
VMware Hacked As $150,000 Zero-Day Exploit Dropped
Pwn2Own hackers use $150,000 exploit on VMware ESXi.
The elite hackers attending Pwn2Own in Berlin have made hacking history by successfully deploying a zero-day exploit against VMware ESXi. Having already made the headlines with no fewer than three zero-days compromising Windows 11 on day one of the hacking competition, day two kept the security surprises well and truly coming. Here's what you need to know.
Organizations have had a lot to digest regarding enterprise technology security issues over the last few weeks, what with the U.S. Cybersecurity and Infrastructure Security Agency urging them to ensure they are protected against a high-severity Chrome vulnerability already being exploited in the wild, HTTPBot attackers targeting business Windows networks, and Microsoft confirming a critical 10/10 cloud security vulnerability. You might think that the news of VMware ESXi being hacked using a $150,000 zero-day exploit is the icing on the security nightmare cake, but you couldn't be more wrong.
Context is everything, and the context here is the environment in which that zero-day was dropped. Pwn2Own is a twice-yearly hackathon where some of the world's leading hackers come together in friendly competition to see who can hack products and services, within strict time limits, using never-before-seen zero-day exploits, and earn the title Master of PWN. The good news is that this is all above board and legal. Remember that hacking is not a crime, folks, and the products and services being hacked have been submitted by the vendors for the purposes of discovering vulnerabilities before cybercriminals do.
In the case of the VMware ESXi zero-day exploit, this was the first time in Pwn2Own's history, stretching back to 2007, that the hypervisor has been successfully exploited. The hacker behind the achievement, Nguyen Hoang Thach, who is part of the STARLabs SG team, was able to deploy a single integer overflow exploit. This earned them a not-too-shabby reward of $150,000 on the spot, as well as 15 valuable points towards the coveted Master of PWN title.
I have reached out to Broadcom for a statement regarding the VMware ESXi zero-day at Pwn2Own, and will update this article should one be available.
