New Delhi: Security researchers walked away with a whopping $1,078,750 (₹9.05 crore) at the just-concluded Pwn2Own Berlin 2025, after exposing 29 zero-day vulnerabilities across some of the most widely used enterprise and tech platforms. The elite hacking contest, hosted by Trend Micro’s Zero Day Initiative (ZDI), was held over three days and attracted top exploit developers from across the world.
This year’s event focused on areas like AI systems, virtualization software, web browsers, containerized applications, and even automotive systems. While Tesla provided 2025 Model Y and 2024 Model 3 bench-top units as test targets, no teams attempted those vehicles during the competition.
The biggest winner this year was STAR Labs SG, whose hackers earned $320,000 (₹2.68 crore) and took home the Master of Pwn crown with 35 points. Among the standout moments was when STAR Labs’ Nguyen Hoang Thach used an integer overflow bug to successfully hack VMware ESXi, earning the highest single reward of the competition—$150,000 (₹1.25 crore).
Coming in second place was Viettel Cyber Security. The team managed to chain a Microsoft SharePoint authentication bypass with an insecure deserialization bug. They also showcased a VirtualBox escape from guest to host—moves that earned them respect and serious cash.
Third place was taken by Team Reverse Tactics, who returned on the final day with another VMware ESXi hack, this time using an exploit chain involving integer overflow and an uninitialized variable. They earned $112,500 (₹94.5 lakh) for that single attempt.
Mozilla moved quickly after the event to fix the two Firefox zero-days (CVE-2025-4918 and CVE-2025-4919) that were demoed during the competition. Over the weekend, Mozilla pushed updates across:
In a similar situation back in March 2024, Mozilla had also patched two zero-days exploited by Manfred Paul at Pwn2Own Vancouver.
Here’s a breakdown of how the rewards were distributed:
Day | Zero-Days Found | Cash Earned (USD) | Cash in INR (approx) |
---|---|---|---|
Day 1 | 9 | $260,000 | ₹2.18 crore |
Day 2 | 12 | $435,000 | ₹3.65 crore |
Day 3 | 8 | $383,750 | ₹3.22 crore |
Total | 29 | $1,078,750 | ₹9.05 crore |
All the target systems were fully updated, with the latest security patches applied. This makes these exploits even more serious, as they expose unknown (zero-day) flaws in widely deployed enterprise software.
According to Pwn2Own rules, once a bug is demoed successfully during the contest, vendors are given 90 days to issue a fix. If they fail to do so, the Zero Day Initiative may publicly disclose the technical details of the flaw.
These kinds of contests don’t just highlight the skills of white-hat hackers, but also reveal just how vulnerable even the most “secure” platforms can be when challenged by highly skilled adversaries.
With India rapidly becoming a cyber economy dependent on digital infrastructure and cloud-first platforms, these international vulnerabilities carry local implications. Tools like Docker, VMware, and Windows 11 are widely used in Indian tech startups, banks, and government systems.
A successful exploit on platforms like SharePoint or Oracle VirtualBox, as demonstrated in Berlin, could be devastating if left unpatched. Indian CISOs and IT teams should watch such events closely and ensure timely patching and security updates.