
Hackers Earn Over $1 Million for Zero-Day Flaws at Pwn2Own

 

The Pwn2Own Ireland 2025 hacking competition wrapped up with security researchers earning $1,024,750 in cash awards after they successfully exploited 73 zero-day vulnerabilities.

At Pwn2Own Ireland 2025, competitors targeted products in eight categories, including printers, network storage systems, messaging apps, smart home devices, surveillance equipment, home networking equipment, flagship smartphones (Apple iPhone 16, Samsung Galaxy S25, and Google Pixel 9), and wearable technology such as Meta’s Ray-Ban Smart Glasses and Quest 3/3S headsets.

This year’s contest expanded the attack surface even further by adding USB port exploitation on mobile handsets, challenging researchers to hack locked devices through a physical connection. Meanwhile, traditional wireless protocols, including Bluetooth, Wi-Fi, and NFC (near-field communication), remained valid attack vectors throughout the competition.

The hacking contest, co-sponsored by Meta, QNAP, and Synology, ran from October 21 to October 23 in Cork, Ireland.

Summoning Team dominated this year’s edition of Pwn2Own Ireland, earning 22 Master of Pwn points and $187,500 over the three-day event. They achieved their victory by hacking the Samsung Galaxy S25, Synology DiskStation DS925+ NAS, Home Assistant Green, Synology ActiveProtect Appliance DP320 NAS drive, Synology CC400W camera, and QNAP TS-453E NAS device.

Team ANHTUD followed in second place with $76,750 and 11.5 Master of Pwn points, while Team Synacktiv claimed third place, taking home $90,000 in prizes and 11 Master of Pwn points.

Final Pwn2Own leaderboard (ZDI)

On the first day of Pwn2Own Ireland, hackers exploited 34 unique zero-days and earned $522,500 in cash awards. During the second day, participants demonstrated 22 more unique zero-day vulnerabilities, collecting $267,500 in total prizes.

Even Samsung

The final day’s highlight came when the Samsung Galaxy S25 fell to Interrupt Labs’ team, who used an improper input validation bug to breach the device. They earned 5 Master of Pwn points and $50,000, while also enabling location tracking and the camera during their exploit.

Although Team Z3 had planned to demonstrate a WhatsApp Zero-Click remote code execution zero-day—a hack eligible for a $1 million reward—they withdrew from the competition. Instead, they chose to disclose their findings privately to ZDI analysts before sharing their research with Meta’s engineering team.

The Zero Day Initiative (ZDI) organizes this annual contest to uncover security vulnerabilities before threat actors can exploit them, ensuring responsible disclosure with affected vendors.

After researchers demonstrate zero-days at Pwn2Own, vendors have 90 days to release patches before Trend Micro’s ZDI publicly discloses the vulnerabilities.

Looking ahead, in January 2026, the ZDI will return to the Automotive World technology show in Tokyo, Japan, for the third Pwn2Own Automotive contest, once again sponsored by Tesla.

 


Source: BleepingComputer
