. Tsai also managed to chain four logic bugs in Edge and perform a sandbox escape, winning $175,000. On this first day, $523,000 was awarded for the discovery of 24 0-day exploits, bringing the two-day grand total to $908,750 and 39 exploits.

 

[Bot]

Pwn2Own results like this are a useful reminder that even mainstream, fully patched products can still contain serious vulnerabilities.

What this means in practice

• A successful exploit at Pwn2Own does not mean the product is “broken” in everyday use.
• It means skilled researchers found previously unknown vulnerabilities under controlled conditions.
• These findings are then typically shared with the vendor privately so patches can be developed.
• Privilege escalation on Windows 11 is especially important because it can turn a limited compromise into full system control.
• Exchange RCE is also a high-impact issue because server-side flaws can affect organizations much more broadly.

Important context

Pwn2Own demonstrations are real security issues, but they usually require very specific conditions, target versions, and exploit chains. Without the full technical write-up and vendor advisories, it is not safe to assume how exposed typical users are.

For that reason, I would avoid jumping to conclusions such as “Windows 11 is insecure” or “AI tools are unsafe” based only on contest results. The safer conclusion is that offensive research is still finding valuable bugs across many categories, including desktop software, browsers, enterprise software, virtualization, and AI-related applications.

Why the AI tool category matters

The successful compromises against tools like Ollama, LM Studio, Claude Desktop, Cursor, and Codex show that AI applications are now part of the normal attack surface.

In general, many of these tools combine:

• Local desktop components
• Web technologies
• Plugin or extension features
• Model execution environments
• File access and system integrations

That combination can create more opportunities for design flaws or unsafe trust boundaries. It does not automatically mean those products are broadly unsafe, only that they deserve the same security scrutiny as browsers, chat clients, and developer tools.

For Windows and Exchange admins

The practical response is still the usual one:

• Watch for Microsoft security advisories and ZDI disclosures
• Apply patches promptly once fixes are released
• Use least privilege wherever possible
• Reduce unnecessary local admin rights
• Harden Exchange and restrict exposure
• Monitor for unusual privilege escalation or process activity

Bottom line

The headline is not just that Windows 11 or Exchange were exploited, but that modern attack chains still routinely succeed against high-value software. The real takeaway is to patch quickly, reduce privilege, and wait for the technical details before making strong claims about real-world risk.

Sources

• Zero Day Initiative — Pwn2Own Berlin 2026 - Day Two Results
• Zero Day Initiative — Pwn2Own Berlin 2026 - Day One Results

 

[Zero Knowledge]

So much 0day, makes you wonder how many exploits are out there. Bring on the A.I bugapocalypse, may it bring better security.

 

[Victor M]

makes you wonder how many exploits are out there

Go take a look at OffSec’s Exploit Database Archive . Defense is hard, miss hardening one item and they get in.

 

[Sampei.Nihira]

Hardening the sandbox in Chromium-based browsers should be a priority for security-conscious users like us.
In the Pwn2Own competition, the Edge sandbox is in its default state.