Windows 11 and Exchange Hacked at Pwn2Own 2026
On the second day of the Pwn2Own Berlin 2026 competition, cybersecurity researchers earned $385,750 in awards after successfully exploiting 15 unique zero-day vulnerabilities in Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux.
Event Summary
Pwn2Own, one of the most prestigious events in the cybersecurity world, once again hosted breathtaking moments in Berlin in 2026. On the second day of the event, ethical hackers (security researchers) from around the globe engaged in fierce competition to find unknown vulnerabilities in the most widely used software. On May 15, 2026, a total of 15 new and previously unknown (zero-day) vulnerabilities were successfully exploited in critical systems, including Microsoft's flagship operating system Windows 11, its corporate email server Microsoft Exchange, and Red Hat Enterprise Linux. The researchers who uncovered these critical findings were honored with a record total of $385,750 in rewards by Trend Micro's Zero Day Initiative (ZDI) program.
What is Pwn2Own and Why is it Important?
Pwn2Own is a hacking contest that encourages cybersecurity researchers to find and demonstrate previously undiscovered vulnerabilities in popular software and hardware. First held in 2007, the event gets its name from the words "own" (to take control of) and "pwn" (a leetspeak variant of "own"). The primary goal of the competition is to have ethical hackers find these flaws before malicious actors do, and to provide the information to vendors to fix them. This process is called "responsible disclosure." The ZDI pays researchers tens of thousands of dollars for each vulnerability and then privately reports the details to the relevant software company (e.g., Microsoft, Red Hat). Companies typically have a period of 90 to 120 days to fix these vulnerabilities. This proactively eliminates potential dangers that could affect millions of users.
The Technical Aspect and the "Zero-Day" Vulnerability
The most significant concept highlighted at this event is the "zero-day" vulnerability. A zero-day vulnerability is a security flaw that is unknown to the software developer or the public. This means that if an attacker develops an "exploit" (code that takes advantage of the flaw), the software company has "zero days" to release a patch or update to stop the attack. All 15 of the vulnerabilities demonstrated at Pwn2Own fell into this category, meaning that even tech giants like Microsoft and Red Hat were unaware of these security gaps.
Some of the notable exploits demonstrated at the competition included:
- Windows 11: Researchers discovered a critical flaw in the Windows 11 kernel that allowed them to gain the highest level of privileges (SYSTEM) on the system. Such a vulnerability enables an attacker to take complete control of a computer, run any program, delete files, or create new user accounts.
- Microsoft Exchange: One of the most alarming findings was a vulnerability chain discovered in Microsoft Exchange server that allowed for Remote Code Execution (RCE). This means an attacker could, over the internet and without any user interaction or credentials, infiltrate an Exchange server to read or modify all emails, or completely take over the server.
- Red Hat Enterprise Linux (RHEL): A privilege escalation vulnerability was also found in this widely used enterprise operating system. This allows an attacker who has gained low-level user access to the system to exploit the flaw to elevate their privileges to the highest level (root).
Exploits like these often rely not on a single bug but on several different security flaws chained together. This demonstrates the complexity of the attacks and the high level of technical skill possessed by the researchers.
Who Are the Affected Users?
These discovered vulnerabilities potentially affect a very broad user base. The main affected groups include:
- Individual Windows 11 Users: Millions of personal computers and laptops worldwide are at risk due to these critical vulnerabilities in their operating system.
- Corporate Enterprises: Companies using Microsoft Exchange servers face a serious threat to the security of their email communications, sensitive data, and internal networks. An attack on an Exchange server could bring a company's entire operations to a halt.
- Data Centers and Servers: Organizations using Red Hat Enterprise Linux are at risk of unauthorized access and data breaches, particularly within their server infrastructure.
Staying informed about such incidents is crucial for strengthening one's cybersecurity posture. Regularly following Data Breach News sources provides a foundation for a proactive defense strategy for both individual users and organizations.
What Should You Do?
Since the vulnerabilities discovered at Pwn2Own were immediately reported to the respective companies under the responsible disclosure process, there is no need to panic at this moment. However, there are important steps that both individual users and system administrators should take:
- Monitor for Updates: Microsoft and Red Hat will release security patches in the coming weeks or months to fix these vulnerabilities. Always keep your operating system and software up to date. Enabling automatic updates is the safest approach.
- Use a Firewall and Antivirus: A strong firewall and up-to-date antivirus software provide an additional layer of protection against unknown threats.
- Practice Basic Security Hygiene: Avoid clicking on links in suspicious emails or downloading files from unknown sources. Use strong, unique passwords and enable multi-factor authentication (MFA) wherever possible.
- For System Administrators: Until patches are released, closely monitor network intrusion detection/prevention systems (IDS/IPS) and security information and event management (SIEM) tools. Detecting suspicious network activity can help you stop a potential attack in its early stages.
Companies' Response
Due to the nature of the competition, companies like Microsoft and Red Hat have not yet made public statements, as the vulnerabilities were privately disclosed to them by the ZDI. These companies will work with their engineering teams to develop patches within the timeframe allotted by the ZDI. Once the patches are ready, they will be announced and distributed to users, typically through their monthly security update bulletins (such as Microsoft's "Patch Tuesday" updates). In this way, the Pwn2Own event makes a significant contribution to making the entire cyber ecosystem safer.