Pwn2Own Day Two — Exchange grabbed the headline, the AI dev tooling slate fell quietly
Day Two of Pwn2Own Berlin paid out another $385,750 across 15 zero-days. Orange Tsai's Exchange chain led the news. The category nobody flagged was AI tooling.
The second day of Pwn2Own Berlin 2026 paid out $385,750 across 15 fresh zero-days, bringing the running event total to $908,750 across 39 zero-days with one day still to run. The headline was always going to be the Microsoft Exchange chain — Cheng-Da “Orange Tsai” Tsai of DEVCORE Research Team chained three bugs to land remote code execution as SYSTEM on a fully patched Exchange server, banked $200,000, and took DEVCORE to a commanding $405,000 Master of Pwn lead. The story almost wrote itself given Microsoft’s same-week confirmation that CVE-2026-42897 is being actively exploited in the wild against on-prem Exchange.
That is the bit that will dominate the coverage. It is also the bit defenders have a reasonable handle on. Exchange-on-prem is a known target. The remediation muscle exists. The asset inventory shows where it lives. The board understands the question when it gets asked.
The bit worth pulling out of the Day Two writeup is the category that fell quietly.
Across the two days at Berlin, the contest has now produced successful exploits against Cursor (twice, on Day Two — Le Duc Anh Vu of Viettel Cyber Security took $30,000, and a Compass Security team of five took another $15,000), LM Studio (a $20,000 code-injection chain from OtterSec), OpenAI Codex (a $20,000 chain from Sina Kheirkhah of Summoning Team), and LiteLLM (felled on Day One). Four distinct AI developer-tooling products fell as formally contested categories in 48 hours. Cursor twice in the same day. None of those are anomalies in the schedule — the AI category was deliberately on the slate, and the slate cleared.
This is the part the defender writeups are missing. AI dev tooling is in your supply chain. Cursor sits on engineering laptops with repository access, cloud SDK credentials, browser cookies and SaaS authentication tokens. LM Studio runs models locally and reads project files. OpenAI Codex sits inside dev environments with arbitrary code-execution surfaces. LiteLLM proxies API traffic between dev code and model providers, and it tends to hold the secrets that authenticate that traffic. A working RCE in any of these is operationally indistinguishable from a working RCE on an IDE — and almost none of these tools are in most enterprise CMDBs, change-management catalogues or vendor-risk registers. The procurement workflow that gates a new SaaS app is not the procurement workflow that gates a 12MB VS Code fork or a local model runner. The asset inventory question for an FS CISO walking into a board meeting next week is “do we know which engineering laptops are running which AI dev tools” — and the honest answer at most firms today is no.
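One way to start answering the "which laptops run which AI dev tools" question is to collect the evidence from the host itself and push it into the CMDB as rows, rather than waiting for procurement to notice. The script below is an added example written for this article, not code from the article or from any of the vendors named. The indicator table (config directories such as `~/.cursor` and `~/.lmstudio`, the `litellm` pip package, the `@openai/codex` npm package) is an assumption about where these products leave traces; validate each entry against a known install before relying on it, and extend it as tools change.

```python
#!/usr/bin/env python3
"""Per-host inventory of AI developer tooling.

Added example for the asset-inventory question raised in the article; it is
not code from the article or from any vendor. The indicator table is an
assumption (install paths and package names as believed, not verified here);
a real deployment validates each entry against a known install.
"""
import json
import os
import platform
import subprocess
import sys

# Constructed indicator table (assumption, validate before use).
# "~/..." entries are resolved against the user's home directory.
INDICATORS = {
    "Cursor": {
        "paths": ["~/.cursor", "/Applications/Cursor.app",
                  "~/AppData/Local/Programs/cursor"],
        "pip": [], "npm": [],
    },
    "LM Studio": {
        "paths": ["~/.lmstudio", "~/.cache/lm-studio",
                  "/Applications/LM Studio.app"],
        "pip": [], "npm": [],
    },
    "OpenAI Codex CLI": {
        "paths": ["~/.codex"], "pip": [], "npm": ["@openai/codex"],
    },
    "LiteLLM": {"paths": [], "pip": ["litellm"], "npm": []},
}


def resolve(path, home):
    """Expand a '~/' prefix against an explicit home dir (explicit so tests can inject one)."""
    if path.startswith("~/"):
        return os.path.join(home, path[2:])
    return path


def parse_pip_list(text):
    """Parse `pip list --format=json` output into a set of lowercase package names."""
    try:
        return {p["name"].lower() for p in json.loads(text)}
    except (ValueError, KeyError, TypeError):
        return set()


def parse_npm_ls(text):
    """Parse `npm ls -g --depth=0 --json` output into a set of global package names."""
    try:
        return set(json.loads(text).get("dependencies", {}).keys())
    except (ValueError, AttributeError):
        return set()


def inventory(home, installed_pip, installed_npm, exists=os.path.exists):
    """Match the indicator table against one host; returns one row per product found.

    Pure function: filesystem access goes through `exists` so it can be run offline.
    """
    rows = []
    for product, ind in INDICATORS.items():
        evidence = [f"path:{p}" for p in (resolve(x, home) for x in ind["paths"]) if exists(p)]
        evidence += [f"pip:{p}" for p in ind["pip"] if p in installed_pip]
        evidence += [f"npm:{p}" for p in ind["npm"] if p in installed_npm]
        if evidence:
            rows.append({"product": product, "evidence": evidence})
    return sorted(rows, key=lambda r: r["product"])


def _run(cmd):
    """Run a command and return its stdout, or '' if the tool is absent or fails."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, timeout=60).stdout
    except (OSError, subprocess.SubprocessError):
        return ""


def collect():
    """Gather live host state and emit CMDB-style rows as JSON lines."""
    home = os.path.expanduser("~")
    pip_pkgs = parse_pip_list(_run([sys.executable, "-m", "pip", "list", "--format=json"]))
    npm_pkgs = parse_npm_ls(_run(["npm", "ls", "-g", "--depth=0", "--json"]))
    for row in inventory(home, pip_pkgs, npm_pkgs):
        row.update({"host": platform.node(), "user": os.path.basename(home)})
        print(json.dumps(row))


if __name__ == "__main__":
    collect()
```

Run it from the endpoint-management agent you already have, ship the JSON lines to wherever the CMDB ingests, and the missing rows start to exist. The point of the injectable `exists` predicate and the separate parsers is that the matching logic can be checked without a real laptop, so the indicator table can be reviewed and changed like any other detection content.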
The other Day Two stories sit in the standard pattern. Ben Koo of Team DDOS used a use-after-free to escalate to root on Red Hat Enterprise Linux Workstation ($10,000). Siyeon Wi exploited an integer overflow to take SYSTEM on Windows 11 ($7,500). Stephen Fewer of Rapid7 — the same researcher who reported the actively exploited Cisco SD-WAN auth bypass earlier this week — could not get a SharePoint exploit working in time. The full ZDI writeup is the cleanest single source of truth.
The third thread, less covered, is structural. Pwn2Own Berlin 2026 ran out of contest slots for the first time in nineteen years. ZDI rejected dozens of working zero-day submissions on a purely logistical basis. Several of those researchers have begun publishing proofs of concept and notifying vendors directly outside the contest. The headline number from Pwn2Own — the $908,750 paid out so far this week — is the part of the iceberg ZDI controls. The part it doesn’t is in unbounded public-disclosure mode this week. If you patch by what shows up on a Pwn2Own results page, you are reading the wrong feed.
The defender takeaway is asymmetric. Exchange remediation is happening. The teams know how. The vulnerability-management programmes have a clear lane. The AI-tooling exploits are not happening to anyone’s inventory because the inventory does not have the rows. That is the work this Pwn2Own should kick off, before the next contest cycle catches up with whatever the engineers downloaded last quarter.
Sources
- BleepingComputer — Microsoft Exchange, Windows 11 hacked on second day of Pwn2Own (Sergiu Gatlan, 15 May 2026) // reporting
- Zero Day Initiative — Pwn2Own Berlin 2026, Day Two Results // primary
- CyberInsider — Microsoft Exchange zero-day chain nets DEVCORE $200K at Pwn2Own // reporting
- HackRead — Pwn2Own Berlin 2026 hits capacity as rejected hackers release 0-days // reporting