Microsoft Exchange Zero-Day Vulnerabilities Exploited at Pwn2Own Berlin 2026

Microsoft Exchange and Windows 11 were compromised during the Pwn2Own Berlin 2026 security competition, highlighting critical vulnerabilities in widely used enterprise software. The event, which brings together security researchers to demonstrate zero-day exploits, confirmed that both the email server platform and the operating system were susceptible to attack.

A zero-day vulnerability is a software flaw that is unknown to the vendor, meaning no patch or fix exists at the time the vulnerability is discovered or exploited. These flaws are highly prized by security researchers and attackers alike due to the lack of immediate defenses.

Microsoft Exchange Exploit Chain

Reporting from Forbes confirmed that three distinct vulnerabilities were exploited to breach Microsoft Exchange. The attack was executed as a zero-day chain, a method where researchers link multiple vulnerabilities together to achieve a specific goal, such as gaining unauthorized access or executing remote code on a target system.

The research team known as DEVCORE was awarded $200,000 for the successful exploitation of this Microsoft Exchange chain, according to CyberInsider. Because Microsoft Exchange serves as the backbone for email and calendar services in many corporate environments, vulnerabilities in this software can pose a significant risk to organizational data and communication security.

Windows 11 and Event Developments

In addition to the Exchange breaches, BleepingComputer reported that Windows 11 was also hacked during the second day of the Pwn2Own Berlin 2026 competition. The simultaneous compromise of a primary enterprise server product and a dominant desktop operating system underscores the ongoing challenges in securing complex software ecosystems.

The competition has also faced challenges regarding participant capacity. Hackread reported that Pwn2Own Berlin 2026 hit its capacity limit, leading to a situation where some hackers who were rejected from the event have begun releasing their own zero-day vulnerabilities outside of the controlled competition environment.

This trend of external releases adds a layer of urgency for software vendors, as vulnerabilities disclosed outside of structured bug bounty programs or competitions may not always follow coordinated disclosure timelines, potentially leaving users exposed before patches are developed.

Industry Implications

The exploitation of these systems during a public competition serves as a stress test for vendor response times and the robustness of current security architectures. For organizations relying on Microsoft Exchange and Windows 11, these developments emphasize the importance of defense-in-depth strategies, such as network segmentation and rigorous monitoring, to mitigate the impact of unknown vulnerabilities.

The successful demonstration of an exploit chain against Exchange specifically illustrates that securing a single entry point is often insufficient, as attackers can pivot through multiple smaller flaws to achieve a full system compromise.