Threatcast

47 Zero-Days, No Patches: Pwn2Own Berlin's Reckoning

01 Cold Open: 47 Zero-Days, No Patches (00:00)
Halil: Forty-seven zero-days. No patches. And a weaponization clock that researchers say ticks down in seventy-two to ninety-six hours.
Halil: Welcome to CyberDaily Threatcast. I'm Halil Öztürkci. Let's get into it.
Halil: Today's session is dense. Pwn2Own Berlin 2026 just wrapped — Exchange, SharePoint, and VMware ESXi all cracked, zero vendor patches in sight. And for the first time in Pwn2Own history, AI platforms had their own exploit category. LiteLLM, Codex, Claude Code — all fell.
Halil: On top of that: DPRK pulled roughly two billion dollars in crypto theft last year — sanctions containment is, by most assessments, functionally broken. An eleven-point-six-million-dollar cross-chain bridge drain happened seven days after a security update, and there's a narrow recovery window still open. And production-ready deepfake tools are bypassing KYC liveness checks at major exchanges — with unresolved regulatory liability attached.
Halil: Four threads. All new. All urgent. We start with Pwn2Own.
02 Sponsor — Blue Cortex AI (01:28)
Halil: This episode is brought to you by Blue Cortex AI and Tarhy — their autonomous SOC platform. Here's what Tarhy does: it pulls alerts from your EDR stack — Defender, CrowdStrike, Cortex XDR, SentinelOne — and its AI agents triage every single one, around the clock. Not just pattern matching. Multi-step reasoning, cross-event correlation, MITRE ATT&CK mapping, and a confidence-scored verdict — all in about three minutes. And here's the thing that matters: their Neural Timeline shows you exactly how the AI reached each decision. No black box. The results speak for themselves — sixty to seventy percent fewer false positives, eighty percent faster time to verdict. If your SOC is drowning in five thousand alerts a day, Tarhy can save twenty-five hundred analyst hours a month. Check them out at bluecortex.ai.
03 Pwn2Own Berlin: Exchange, SharePoint, and the ESXi Tenant Escape (02:36)
Halil: Alex, forty-seven zero-days. Walk us through the priority stack.
Alex: So — three things that matter most. DEVCORE cracked SharePoint for a hundred grand, Exchange RCE chains are confirmed in the aggregate, and StarLabs took ESXi for two hundred thousand via a memory corruption cross-tenant escape.
Halil: Cross-tenant. Meaning what, exactly?
Alex: Meaning your VM on Host X can touch another tenant's VM on the same host. That's not a standard VM escape — isolation between guest VMs failed entirely. For any multi-tenant cloud running ESXi, that's an existential threat.
James: Right. And here's the part that stings — I found no targeted mitigation in any vendor advisory for the ESXi cross-tenant issue. None. The generic hardening I can give you is Lockdown Mode, strict VLAN segmentation per tenant. But let's be honest.
Alex: Weak compensation.
James: Exactly. Weak compensation for a memory corruption hypervisor break. The patch is the only real fix, and we're ninety days out at minimum.
Halil: What about Exchange and SharePoint? James, you called those actionable right now.
James: Yeah. For Exchange and SharePoint — pull them off the internet if you can. If you're hybrid, restrict ingress to Microsoft IP ranges. Block w3wp.exe spawning PowerShell or cmd via AppLocker or WDAC.
Alex: I want to flag the false positive question before James moves on. Those execution-blocking rules — about fifteen percent false positive rate in SharePoint workflow environments. Three percent on pure Exchange. Test before mass deployment.
James: Good catch. Tune to your environment. These aren't fire-and-forget rules.
Halil: Alex, why are the Exchange and SharePoint chains especially dangerous compared to typical RCEs?
Alex: They're deterministic. No ASLR lottery, no timing races. A two-bug chain against SharePoint — pre-auth RCE into auth bypass or sandbox escape — once details leak, capable actors hit seventy-two to ninety-six hour weaponization. That's the window.
Lena: And the ZDI's ninety-day clock started May thirteenth. Patches should arrive by mid-August. The dangerous phase is days thirty to ninety — when patch diffing exposes the primitives before defenders have the fix.
Halil: Lena, that's the adversary's sweet spot.
Lena: It always is. We've seen this with every major ZDI disclosure cycle. The diff lands, researchers reconstruct the chain, and nation-state actors move first.
