Update, May 16, 2026
Pwn2Own 2026 has finished and we have witnessed one successful attempt on our products. On May 16, 2026, Nguyen Hoang Thach of STARLabs SG successfully demonstrated an exploit targeting VMware ESX.
We are actively working on the remediation and we plan to publish a VMware Security Advisory to provide information on updates for the affected products.
We would like to thank the Zero Day Initiative (ZDI) for allowing us to participate and the team from STARLabs SG for working with us to address the reported issue.
Initial post
The Broadcom PSIRT Team (VCF Division) is pleased to announce VMware’s participation in Pwn2Own Berlin 2026, organized by the Zero Day Initiative (ZDI). The competition will run from May 14–16, alongside OffensiveCon in Berlin, Germany.
Members of our team will be on-site to validate any VMescape demonstrations on ESX. If you are attending and have any questions for us, we would be happy to connect with you in-person.
VMware ESX continues to be a primary target in the virtualization category. A successful VMescape demonstration carries prize money of $150,000, with an additional $50,000 bonus available. This year, the contest is limited to ESX as VMware Workstation has been removed from the competition’s target list.
We would like to thank the Zero Day Initiative (ZDI) for the opportunity to participate. We will update this post as additional details become available. To stay informed on the latest VMware Security Advisories (VMSAs), please sign up here.
