Pwn2Own Ireland 2025: 34 Zero-Day Vulnerabilities Uncovered, $522,500 Awarded on Day One

The opening day of Pwn2Own Ireland 2025 concluded with security researchers identifying 34 unique zero-day vulnerabilities across a range of smart devices. Every exploit attempt was successful, and a total of $522,500 in prize money was awarded. The event, held in Cork, Ireland, from October 21 to 24, serves as a platform for top-tier researchers to test the security of widely used gadgets, including printers, routers, and smart home systems.

A standout performance was delivered by Team DDOS, comprising Bongeun Koo and Evangelos Daravigkas. They chained eight distinct vulnerabilities, several of them injection flaws, to compromise the QNAP Qhora-322 router together with a TS-453E NAS device. This SOHO Smashup challenge earned them $100,000 and 10 Master of Pwn points, positioning them prominently on the leaderboard.

Other notable accomplishments included Team Neodyme’s exploitation of a stack buffer overflow in the HP DeskJet 2855e printer, securing $20,000, and Synacktiv’s execution of root-level code on the Synology BeeStation Plus via a stack overflow, which garnered $40,000.

Printers emerged as a focal point for multiple attacks. STAR Labs initiated this trend by leveraging a heap buffer overflow in the Canon imageCLASS MF654Cdw, resulting in a $20,000 prize. Subsequent rounds saw SHIMIZU Yutaro from GMO Cybersecurity earn $10,000 through another stack overflow on the same Canon model. Team PetoWorks exploited an invalid-pointer release bug for an additional $10,000, and Team ANHTUD concluded the printer-focused exploits with a heap buffer overflow, also earning $10,000. These repeated successes underscore the susceptibility of everyday office printers to serious security compromise.

Smart home devices were not spared. Summoning Team's Sina Kheirkhah used two vulnerabilities to achieve code execution on the Synology DiskStation DS925+, earning $40,000. Stephen Fewer from Rapid7 combined three flaws, including a server-side request forgery and a command injection, to compromise the Home Assistant Green hub, securing another $40,000. Compass Security's team later employed an arbitrary file write and a cleartext data leak on the same device for an additional $20,000. Meanwhile, dmdung from STAR Labs exploited an out-of-bounds access on the Sonos Era 300 speaker, claiming a $50,000 prize.

The Philips Hue Bridge was a frequent target. Team ANHTUD initiated attacks with a four-bug chain, including overflows and an out-of-bounds read, earning $40,000. Hank Chen from InnoEdge Labs followed with an authentication bypass and out-of-bounds write, securing $20,000 in the second round. Although Team DDOS withdrew their attempt on this device, the competition remained intense.

DEVCORE Research Team demonstrated exceptional skill by combining multiple injections and a rare format string bug to exploit the QNAP TS-453E, highlighting the critical need for robust security measures in network-attached storage devices.

The first day of Pwn2Own Ireland 2025 not only showcased the prowess of the global cybersecurity community but also emphasized the pressing need for manufacturers to fortify their devices against potential exploits. As the competition progresses, the anticipation for further groundbreaking discoveries continues to build.