Pwn2Own Berlin 2026: 15 unpublished vulnerabilities, $385,750 and the new IA vector that raises operational risk

The second day of Pwn2Own Berlin 2026 made it clear that business security and artificial intelligence are at the centre of modern risk: 15 unpublished vulnerabilities awarded with a total of $385,750 and affecting critical products such as Windows 11, Microsoft Exchange and Red Hat Enterprise Linux for Workstations shows that even large-scale, parched systems remain valid targets for sophisticated attacks.

Beyond the amounts, the relevant is the nature of the findings. Researchers like Orange Tsai made commitments by Fault chairing to get remote execution with SYSTEM privileges in Exchange; others got root in RHEL or exploded NVIDIA container toolkits. That pattern - individual failures that, combined, scale to total commitment - makes it clear that prevention cannot be limited to a single layer: it is necessary in-depth defence and controls that mitigate impact when one of the links fails.

A second emerging vector in Berlin was that of the agents and tools of IA. Explosits for coding agents (Cursor AI, OpenAI Codex) and specific categories in Pwn2Own show that models and their operational integrations are new operating vectors with practical consequences. This is not just a privacy or model problem: it is operational risk when these agents have permission to run code or interact with sensitive infrastructure.

The competition also recalls the framework for the dissemination of the Zero Day Initiative: the organizers demand demonstrations in fully-@-@-@-@ parked objectives and grant suppliers up to 90 days to issue patches after notification. This rule accelerates responses and coordinates disclosures, but does not guarantee the immediate protection of organizations that already use the products concerned. Security teams should treat these findings as early signs and not wait for the patch to act.

For IT and cybersecurity equipment in companies, the recommended actions are clear: prioritizing visibility and containment. Updating and applying patches is essential, but it is also essential to deploy compensatory mitigation - network segmentation, restriction of administrative access, tightening of Exchange servers and use of EDR / IDS rules that detect known operating chains. In container and GPus environments, reviewing the implementation policies and the privileges of the container runtime can prevent a local vulnerability from resulting in host access.

As for IA agents, it is vital to reduce their privilege footprint: to run coding agents in isolated environments, to limit automatic execution permits, to audit prompts and logs, and to apply strict controls on which repositories or systems they can handle. It is not enough to rely on the agent's supplier; the integration and deployment policies determine the real risk.

Pwn2Own works as a stress test for the software supply chain: it forces manufacturers to correct and the community to improve detections. To keep up to date, I recommend to consult the official publications of the initiative and the responses of suppliers, and to adapt the planning priorities based on risk and active exploitation. More information and technical details of the results are available in ZDI's official note on day two: https: / / www.zerodayinitiative.com / blog / 2026 / 5 / 15 / pwn2own-berlin-2026-day-two-results, and for Microsoft product-dependent organizations it is appropriate to follow the guides and notices at the Microsoft Security Response Center: https: / / msrc.microsoft.com /.

Finally, the practical lesson is that public tests like Pwn2Own are useful not for the show, but because they reveal real vectors that evade daily controls. The defenses that work today are those that assume that there will be unknown failures tomorrow: rapid detection, segmentation, minimum privileges and proven response plans.