Overview
- Orange Tsai of DEVCORE chained three vulnerabilities to gain SYSTEM‑level remote code execution on Microsoft Exchange, a Friday win that earned $200,000.
- After two days, researchers have demonstrated 39 unique zero‑days with $908,750 awarded, and DEVCORE holds the lead on the strength of Tsai’s results.
- Windows 11 took more hits as Siyeon Wi landed a Friday privilege escalation via an integer overflow, following three separate elevation bugs shown on Thursday on fully patched systems.
- AI and local LLM tools remained soft targets with successful exploits against Cursor, OpenAI Codex, LiteLLM, and LM Studio, underscoring growing risk in developer and inference stacks.
- The event enters its final day on Saturday with Firefox, SharePoint, and more Windows 11 attempts slated under Zero Day Initiative rules that require immediate disclosure of working exploits.