The Pwn2Own Ireland 2025 competition concluded with security researchers identifying 73 unique zero-day vulnerabilities across a diverse array of devices and earning a total of $1,024,750 in prize money. Hosted by the Zero Day Initiative (ZDI) and supported by industry leaders such as Meta, Synology, and QNAP, the event underscored the critical importance of proactive vulnerability research in today’s rapidly evolving technological landscape.
Event Overview
Spanning three days, Pwn2Own Ireland 2025 brought together top-tier security experts to test the resilience of various consumer and enterprise devices, including smart home gadgets, printers, network-attached storage (NAS) systems, and smartphones. The competition’s structure rewarded not only the discovery of vulnerabilities but also the creativity and technical prowess demonstrated in exploiting them.
Day One Highlights
The first day set a high standard, with researchers uncovering 34 zero-day vulnerabilities and earning a collective $522,500. Notably, Team DDOS, comprising Bongeun Koo and Evangelos Daravigkas, executed a sophisticated attack on the QNAP Qhora-322 router and TS-453E NAS device. By chaining eight distinct vulnerabilities, including multiple injection flaws, they achieved a successful SOHO Smashup and secured a $100,000 reward along with 10 Master of Pwn points.
Printers emerged as a focal point, with multiple teams demonstrating successful exploits:
– Team Neodyme exploited a stack buffer overflow in the HP DeskJet 2855e printer, earning $20,000.
– Synacktiv achieved root-level code execution on the Synology BeeStation Plus via a stack overflow, securing $40,000.
– STARLabs utilized a heap buffer overflow to compromise the Canon imageCLASS MF654Cdw printer, receiving $20,000.
These findings highlighted the often-overlooked vulnerabilities present in everyday office equipment.
Day Two Achievements
The momentum continued into the second day, with participants discovering 56 new zero-day vulnerabilities and amassing $792,750 in rewards. A standout performance came from the two-person team of Ken Gannon of the Mobile Hacking Lab and Dimitrios Valsamaras of the Summoning Team, who exploited a complex combination of five flaws to compromise a Samsung Galaxy S25 device. This intricate attack earned them a $50,000 prize and 5 Master of Pwn points.
Other notable exploits included:
– Chumi Tsai of CyCraft Technology compromised the QNAP TS-453E NAS device, earning $20,000.
– Verichains Cyber Force successfully attacked the Synology DS925+ NAS, securing $20,000.
– Synacktiv Team exploited the Philips Hue Bridge, receiving $20,000.
These achievements underscored the diverse range of devices susceptible to sophisticated attacks.
Final Day and Overall Results
The third and final day of the competition saw researchers demonstrating several high-impact exploits, bringing the total number of unique zero-day vulnerabilities to 73 and the cumulative prize money to $1,024,750. The Summoning Team emerged as the overall winner, claiming the coveted Master of Pwn title after submitting several impactful and original exploits throughout the competition.
Notable exploits from the final day included:
– Ben R. and Georgi G. of Interrupt Labs exploited an improper input validation flaw in the Samsung Galaxy S25, enabling unauthorized access to the camera and location tracking features. This attack earned them $50,000 and 5 Master of Pwn points.
– Chris Anastasio of Team Cluck utilized a type confusion vulnerability to gain full control over the Lexmark CX532adwe printer, securing $20,000 and 2 points.
– David Berard from Synacktiv executed a dual-bug attack on the Ubiquiti AI Pro surveillance camera, creatively incorporating the Baby Shark tune into the compromised system. This innovative exploit earned him $30,000 and 3 points.
These demonstrations not only showcased technical skill but also highlighted the potential real-world implications of such vulnerabilities.
Implications and Industry Response
The discoveries made during Pwn2Own Ireland 2025 serve as a stark reminder of the persistent and evolving nature of cybersecurity threats. The event’s success in uncovering a significant number of zero-day vulnerabilities emphasizes the need for continuous vigilance and proactive security measures by device manufacturers and software developers.
The collaboration between researchers and vendors facilitated by the competition ensures that identified vulnerabilities are addressed promptly, thereby enhancing the overall security posture of the technology ecosystem. The substantial financial rewards also underscore the value placed on ethical hacking and responsible disclosure in the cybersecurity community.
Conclusion
Pwn2Own Ireland 2025 has once again demonstrated the critical role of collaborative efforts in identifying and mitigating security vulnerabilities. The event not only rewarded technical excellence but also fostered a culture of responsible disclosure and continuous improvement in cybersecurity practices. As technology continues to advance, such initiatives remain essential in safeguarding digital assets and maintaining user trust.