Overview
- The three‑day contest in Berlin wrapped Saturday with $1,298,250 awarded for 47 unique zero‑days, and DEVCORE finishing first with 50.5 points and $505,000.
- Cheng‑Da “Orange” Tsai of DEVCORE chained three bugs to gain SYSTEM‑level remote code execution on Microsoft Exchange on Friday, earning $200,000.
- Microsoft Windows 11 fell repeatedly across the event as multiple teams showed distinct privilege‑escalation flaws on fully patched machines.
- Final‑day highlights included a two‑bug Microsoft SharePoint exploit by DEVCORE’s splitline for $100,000 and a VMware ESXi code‑execution win by STARLabs SG for $200,000.
- AI developer tools were frequent targets as researchers broke OpenAI’s Codex three separate times and hit LiteLLM, Cursor, and LM Studio, with vendors now on a 90‑day clock to patch.