Microsoft Exchange Zero-Day Hack Confirmed—3 Vulnerabilities Exploited
Hot on the heels of three new zero-day exploits against Windows 11, confirmed on May 14, Microsoft was hacked again just 24 hours later, as a three-vulnerability chained Exchange zero-day exploit was demonstrated at the Pwn2Own elite hacking event in Berlin. Here’s what you need to know.
Microsoft Exchange Falls To Zero-Day Hack At Pwn2Own Berlin
Pwn2Own is a twice-yearly event organized by the Trend Micro Zero Day Initiative, where some of the world’s most elite ethical hackers compete against each other, and the clock, to exploit previously unknown vulnerabilities in both software and hardware. The Berlin event got off to a flying start on May 14 as Windows 11 was hit by no fewer than three zero-day exploits. On day two, hacking teams were no less successful, chaining together three new vulnerabilities in Microsoft Exchange in order to achieve the holy grail of SYSTEM-level remote code execution. Such was the level of this achievement that Orange Tsai from the DEVCORE Research Team was rewarded with a $200,000 bounty payment in return for immediately handing over all the technical details to the event organizers.
This is why events such as Pwn2Own, along with vendor bug bounty schemes, are so important in the overall scheme of security things. Whereas some security researchers sell their zero-days to the highest bidder on the black and grey vulnerability markets, and others disclose them to the public, as in the case of the Microsoft Windows angry hacker, Pwn2Own is all about rewarding responsible disclosure and giving vendors what they need to secure their products and users from harm.
“There’s more than $1,000,000 in cash and prizes available for contestants,” Dustin Childs, head of threat awareness for the Zero Day Initiative at Trend Micro, explained. But in order to get a share of the money, the successful hackers must provide the fully functioning exploit along with a whitepaper detailing the vulnerabilities and exploitation techniques used against the targeted vendor immediately after the demonstration ends. As in the case of the Microsoft Exchange zero-day, where multiple vulnerabilities were exploited to gain code execution, details of all of them and the sequence in which they were used must be provided in full.
“As the world’s top security researchers push technology to its limits,” Childs said, “exploits, surprises and breakthrough discoveries are unfolding.” And there’s still one more day of Pwn2Own to run, with Microsoft SharePoint and Windows 11 in the hacker spotlight. I will report back tomorrow with the results.