Recent Posts
Pwn2Own 2025: When Security Researchers Break Everything (And Why That's Good)
TL;DR
Three Pwn2Own competitions in 2025 (Tokyo, Berlin, Cork) resulted in 150 zero-day vulnerability disclosures across automotive, enterprise, and consumer IoT systems, with $2,989,750 awarded to researchers.
Key findings:
- Memory corruption (45%): 68 instances of buffer overflows (CWE-787, CWE-121/122), use-after-free (CWE-416), integer overflows (CWE-190), and type confusion (CWE-843)
- Injection attacks (30%): 45 instances of command injection (CWE-78) and format string vulnerabilities (CWE-134)
- Authentication failures (13%): 20 instances including hard-coded credentials (CWE-798), missing authentication (CWE-306), and authentication bypasses (CWE-287)
Notable exploits:
Why Your Cloud Security Is Probably Broken (And How Keylime Fixes It)
Hot take: Most “secure” cloud deployments are just expensive theater. You’ve got firewalls, access controls, endpoint protection - but what if someone compromises your bootloader before any of that even starts?
This isn’t theoretical. Real attackers are targeting the boot process, hypervisors, and kernel-level compromises that happen before your security stack loads. Your fancy SIEM won’t help if the system reporting to it has been compromised from day one.
The Trust Problem No One Talks About
Here’s what keeps me up at night: How do you trust a system you can’t physically touch?
SPIFFE: Secure Production Identity Framework for Everyone
If you’re running microservices in production, you’ve probably hit this wall: how do services actually authenticate to each other?
The old approach of “throw everything behind a firewall and call it secure” doesn’t work when your services are scattered across multiple clouds, spinning up and down constantly, and talking to each other over networks you don’t fully control.
Most teams end up with some combination of:
- API keys stuffed into environment variables
- Certificates that someone manually rotates (when they remember)
- Service accounts with way too many permissions
- That one shared secret that’s been in the codebase since 2019
SPIFFE is designed to solve this mess.