Pwn2Own Berlin 2025 comes to a close. We awarded $1,078,750 for 28 unique 0-days. Congrats to STAR Labs SG for winning Master of Pwn with $320,000. Thanks to @offensive_con for hosting, and thanks to all who participated. Can't wait to see you next year! #Pwn2Own #P2OBerlin

GLIBC-SA-2025-0002: CVE-2025-4802: glibc: elf: static setuid binary dlopen may incorrectly search LD_LIBRARY_PATH https://www.openwall.com/lists/oss-security/2025/05/17/2
Affects statically linked setuid binaries that call dlopen, including internally to glibc after setlocale or NSS functions such as getaddrinfo

Wrapping up Day Two of #Pwn2Own Berlin 2025. We’ve awarded $695,000 for 20 unique 0-days, with one more day to go!

Dear #Letsencrypt, you helped secure millions and millions of servers, not just web servers. But your announcement at https://letsencrypt.org/2025/05/14/ending-tls-client-authentication/ about ending Ending TLS Client Authentication Certificate Support in 2026 because Google changes their requirements would result in your certificates being unusable for SMTP servers. You are literally risking an email collapse for many mailserver owners just to please Google? Please think again. Please.

Confirmed!! Dinh Ho Anh Khoa of Viettel Cyber Security combined an auth bypass and an insecure deserialization bug to exploit #Microsoft SharePoint. He earns $100,000 and 10 Master of Pwn points. #Pwn2Own #P2OBerlin

#Microsoft has blocked its services to the International Criminal Court by order of Donald #Trump. The #ICC prosecutor doesn’t have access to his #email. Source:AP

https://apnews.com/article/icc-trump-sanctions-karim-khan-court-a4b4c02751ab84c09718b1b95cbd5db3

G DATA's Karsten Hahn details how software downloads for the printer company Procolored were infected with XRed backdoor for half a year. https://www.gdatasoftware.com/blog/2025/05/38200-printer-infected-software-downloads

CISA is changing the way they publizice alerts, including the KEV (known exploited vulnerabilities). These will no longer be shown on the "Alerts" overview, but must be subscribed to via GovAlert (or just scrape the JSON...).

The first vulnerability that is *not* being published as an alert is...drumroll... CVE-2025-47729. "The TeleMessage archiving backend through 2025-05-05 holds cleartext copies of messages from TM SGNL app users"

Isn't that a funny coincidence?

I am totally sure (sarcasm included) that #Google has totally overseen that their planned changes to their root program requirements will cause a lot of problems for mailserver owners like me who in future might run into weird problems with #Letsencrypt certificates for SMTP. I am sure that Google is absolutely not trying to make running your own mailserver even more complicated just to protect their gmail business. That would be totally not how Google thinks, amirite? https://letsencrypt.org/2025/05/14/ending-tls-client-authentication/

Detecting malicious Unicode in #curl

https://daniel.haxx.se/blog/2025/05/16/detecting-malicious-unicode/

CISA Warns of #Google Chromium #ZeroDay Vulnerability CVE-2025-4664 Actively Exploited in the Wild affecting #Chrome, MS #Edge and Opera – Make sure to update your browser to the latest version today!
👇
https://cybersecuritynews.com/cisa-warns-of-google-chromium-vulnerability-actively-exploited-in-the-wild/

I wanted to end last year with a vm escape, took me a bit longer but I want to present you my latest public research:

A VM escape in Oracle VirtualBox using only one integer overflow bug!

This was fixed in April 15 and assigned CVE-2025-30712.

https://github.com/google/security-research/security/advisories/GHSA-qx2m-rcpc-v43v

A brief summary of Day One of #Pwn2Own Berlin 2025, featuring Sina Kheirkhah, STAR Labs SG, Wongi Lee of Theori, Marcin Wiązowski and more. #P2OBerlin

Project: golang/go https://github.com/golang/go
File: src/cmd/vendor/golang.org/x/arch/x86/x86asm/gnu.go:14 https://github.com/golang/go/blob/refs/tags/go1.23.4/src/cmd/vendor/golang.org/x/arch/x86/x86asm/gnu.go#L14

func GNUSyntax(inst Inst, pc uint64, symname SymLookup) string

SVG:
dark https://tmr232.github.io/function-graph-overview/render/?github=https%3A%2F%2Fgithub.com%2Fgolang%2Fgo%2Fblob%2Frefs%2Ftags%2Fgo1.23.4%2Fsrc%2Fcmd%2Fvendor%2Fgolang.org%2Fx%2Farch%2Fx86%2Fx86asm%2Fgnu.go%23L14&colors=dark
light https://tmr232.github.io/function-graph-overview/render/?github=https%3A%2F%2Fgithub.com%2Fgolang%2Fgo%2Fblob%2Frefs%2Ftags%2Fgo1.23.4%2Fsrc%2Fcmd%2Fvendor%2Fgolang.org%2Fx%2Farch%2Fx86%2Fx86asm%2Fgnu.go%23L14&colors=light

this ratelimiting stuff with GitHub makes me really think that MSFT might actually successfully kill their golden goose

trust arrives on foot and leaves on horseback, etc

Confirmed! Hyeonjin Choi of Out Of Bounds earns $15,000 for a third round win and 3 Master of Pwn Points by successfully using a type confusion bug to escalate privileges in #Windows11 #Pwn2Own #P2OBerlin