Pwn2Own Ireland 2025

---

Pwn2Own Ireland 2025, hosted by Trend Micro’s Zero Day Initiative (ZDI), is being held this week in Cork, Ireland, featuring record-breaking payouts and a strong lineup of device categories and security researchers.

Event Overview

The contest, running from October 21–24, 2025, includes eight major categories such as Smartphones, SOHO Smashup (routers and NAS), Printers, Smart Speakers, and more. The total prize pool exceeds $2 million, with the single largest potential payout being $1 million for a zero-click remote code execution exploit in WhatsApp on modern flagship devices like the Samsung Galaxy S25, iPhone 16, Pixel 9, and Xiaomi Redmi 13 5G.

Day One Results

On the first day, researchers successfully exploited 34 zero-day vulnerabilities and earned $522,500 in rewards.
Highlights included:

• Team DDOS chaining eight zero-days to hack a QNAP Qhora-322 router and QNAP TS-453E NAS ($100,000 award).
• The Synacktiv, Summoning, and DEVCORE teams all gained root access on various Synology and QNAP devices, earning $40,000 each.
• STARLabs, ANHTUD, and others successfully attacked Canon printers and Sonos smart speakers, earning $50,000 collectively.

Day Two Highlights

Day two featured a total of 56 new zero-days exploited and $792,750 in payouts:

• The Summoning Team took the lead in the “Master of Pwn” leaderboard after exploiting the Samsung Galaxy S25 using a 5-bug chain, earning $50,000.
• Other successful exploits targeted Synology NAS, QNAP, Philips Hue Bridge, Amazon Smart Plug, and Home Assistant Green devices.

Key Contest Categories

According to the official rules, major exploit targets include:

• Zero-click or one-click RCE on WhatsApp across leading smartphones.
• Local privilege escalation, sandbox escapes, and sensitive data access in mobile and IoT platforms.
• Proximity and network surface attacks against SOHO equipment and AR/VR devices like Meta Quest and Ray-Ban Meta Glasses.

Complete List of Devices and Exploits by Category

SOHO Smashup (QNAP Routers & NAS)

• QNAP Qhora‑322 Router and QNAP TS‑453E NAS:
  Exploited using an 8‑bug chain via WAN interface by Team DDOS – $100,000, 8 Master of Pwn points.
• QNAP TS‑453E:
• Hard‑coded credentials and injection (Summoning Team) – $20,000.
• Code injection flaw (Chumy Tsai, CyCraft) – $20,000.
• Multiple injections + format string (DEVCORE) – $40,000.
• Single reused bug (collision) – several teams earned reduced payouts of $10,000.

NAS Devices

• Synology BeeStation Plus – Root access exploit (Synacktiv Team) – $40,000.
• Synology DiskStation DS925+ – Authentication bypass (Verichains Team) – $20,000.
• Synology ActiveProtect Appliance DP320 – Two‑bug root chain (Summoning Team) – $50,000.

Printers

• Canon imageCLASS MF654Cdw – Out‑of‑bounds write bug (PHP Hooligans) and integer overflow (Team Neodyme) – each $10,000.
• Lexmark CX532adwe –
• Type confusion bug (Team Cluck) – $20,000.
• Path traversal + search path hijack (Interrupt Labs, ran Doom on screen) – $10,000.
• Heap overflow variant (Team Viettel, partial collision) – $7,500.

Smartphones

• Samsung Galaxy S25 –
• Five‑bug chain attack (Summoning Team) – $50,000.
• Improper input validation enabling camera and location takeover (Interrupt Labs) – $50,000.
• Further attempts on iPhone 16 and Pixel 9 scheduled without successful proof of concept reported.

Smart Home & IoT

• Philips Hue Bridge –
• Auth bypass, underflow (Xilokar) – $17,500.
• Authentication algorithm flaw (Kinnay) – $13,500.
• Heap buffer overflow (Thalium Team) – $13,500.
• Crypto bypass + heap overflow (Viettel Cyber Security) – $20,000.
• SSRF + weak storage + collision issue (Team ANHTUD) – $16,750.
• Sonos Era 300 Smart Speaker – Remote compromise (STARLabs) – $50,000.
• Home Assistant Green – Gained root access (Rapid7) – $40,000.
• Amazon Smart Plug – Attempt withdrawn (CyCraft Technology).

Surveillance Systems

• Ubiquiti AI Pro Camera – Dual‑bug exploit (Synacktiv) – $30,000.

Messaging & Wearables

• WhatsApp Zero‑Click RCE – No successful attempt; $1 million prize remains unclaimed.
• Meta Quest 3S – Failed attempt, only achieved DoS (Inequation CTF Team).

Notable Entrants

Teams participating include Summoning Team, Synacktiv, STARLabs, Team DDOS, DEVCORE, and Team Neodyme – many of whom are veteran winners of prior Pwn2Own events.

As of day two, The Summoning Team holds the top position in the leaderboard, but with the WhatsApp $1 million exploit still pending, the final day may bring dramatic shifts in rankings.