Pwn2Own Berlin 2026 Highlights Major Exploits as Zero-Days and Breaches Surge
The second and third days of Pwn2Own Berlin 2026 saw researchers earn $385,750 in bounties, pushing the event’s total payout to $1.298 million. Among the notable exploits, Microsoft Exchange Server was successfully compromised, contributing to the growing tally. DEVCORE was crowned "Master of Pwn" after demonstrating multiple high-impact vulnerabilities.
In parallel, Chaotic Eclipse disclosed MiniPlasma, a Windows zero-day that suggests a security fix from 2020 was incomplete or overlooked. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Microsoft Exchange Server flaw and a Cisco Catalyst SD-WAN vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, signaling active exploitation risks.
A critical 18-year-old flaw (CVE-2026-42945) in NGINX, the world’s most widely deployed web server, was also uncovered, with experts warning of ongoing attacks. Meanwhile, Grafana confirmed a GitHub token breach after a cybercrime group claimed responsibility, while ShinyHunters breached 7-Eleven, exposing franchisee data and Salesforce records.
Additional incidents included:
- A public Amazon S3 bucket leaking sensitive guest data from Japanese hotel platform Tabiq.
- OpenAI suffering a supply chain attack via malicious TanStack packages.
- Broadcom releasing a security update for a VMware Fusion root access bug.
- The Ghostwriter group resuming cyberattacks on Ukrainian government targets.
- Researchers identifying YellowKey and GreenPlasma, two new Windows zero-days.
- A Linux Kernel bug (Fragnesia) enabling local root access attacks.
- Attackers exploiting a Funnel Builder vulnerability to inject e-skimmers into e-commerce stores.
The event underscored persistent threats across enterprise software, cloud services, and critical infrastructure, with zero-days and supply chain attacks remaining dominant vectors.
"id": "BROMIC7-ENGICIS1779164825",
"linkid": "broadcom, microsoft-security-response-center, 7-eleven, nginx, cisco",
"type": "Vulnerability",
"date": "1/2020",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Software',
'location': 'Global',
'name': 'Microsoft',
'size': 'Enterprise',
'type': 'Technology'},
{'industry': 'Networking',
'location': 'Global',
'name': 'Cisco',
'size': 'Enterprise',
'type': 'Technology'},
{'industry': 'Web Server',
'location': 'Global',
'name': 'NGINX',
'size': 'Enterprise',
'type': 'Technology'},
{'industry': 'Virtualization',
'location': 'Global',
'name': 'VMware (Broadcom)',
'size': 'Enterprise',
'type': 'Technology'},
{'industry': 'Data Visualization',
'location': 'Global',
'name': 'Grafana',
'size': 'Enterprise',
'type': 'Technology'},
{'customers_affected': 'Franchisees',
'industry': 'Convenience Stores',
'location': 'Global',
'name': '7-Eleven',
'size': 'Enterprise',
'type': 'Retail'},
{'industry': 'AI',
'location': 'Global',
'name': 'OpenAI',
'size': 'Enterprise',
'type': 'Technology'},
{'customers_affected': 'Guests',
'industry': 'Hotel Platform',
'location': 'Japan',
'name': 'Tabiq',
'size': 'SME',
'type': 'Hospitality'}],
'attack_vector': ['Exploited Vulnerability',
'Malicious Packages',
'Misconfigured Cloud Storage',
'Phishing'],
'data_breach': {'data_exfiltration': ['Yes (ShinyHunters, Ghostwriter group)'],
'personally_identifiable_information': ['Yes'],
'sensitivity_of_data': ['High'],
'type_of_data_compromised': ['GitHub Tokens',
'Franchisee Data',
'Salesforce Records',
'Guest Data',
'PII']},
'date_publicly_disclosed': '2026',
'description': 'The second and third days of Pwn2Own Berlin 2026 saw '
