Security Experts:

Connect with us

Hi, what are you looking for?



Microsoft Teams Exploits Earn Hackers $450,000 at Pwn2Own 2022

Vulnerability researchers earned a total of $800,000 on the first day of the Pwn2Own Vancouver 2022 hacking contest, including $450,000 for exploits targeting Microsoft Teams.

Vulnerability researchers earned a total of $800,000 on the first day of the Pwn2Own Vancouver 2022 hacking contest, including $450,000 for exploits targeting Microsoft Teams.

All ten hacking attempts were successful and Trend Micro’s Zero Day Initiative (ZDI), which organizes the event, said the total amount of money awarded to participants was the biggest for a single day in the contest’s history.

A total of 16 zero-day vulnerabilities were exploited against Teams, Oracle VirtualBox, Firefox, Windows 11, Ubuntu, and Safari.

The Teams exploits received the highest payouts — $150,000 has been awarded for each of three exploit chains. Masato Kinugawa leveraged a three-bug chain that included an injection, a misconfiguration and a sandbox escape. Hector “p3rr0” Peralta demonstrated an improper configuration, and the STAR Labs team used a zero-click remote code execution exploit that leveraged an injection and an arbitrary file write flaw.

There is one more attempt targeting Teams, scheduled for Friday, the last day of Pwn2Own.

Another significant bug bounty was earned by Manfred Paul — $100,000 for a Firefox sandbox escape exploit involving prototype pollution and improper input validation. The researcher has also earned $50,000 for a Safari hack.

The remaining exploits earned participants $40,000 each.

Researchers will also take a crack at hacking a Tesla Model 3 at Pwn2Own 2022, with two attempts scheduled for Thursday. Successfully hacking a car can earn participants up to $600,000 and a new Tesla.

This is the second Pwn2Own taking place this year. In April, at Pwn2Own Miami 2022, which focuses on industrial control systems (ICS), contestants earned a total of $400,000 for their exploits.

Related: White Hats Earn $440,000 for Hacking Microsoft Products on First Day of Pwn2Own 2021

Related: Printers Hacked for First Time at Pwn2Own

Related: $1.9 Million Paid Out for Exploits at China’s Tianfu Cup Hacking Contest

Related: Serious Vulnerability Exploited at Hacking Contest Impacts Over 200 HP Printers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet