
Ant Group's Tianqiu Light-Year Security Research Team Wins Tianfu Cup International Cybersecurity Competition with Groundbreaking Exploits

The Tianqiu Light-Year Security Research Team from Ant Group secured the championship and Best Product Cracking Award at the 2023 Tianfu Cup International Cybersecurity Competition by achieving five high‑impact exploits, including a first‑ever VMware ESXi VM escape, Chrome remote code execution, and Adobe Reader defense bypass.

AntTech

On November 1, the "Tianfu Cup" 2023 International Cybersecurity Competition, a premier hacking contest, concluded in Chengdu. It was organized by the Ministry of Public Security together with leading institutions such as Tsinghua University, the National Industrial Information Security Development Research Center, and Beijing Zhongguancun Laboratory.

The event attracted a record 62 teams, featuring white‑hat hackers from top domestic and overseas labs who tackled attack‑defense challenges across security devices, office software, cloud services, mobile platforms, operating systems, browsers, and virtualization.

The Ant Group Tianqiu Light-Year Security Research Team won the "Best Product Cracking First Prize" and the overall championship. Their achievements included five breakthrough exploits: a VMware ESXi virtual‑machine escape, Chrome remote code execution, Adobe Reader remote code execution, Windows 11 privilege escalation, and WPS remote code execution.

Highest‑difficulty achievement: VMware ESXi virtual‑machine escape

VMware ESXi is a core component of cloud computing; escaping its sandbox grants control over the entire host server and all guest VMs. After two years without a public escape, the team leveraged a severe ESXi vulnerability, crafted a novel exploitation chain, performed precise memory manipulation, achieved arbitrary code execution inside the sandbox, and then broke out to obtain full physical‑machine privileges, earning the "Most Valuable Product Cracking" award.

Ancient vulnerability exploited for Chrome remote code execution

Team member Huang Xilin discovered a Chrome vulnerability that had existed for at least ten years. He bypassed Chrome's recent mitigation mechanisms with a unique technique, achieving remote code execution when a user simply clicks a malicious link in the browser.

World‑first bypass of Adobe Reader's new defense

Researchers Ying Xinlei and Zhang Ziming used a two‑stage attack on Adobe Reader: first, they exploited a newly discovered sandbox‑escape vulnerability that overcame Adobe's recent memory‑isolation defense, achieving arbitrary code execution inside the sandbox; second, they leveraged a Windows kernel flaw to gain system‑level privileges, marking the first public break of Adobe Reader's latest protection.

Beyond competition success, the Tianqiu Lab continuously translates its research into practical security platforms, such as a multi‑dimensional intelligent risk mining system and a continuous risk verification platform, which automate threat simulation and vulnerability discovery for both internal and external stakeholders. The lab commits to advancing offensive‑defensive techniques to protect Ant Group and the broader ecosystem.