'researchers earn $385,750 in bounties, pushing the event’s '
'total payout to $1.298 million. Notable exploits included '
'compromises of Microsoft Exchange Server, Windows zero-days, '
'and critical flaws in NGINX, VMware, and other enterprise '
'software. Multiple breaches and supply chain attacks were '
'also reported, including incidents involving Grafana, '
'7-Eleven, OpenAI, and a Japanese hotel platform.',
'impact': {'brand_reputation_impact': ['Grafana',
'7-Eleven',
'OpenAI',
'Tabiq'],
'data_compromised': ['GitHub tokens',
'Franchisee data',
'Salesforce records',
'Guest data (Tabiq)',
'Personally Identifiable Information'],
'financial_loss': '$385,750 (bounties paid) + $1.298 million '
'(total payout)',
'identity_theft_risk': ['High (PII exposed)'],
'operational_impact': ['Service Disruption',
'Unauthorized Access',
'Data Exfiltration'],
'payment_information_risk': ['High (e-skimmers injected)'],
'systems_affected': ['Microsoft Exchange Server',
'Windows OS',
'NGINX',
'Cisco Catalyst SD-WAN',
'VMware Fusion',
'Grafana',
'7-Eleven systems',
'OpenAI (via TanStack packages)',
'E-commerce stores (via e-skimmers)']},
'initial_access_broker': {'data_sold_on_dark_web': ['Yes (ShinyHunters)']},
'investigation_status': 'Ongoing',
'lessons_learned': 'Persistent threats across enterprise software, cloud '
'services, and critical infrastructure highlight the need '
'for robust vulnerability management, supply chain '
'security, and proactive monitoring of zero-days.',
'motivation': ['Financial Gain',
'Cyber Espionage',
'Data Theft',
'Demonstration of Exploits'],
'post_incident_analysis': {'corrective_actions': ['Release security patches '
'(e.g., Broadcom/VMware).',
'Add vulnerabilities to '
'CISA KEV catalog for '
'prioritized remediation.',
'Improve supply chain '
'vetting processes.',
'Enhance monitoring for '
'zero-day exploitation.'],
'root_causes': ['Unpatched vulnerabilities (e.g., '
'18-year-old NGINX flaw).',
'Supply chain attacks (e.g., '
'malicious TanStack packages).',
'Misconfigured cloud storage '
'(e.g., public Amazon S3 bucket).',
'Zero-day exploits (e.g., '
'MiniPlasma, YellowKey).']},
'recommendations': ['Patch known vulnerabilities immediately (e.g., '
'CVE-2026-42945, Microsoft Exchange flaws).',
'Enhance supply chain security (e.g., vet third-party '
'packages like TanStack).',
'Implement strict cloud storage configurations (e.g., '
'secure Amazon S3 buckets).',
'Monitor for zero-day exploits and emerging threats '
'(e.g., MiniPlasma, YellowKey).',
'Adopt network segmentation and enhanced monitoring for '
'critical systems.'],
'references': [{'source': 'Pwn2Own Berlin 2026'},
{'source': 'CISA Known Exploited Vulnerabilities Catalog'},
{'source': 'Grafana Security Advisory'},
{'source': 'ShinyHunters Breach Disclosure'}],
'regulatory_compliance': {'regulatory_notifications': ['CISA KEV catalog '
'additions']},
'response': {'remediation_measures': ['Security updates released '
'(Broadcom/VMware)',
'CISA KEV catalog additions']},
'threat_actor': ['DEVCORE',
'Chaotic Eclipse',
'ShinyHunters',
'Ghostwriter group'],
'title': 'Pwn2Own Berlin 2026 Highlights Major Exploits and Cyber Incidents',
'type': ['Zero-day Exploit',
'Data Breach',
'Supply Chain Attack',
'Ransomware'],
'vulnerability_exploited': ['CVE-2026-42945 (NGINX)',
'Microsoft Exchange Server flaw',
'Cisco Catalyst SD-WAN vulnerability',
'VMware Fusion root access bug',
'Funnel Builder vulnerability',
'Linux Kernel bug (Fragnesia)',
'MiniPlasma (Windows zero-day)',
'YellowKey (Windows zero-day)',
'GreenPlasma (Windows zero-day)']}