04 NGINX and Microsoft Authenticator: The Other Urgent Patches (05:23)
Halil: Before we leave the vulnerability landscape — James, you flagged NGINX CVE 2026 42945 separately. That's not Pwn2Own. What's the urgency there?
James: Active exploitation confirmed per security advisories. This one escalated from proof-of-concept to in-the-wild between May fourteenth and now. That changes the timeline from seventy-two hours to twenty-four.
Alex: The bug is in the ngx_http_rewrite_module — specifically when rewrite directives combine with PCRE captures including question marks in replacement strings. It's specific but it's real.
James: Patch now. And audit your rewrite configurations for PCRE captures with URI replacement strings while you're at it. Pre-stage the binaries.
Halil: And Microsoft Authenticator — CVE 2026 41615. Lower urgency?
James: No exploitation observed in the wild yet. But the patched versions are confirmed — Android 6.2605.2973 and above, iOS 6.8.47 and above. Update all managed devices. Token theft isn't the kind of vulnerability you want to find out about after the fact.
Alex: Agreed. No exploitation today doesn't mean no exploitation tomorrow. Check the MSRC advisory, identify current versions, push the update.
Halil: Hmm. Two separate urgent tracks running simultaneously — Pwn2Own ninety-day clock on one side, active exploitation on the other. James, how do defenders actually prioritize when everything is on fire?
James: Priority matrix: one — internet-facing and actively exploited, that's NGINX, patch today. Two — internal but critical for lateral movement, that's Exchange and SharePoint. Three — everything else. You can't patch everything at once. Make the list, work it in order.
05 Pwn2Own AI Category: LiteLLM's Dual-Vector Crisis (07:44)
Halil: Now to something genuinely new — Pwn2Own had an AI platform category for the first time. Arjun, give us the picture.
Dr.: So — it was a bloodbath. LiteLLM, OpenAI Codex, Cursor, Ollama, Claude Code, LM Studio, NVIDIA Megatron Bridge, Chroma. All fell. Total payout over a million dollars across the category.
Halil: What vulnerability classes? Are we talking exotic AI attacks or—
Dr.: Classical web application bugs. LiteLLM fell to SSRF plus code injection — three chained bugs, forty thousand dollars. Codex fell to two independent teams. Ollama's chain included a known vulnerability.
Alex: That's the part that gets me. These aren't novel AI-specific primitives. It's SQL injection logic applied to neural network infrastructure. The attack surface inherited every sin of the software stack underneath.
Dr.: Exactly. And that's arguably worse than an exotic AI-specific attack. Defenders can't quarantine AI platforms as a special case. The same exploit tradecraft applies.
Halil: You called LiteLLM and Chroma the highest downstream risk. Why those two specifically?
Dr.: LiteLLM sits at the API gateway layer. It sees all model requests, all API keys, all routing logic across multiple LLM providers. SSRF there means lateral reach to internal cloud metadata endpoints, credential exfiltration, internal services the model was never supposed to touch.
Alex: It's the throat to choke for any shop running production inference.
Dr.: And Chroma is the vector database every RAG pipeline uses — that's every system where an LLM retrieves context from internal documents. A Chroma RCE isn't just code execution. It's retrieval-surface poisoning. You manipulate what the model knows without touching the weights.
Halil: Now — LiteLLM was already compromised in April via supply chain. Arjun, this isn't the same incident.
Dr.: Completely separate attack vector. In April, TeamPCP poisoned PyPI versions 1.82.7 and 1.82.8 — supply chain compromise, forty minutes on PyPI, backdoored Mercor, four terabytes exfiltrated including PII, video interviews, source code. Ten billion dollars in Meta contracts paused.
Halil: And now at Pwn2Own—
Dr.: A completely unrelated researcher chains three runtime bugs and walks away with forty thousand dollars. LiteLLM is being hit from the dependency layer and the runtime layer simultaneously. That's dual-vector convergence against the same critical component.
James: So practically — anyone still running affected 1.82.x versions should have rotated credentials after April already. If you haven't, stop listening right now and do that. Then segment the LiteLLM deployment — it should not have network reach to internal services or cloud metadata.
Dr.: And pin to known-good versions with hash verification. The April attack worked because PyPI attestation is weak. Use pip's hash pinning or opaque dependency verification.
06 DPRK's Two-Billion-Dollar Machine: Bybit, Lazarus, and the Attribution Question (11:19)
Halil: DPRK crypto theft. Viktor, Lena — multiple sources are converging on roughly two billion dollars stolen in 2025. How solid is that number?
