Security Experts:

Connect with us

Hi, what are you looking for?



$200,000 Awarded for Zero-Click Zoom Exploit at Pwn2Own

Two researchers earned $200,000 on the second day of the Pwn2Own 2021 hacking competition for a Zoom exploit allowing remote code execution without user interaction.

Two researchers earned $200,000 on the second day of the Pwn2Own 2021 hacking competition for a Zoom exploit allowing remote code execution without user interaction.

The exploit, demonstrated by Daan Keuper and Thijs Alkemade from Computest, involves three vulnerabilities and it works on the latest versions of Windows 10 and Zoom. In the demo at Pwn2Own, the victim saw a meeting invitation from the attacker, but the victim didn’t actually have to click anything to trigger the code execution.

Pwn2Own 2021Also on the second day of Pwn2Own 2021, Bruno Keith and Niklas Baumstark of Dataflow Security earned $100,000 for an exploit that works both on the Chrome and Microsoft Edge web browsers.

If attempts to hack the Parallels virtualization product failed on the first day, on the second day, Jack Dates from RET2 Systems and Sunjoo Park (aka grigoritchy) earned $40,000 each for executing code on the underlying operating system through the Parallels Desktop application.

There were also two successful attempts to escalate privileges on Windows 10 and one successful privilege escalation exploit on Ubuntu. These earned participants $40,000 and $30,000, respectively.

Team Viettel attempted to hack Microsoft Exchange, but their exploit leveraged a vulnerability that was used earlier in the competition so their attempt counted as a partial win.

On the first day of Pwn2Own 2021, participants earned $570,000, including $440,000 for exploits targeting Microsoft products (Teams, Exchange and Windows). According to Trend Micro’s Zero Day Initiative (ZDI), which organizes the competition, it’s the first time more than one million dollars have been paid out in total at Pwn2Own, and there are still several more attempts scheduled for the last day of the event.

The hacking attempts scheduled for the third day of Pwn2Own will target Parallels, Exchange, Ubuntu, and Windows 10.

UPDATE: Zoom has reached out to SecurityWeek to provide the following statement:

“We thank the Zero Day Initiative for allowing us to sponsor and participate in Pwn2Own Vancouver 2021, an event highlighting the critical and skillful work performed by security researchers. We take security very seriously and greatly appreciate the research from Computest. We are working to mitigate this issue with respect to Zoom Chat, our group messaging product. In-session chat in Zoom Meetings and Zoom Video Webinars are not impacted by the issue. The attack must also originate from an accepted external contact or be a part of the target’s same organizational account. As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust. If you think you’ve found a security issue with Zoom products, please send a detailed report to our Vulnerability Disclosure Program in our Trust Center.”

Related: Researchers Earn $280,000 for Hacking Industrial Systems at Pwn2Own Miami

Related: Routers, NAS Devices, TVs Hacked at Pwn2Own Tokyo 2020

Related: NETGEAR Router, WD NAS Device Hacked on First Day of Pwn2Own Tokyo 2020

Related: Researchers Hack Windows, Ubuntu, macOS at Pwn2Own 2020

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet