Pwn2Own Berlin 2025 Day Two: Researcher Earns $150K Hacking VMware ESXi
TL;DR
On day two of Pwn2Own Berlin 2025, participants earned $435,000 by demonstrating zero-day exploits in various products, including VMware ESXi, Microsoft SharePoint, and Mozilla Firefox. Nguyen Hoang Thach of STARLabs SG earned $150,000 for hacking VMware ESXi.
Participants Earn $435,000 on Day Two of Pwn2Own Berlin 2025
On day two of Pwn2Own Berlin 2025, bug hunters earned a total of $435,000, bringing the contest total to $695,000. This follows the $260,000 awarded on the first day of the competition. Participants demonstrated 20 unique zero-day vulnerabilities in products such as Microsoft SharePoint, VMware ESXi, Oracle VirtualBox, Red Hat Enterprise Linux, and Mozilla Firefox.
Wrapping up Day Two of #Pwn2Own Berlin 2025. We’ve awarded $695,000 for 20 unique 0-days, with one more day to go! pic.twitter.com/x2oBfaSfKS
— Trend Zero Day Initiative (@thezdi) May 16, 2025
Notable Achievements
Nguyen Hoang Thach of STARLabs SG successfully exploited an integer overflow to hack VMware ESXi, earning $150,000 and 15 Master of Pwn points [1].
Outstanding! Nguyen Hoang Thach (@hi_im_d4rkn3ss) of STARLabs SG used a single integer overflow to exploit #VMware ESXi – a first in #Pwn2Own history. He earns $150,000 and 15 Master of Pwn points. #P2OBerlin pic.twitter.com/QmfZng11nV
— Trend Zero Day Initiative (@thezdi) May 16, 2025
Dinh Ho Anh Khoa of Viettel Cyber Security earned $100,000 and 10 Master of Pwn points for exploiting Microsoft SharePoint using an authentication bypass and an insecure deserialization bug.
Edouard Bochin and Tao Yan from Palo Alto Networks earned $50,000 and 5 Master of Pwn points for exploiting Mozilla Firefox via an out-of-bounds write.
Comprehensive List of Day Two Hacking Attempts
The full list of hacking attempts made during day two is available here.
Event Highlights
This year’s Pwn2Own at the OffensiveCon conference marks the first time the competition includes an AI category.
Pierluigi Paganini
(SecurityAffairs – hacking, Pwn2Own Berlin 2025)
References
1. Trend Zero Day Initiative (May 16, 2025). “Outstanding! Nguyen Hoang Thach (@hi_im_d4rkn3ss) of STARLabs SG used a single integer overflow to exploit #VMware ESXi – a first in #Pwn2Own history. He earns $150,000 and 15 Master of Pwn points. #P2OBerlin pic.twitter.com/QmfZng11nV”. Trend Zero Day Initiative. Retrieved May 16, 2025.