Lena: High confidence on the order of magnitude. CrowdStrike reports two-point-zero-two billion. CertiK documents two-point-zero-six billion for 2025, sixty percent of total crypto theft losses that year. TRM Labs shows DPRK at seventy-six percent of all crypto hack losses in 2026 through April alone — five hundred seventy-seven million in that window.
Viktor: Three independent methodologies converging in the same range. That's not noise. The fifty-one percent year-over-year increase also tracks — they're doing fewer operations but targeting higher-value assets.
Halil: Lena, you flagged an attribution nuance on Bybit that I don't want to gloss over.
Lena: Right. The Bybit hack — one-point-five billion dollars, the largest single crypto theft on record — is consistently attributed to Lazarus Group proper. The FBI and IC3 confirm that. The Pressure Chollima reference in CrowdStrike's report appears to describe reconnaissance activity and supply chain positioning, not the actual theft operation.
Viktor: The distinction matters for defensive modeling. Pressure Chollima does the months-long social engineering and developer access infiltration. Lazarus executes the financial operation. Whether that's a handoff relationship or a subcluster arrangement — we don't have high-confidence data either way.
Lena: The Drift Protocol case is instructive. UNC4736 — that's Mandiant's tracking name for what CrowdStrike calls Golden Chollima, a North Korean cyber unit — ran eight months of social engineering starting August 2024. Video calls with fabricated identities, sustained persona maintenance. Then manual credential compromise in April 2025.
Halil: That forty-three percent surge in hands-on-keyboard activity CrowdStrike documented — what does that signal operationally?
Lena: Detection evasion pressure. Automated tooling signatures are well-catalogued by SOC teams now. They're shifting the exploitation phase toward manual operation to stay below detection thresholds. It's not replacing automation at initial access — phishing and supply chain poisoning still work fine there.
Viktor: And the laundering speed is extraordinary. Per TRM Labs analysis of Bybit — Lazarus moved the bulk of funds through automated laundering infrastructure within hours. Hundreds of peel chains, multiple cross-chain bridges, asset swaps via DEXs, then mixers including Tornado Cash. That's not a person clicking. That's pre-built automated infrastructure.
Halil: Viktor, recoverability on Bybit?
Viktor: Minimal in the near term. The primary freezing window closed within twenty-four to forty-eight hours. Secondary tracing against exchange KYC points is still viable, but the velocity outpaces most law enforcement response times. The Cryptomixer takedown was significant — that was a Lazarus mainstay — but they've already pivoted.
07 Sanctions Arbitrage: Is Financial Containment of DPRK Functionally Broken? (14:53)
Halil: Elena, you called this 'sanctions arbitrage by cyber means.' Make that case.
Dr.: The UN's Multilateral Sanctions Monitoring Team documented one-point-six-four-five billion in DPRK cryptocurrency theft between January and September 2025 alone. The Japanese government assessment concludes that cryptocurrency theft combined with Russian weapons sales now earns Pyongyang more than before expanded UN sanctions took effect in 2016 and 2017.
Halil: Wow.
Dr.: Think about what that means. We are at a parallel moment to post-WannaCry 2017, except this time the sanctions haven't deterred — they've been functionally surpassed. The containment architecture is not weakening. It has been outflanked.
Lena: And the IT worker pipeline is the structural enabler. The DOJ in January 2025 documented DPRK IT workers securing developer positions at cryptocurrency companies and directly stealing hundreds of millions. One hundred DPRK-backed individuals infiltrated crypto projects as remote hires — confirmed by the Ethereum Foundation.
Dr.: That's the point — legitimate cover for intelligence collection and direct insertion capability for hands-on-keyboard theft. What began as parallel revenue streams now appears institutionally consolidated. The Drift Protocol case shows six months of relationship-building before compromise. This is not improvisation.
Halil: Is this centrally directed or emergent coordination?
Dr.: That's the open question I've been tracking since May. The pattern suggests institutionalization rather than organic convergence. But I won't attribute central direction without harder evidence.
Lena: Agreed. The behavioral signatures suggest bureau-level coordination. Whether that reflects a unified command structure or aligned incentives producing similar outputs — the data doesn't resolve it cleanly.
Halil: For defenders, does the distinction matter?
Viktor: Operationally? Not much. The TTPs are consistent. Ingest the CrowdStrike 2026 fintech report's DPRK and Lazarus indicators. Implement developer access monitoring for supply chain compromise signals. The attribution debate is for analysts and policymakers.
