Pwn2Own Berlin 2024 Sets New Records with Critical Zero-Day Discoveries

CyberSecureFox 🦊

The prestigious Pwn2Own Berlin 2024 cybersecurity competition has concluded with remarkable achievements, as security researchers discovered 28 zero-day vulnerabilities in critical enterprise systems, earning a total of $1,078,750 in bounties. Seven of these vulnerabilities were identified in artificial intelligence systems, highlighting the growing importance of AI security in the modern technology landscape.

Competition Scope and Critical Discoveries

This year’s competition featured an expanded scope encompassing enterprise applications, AI systems, browsers, virtual machines, server solutions, and cloud technologies. While Tesla showcased its latest 2025 Model Y and 2024 Model 3 vehicles for security testing, researchers focused their efforts on core enterprise infrastructure, revealing significant vulnerabilities in widely deployed systems.

Notable Security Breaches and Rewards

The first day of the competition witnessed successful exploits targeting fundamental systems, including Windows 11, Red Hat Linux, and Oracle VirtualBox. The Summoning Team demonstrated exceptional skill by identifying a critical vulnerability in Chroma, securing a $35,000 reward. STAR Labs SG achieved a significant breakthrough with their Docker Desktop vulnerability discovery, earning $60,000.

Enterprise System Vulnerabilities

Day two proved particularly productive, with researchers earning $435,000 for uncovering critical vulnerabilities. A standout achievement came from the Wiz Research team, who successfully exploited a use-after-free vulnerability in Redis, demonstrating potential risks to enterprise data management systems. The Microsoft SharePoint and VMware ESXi platforms also revealed significant security gaps.

Competition Champions and Impact

STAR Labs SG emerged as the competition’s leader, accumulating 35 Master of Pwn points and $320,000 in rewards. Their researcher, Nguyen Hoang Thach, achieved the competition’s highest single bounty of $150,000 for successfully exploiting a VMware ESXi vulnerability, highlighting critical risks in enterprise virtualization infrastructure.

The discovered vulnerabilities are now under responsible disclosure protocols, with vendors having 90 days to develop and release patches. Trend Micro’s Zero Day Initiative will subsequently publish detailed vulnerability information, enabling security professionals to enhance their defense strategies. This collaborative approach between researchers and vendors demonstrates the cybersecurity community’s commitment to protecting critical infrastructure while fostering innovation in security research.
