NEWS For the First Time Since 2007: VMware Hypervisor Falls to $150K Exploit

ExcalibuR


A $150,000 Prize and a New Milestone in Hypervisor Vulnerability History


A historic event took place at the ongoing Pwn2Own hacking tournament in Berlin: elite security researchers successfully exploited a previously unknown zero-day vulnerability to hack the VMware ESXi hypervisor — a first in the competition’s history. This follows an intense first day of the event, which saw three zero-day exploits aimed at Windows 11. The second day didn’t disappoint either, bringing more surprises.


The past few weeks have already been a major challenge for corporate security. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent warning about a serious Chrome vulnerability that is actively being exploited. Meanwhile, HTTPBot-based attacks have been targeting corporate Windows networks, and Microsoft confirmed a critical cloud infrastructure flaw rated a maximum 10 out of 10 in severity. Against this backdrop, news of the $150K VMware ESXi exploit might seem like just the "cherry on top" — but in reality, it's far more significant.


Context matters: Pwn2Own is a biannual, legally sanctioned competition for the world’s best hackers. Participants are given a limited time to attack vendor-submitted products using previously undisclosed vulnerabilities — the idea is to find the bugs before cybercriminals do. Winners earn points, cash rewards, and the coveted title of Master of PWN.


The VMware ESXi hack marks the first successful hypervisor compromise in Pwn2Own’s history, dating back to 2007. The exploit was developed by Nguyen Hoang Thach of the STARLabs SG team, who used an integer overflow vulnerability — a single exploit, but a powerful one. For his discovery, he was awarded $150,000 and 15 points in the tournament standings.
 