James: That's where I land too. Know the TTP profile, monitor the access patterns, treat every developer with privileged repo access as a potential vector. Not paranoia — process.
08 Verus-Ethereum Bridge: The Eleven-Million-Dollar Trust-Model Failure (17:39)
Halil: Viktor — eleven-point-six million dollars drained from the Verus-Ethereum bridge, seven days after a security update. Root cause?
Viktor: Classic verification gap. The bridge correctly verified the notarized Verus state root — eight of fifteen valid notary signatures, cryptographically sound. What it failed to do was verify that the cross-chain import message actually existed at that validated state root.
Halil: Meaning the envelope was authentic but the letter inside was forged.
Viktor: Exactly. The attacker submitted a forged cross-chain import payload claiming value on the Verus side that wasn't there. The Ethereum-side contract released assets anyway. One-hundred-three-point-six tBTC, sixteen-twenty-five ETH, a hundred-forty-seven thousand USDC — all consolidated and swapped into approximately five-thousand-four-hundred-and-two ETH.
Halil: Lena, you've been tracking bridge exploits. Where does this fit?
Lena: Viktor's taxonomy is right. This is the KelpDAO pattern — trust-model forgery — not the Hyperbridge pattern of admin privilege escalation. Wormhole 2022, Nomad 2022, KelpDAO, now Verus. Same structural failure class, recurring.
Viktor: The fundamental flaw: verification of source state is not the same as verification of economic value binding between source and destination. Until bridge architectures treat those as separate mandatory checks, we'll keep seeing this.
Halil: Seven days after a security update. Coincidence?
Viktor: Suspiciously tight. Either the patch missed this specific validation gap entirely, or the attacker had visibility into the update cycle — possibly through reverse engineering the patch. I don't have evidence for which, but the timing is a red flag.
Halil: Is there a recovery window?
Viktor: Yes, but it's measured in days, not weeks. As of May eighteenth, five-thousand-four-hundred-and-two ETH remains consolidated in a single attacker wallet. The network is halted. If law enforcement can coordinate with exchanges before those funds fragment through mixers or bridges, a freeze is technically possible.
Halil: The attacker seeded the wallet via Tornado Cash before the exploit.
Viktor: One ETH upstream for deployment capital — standard obfuscation. But the stolen funds themselves haven't fragmented yet. The single consolidated wallet is the window. If they follow the Lazarus model — bridge to Bitcoin, peel chains, non-KYC exchanges — that ETH vanishes. Exchange coordination needs to happen now.
09 Deepfake KYC Bypass: Production-Ready Tools and the Liability Gap (20:51)
Halil: Isabelle — deepfake tools bypassing KYC liveness detection. Seqrite documented this across Indian financial institutions. How real is the capability?
Isabelle: Production-ready. JINKUSU CAM — confirmed in twenty-five million dollars of fraudulent transactions across Binance, Coinbase, Kraken, and OKX. GPU-accelerated face-swapping, GFPGAN-based facial expression mapping, voice synthesis with pitch adjustment, virtual camera injection via OBS.
Halil: It can respond to liveness challenges? In real time?
Isabelle: That's the qualitative shift. This isn't pre-recorded synthetic video. Operators can respond to prompts, head-turn requests, blink checks — interactively, in real time. The liveness challenge assumption just broke.
Dr.: And this ties directly to what we discussed with LiteLLM. The generative capability curve is outpacing the detection curve. Real-time deepfake generation used to require five minutes of sample audio for voice cloning. These tools have dropped that requirement significantly.
Isabelle: Our detection caught last quarter's models. This quarter's models bypass it. That's the arms race we're in. Visual artifact analysis — blinking inconsistencies, ear boundary artifacts — is being bypassed by the newest real-time generation. What still holds: temporal consistency analysis on rapid motion, multi-modal cross-verification, and behavioral biometrics.
Halil: Sofia, who holds the liability when a bank gets hit by this?
Dr.: Under India's Digital Personal Data Protection Act 2023 — the Data Fiduciary, meaning the bank, holds the obligation. Section 33 establishes fines up to two hundred crore rupees for failure to notify the Data Protection Board of India, and up to two hundred fifty crore rupees for failure to implement reasonable security safeguards.
Isabelle: Hmm.
Dr.: No vendor pass-through exemption in the statute. The bank is liable to the regulator and to data subjects. Any indemnification against the vendor has to be negotiated contractually — it doesn't flow automatically from the law.
