TBA 2026
Get ready for the 2026 ZeroDay.cloud vulnerability hacking competition.
Ongoing CTF Challenge
Join our monthly CTF challenge! Go hands-on with real-world cloud security scenarios.
Dec 10-11, 2025
11 critical zero-day exploits demonstrated live on stage.
Zero-Days Found
Researchers
Prizes Awarded
CTF Challenges
Technical writeups from elite researchers who discovered critical zero-day vulnerabilities.
View All WriteupsA use-after-free inside Redis's blocking-client code path allows an authenticated user to execute arbitrary OS commands. Discovered by Xint Code and demonstrated at ZeroDay.Cloud 2025.
Team Xint Code
Jun 2DarkReplica is a post-authentication Use-After-Free in Redis's replication subsystem. By abusing master-replica synchronization during a running Lua script, the freed Lua engine can be controlled to achieve arbitrary code execution.
Yoni SherezJun 2Two independent double-free bugs in Redis's RDB loading code — one in legacy zipmap conversion, one in stream consumer group deserialization — both leading to remote code execution via the RESTORE command.
Emil LernerJun 2More than just a competition. Build your reputation, earn rewards, and connect with elite security researchers.
We're a global community of security researchers, ethical hackers, and cybersecurity enthusiasts united by our passion for discovering and responsibly disclosing vulnerabilities.
From our annual conferences to local meetups, we bring together the brightest minds in security to learn, compete, and collaborate.