Halil: And for cross-border institutions? EU exposure?
Dr.: Concurrent obligations. Under the EU AI Act, biometric identification is classified as high-risk AI under Annex III. Deploying banks face Deployer obligations, vendors face Provider obligations. Penalties reach fifteen million euros or three percent of global annual turnover, whichever is higher. A cross-border institution faces both regimes simultaneously.
Halil: Isabelle, is India an anomaly or an early signal?
Isabelle: Early signal. JINKUSU CAM targets global exchanges — this is not geographically contained. India is visible because the digital identity ecosystem is mature: Aadhaar, rapid fintech adoption, mobile-first banking. The capability is exportable. Southeast Asian fintech corridors, African mobile money platforms, Latin American neobanks — all face the same threat profile.
James: For financial institutions right now: assess your liveness detection vendor's resilience against real-time deepfake injection. The most effective countermeasure is callback verification — independent verification through a separate channel for high-risk transactions. Pair that with liveness challenge randomization. Don't use predictable patterns.
10 Synthesis and Action Items (24:35)
Halil: Let me pull these threads together, because they connect more than they might first appear.
Halil: Pwn2Own Berlin gave us forty-seven zero-days and zero patches. The Exchange and SharePoint chains are deterministic — once technical details leak, capable actors hit in seventy-two to ninety-six hours. ESXi is worse: a confirmed cross-tenant hypervisor escape with no targeted mitigation available, just weak generic hardening. The ninety-day ZDI clock started May thirteenth.
Halil: The AI platform category is a first — and the vulnerability classes were classical web application bugs, not exotic AI attacks. LiteLLM is in the most dangerous position: supply chain compromised in April, runtime SSRF and code injection cracked at Pwn2Own in May. Dual-vector, same critical infrastructure component.
Halil: DPRK pulled roughly two billion dollars last year. Three independent research organizations converge on that figure. The sanctions regime has been functionally outflanked — Pyongyang now earns more than before expanded UN sanctions took effect. Elena's framing stands: this is sanctions arbitrage by cyber means, operating below the threshold of armed response.
Halil: The Verus bridge has five-thousand-four-hundred-and-two ETH sitting in a consolidated wallet right now. That window is days, not weeks. The same trust-model forgery flaw that hit Wormhole, Nomad, and KelpDAO hit Verus seven days after a security update. Bridge operators: cross-chain import message existence validation must be a separate mandatory check from state root verification.
Halil: And the deepfake KYC bypass threat is not theoretical. Twenty-five million dollars of confirmed fraud. Real-time interactive liveness challenge bypass. Banks in India face penalties up to two hundred fifty crore rupees under the DPDP Act with no vendor pass-through. Get legal review of your liability framework before assuming it's settled.
Halil: Your action list from today's session — and this is in priority order. One: LiteLLM. Audit and isolate from production AI pipelines immediately. Treat as dual-compromised infrastructure. Two: NGINX CVE 2026 42945 — patch today. Active exploitation reported, twenty-four-hour emergency window. Three: Exchange and SharePoint compensating controls right now — pull internet exposure, block w3wp.exe child process spawning via AppLocker or WDAC, monitor anomalous ECP and OWA POST patterns. Test for false positives in your environment first.
Halil: Four: VMware ESXi — enable Lockdown Mode, enforce strict VLAN segmentation per tenant, monitor VMware advisories daily. Accept that these are weak compensations until the patch lands. Five: Microsoft Authenticator — check MSRC advisory for CVE 2026 41615, update all managed devices to confirmed patched versions. Six: Crypto bridges and exchanges — coordinate immediately on the Verus attacker wallet before funds fragment. Seven: Financial institutions using biometric KYC — assess your liveness detection vendor today, implement callback verification and randomized challenges, obtain legal review of DPDP Act and AI Act obligations.
Halil: What we'll be watching tomorrow: whether VMware or Microsoft release emergency guidance ahead of the ninety-day window, any movement on the Verus attacker wallet, and whether the NGINX exploitation widens in scope.
Halil: That's it for today's CyberDaily Threatcast. Stay safe. See you tomorrow. Thanks to Blue Cortex AI for sponsoring today's episode. Autonomous SOC, real reasoning, no black box. bluecortex.ai.
Mon 18 May: 47 Zero-Days, No Patches: Pwn2Own Berlin's Reckoning (30:29, 10 scenes)