Cork, Ireland – Security researchers have demonstrated a remarkable array of exploits at the Pwn2Own Ireland 2025 hacking competition, revealing 34 unique zero-day vulnerabilities and earning a collective $522,500 in bounties on the opening day. The event, hosted by the Zero Day Initiative (ZDI), aims to proactively identify and address security weaknesses in commonly used devices before malicious actors can exploit them.
High-Profile Hacks Dominate First Day
Team DDOS distinguished themselves by chaining together eight previously unknown flaws to compromise a QNAP Qhora-322 Ethernet wireless router, ultimately gaining access to a QNAP TS-453E Network Attached Storage (NAS) device. This complex sequence of exploits secured them a $100,000 reward and currently places them in second position on the Master of Pwn leaderboard with eight points. This achievement underscores the increasing sophistication of modern cyberattacks.
Several other teams also secured substantial bounties. Synacktiv Team, along with Sina Kheirkhah of the Summoning Team, the DEVCORE Team, and Stephen Fewer of Rapid7, each received $40,000 for successfully gaining root access to a Synology BeeStation Plus, a Synology DiskStation DS925+, the QNAP TS-453E, and a Home Assistant Green device, respectively. These successes highlight the vulnerabilities present in diverse smart home and network storage solutions.
Diverse Devices Under Scrutiny
Researchers targeted a wide range of devices throughout the day. STARLabs, in collaboration with Team PetoWorks, Team ANHTUD, and Ierae researchers, demonstrated multiple successful attacks against the Canon imageCLASS MF654Cdw multifunction laser printer. STARLabs also compromised the Sonos Era 300 smart speaker, earning an additional $50,000. Meanwhile, Team ANHTUD exploited a flaw in the Philips Hue Bridge, taking home a $40,000 reward.
The Summoning Team, comprised of Sina Kheirkhah and McCaulay Hudson, leveraged a two-stage exploit chain to achieve root access on a Synology ActiveProtect Appliance DP320, adding another $50,000 to their earnings. The Summoning Team currently leads the Master of Pwn leaderboard with 11.5 points, having amassed a total of $102,500 in rewards during the first day of the competition.
Expanding Attack Surfaces and the Importance of Disclosure
This year’s Pwn2Own Ireland expanded its scope to include physical attack vectors, notably through USB ports on mobile handsets. This addition complements existing wireless attack methods like Bluetooth, Wi-Fi, and Near Field Communication (NFC). This reflects a growing recognition that physical access remains a viable pathway for attackers.
The ZDI’s approach emphasizes responsible disclosure. Vendors are given a 90-day window to release security updates following the demonstration of a zero-day flaw, before the vulnerability details are made public. This coordinated process allows for proactive patching and reduces the risk of widespread exploitation.
| Device | Vulnerability | Reward | Team |
|---|---|---|---|
| QNAP Qhora-322/TS-453E | Chained 8 Zero-Days | $100,000 | Team DDOS |
| Synology BeeStation Plus | Root Access | $40,000 | Synacktiv Team |
| Synology DiskStation DS925+ | Root Access | $40,000 | Sina Kheirkhah (Summoning Team) |
| QNAP TS-453E | Root Access | $40,000 | DEVCORE Team |
| Home Assistant Green | Root Access | $40,000 | Stephen Fewer (Rapid7) |
Did you know? The Pwn2Own Ireland contest has consistently revealed a high volume of zero-day vulnerabilities each year, demonstrating the ongoing need for robust security testing and proactive vulnerability management.
Pro Tip: Keep your devices updated with the latest security patches to protect against known vulnerabilities. Enable automatic updates whenever possible and regularly check for updates manually.
What’s Next and the Million-Dollar WhatsApp Challenge
Day two of Pwn2Own Ireland continues with researchers focusing on network-attached storage, printers, smart home devices, surveillance systems, and the Samsung Galaxy S25 mobile phone. A significant incentive is also on the table: a $1 million reward awaits anyone who can demonstrate a zero-click exploit for WhatsApp, allowing code execution without any user interaction. Meta, QNAP, and Synology are co-sponsoring this year’s event.
Last year’s Pwn2Own Ireland event saw researchers earn over $1,078,750 for discovering more than 70 zero-day vulnerabilities. The ZDI will also return to Tokyo in January 2026 for its third Pwn2Own Automotive contest, with Tesla again participating as a sponsor.
The Growing Importance of Zero-Day Hunting
The relentless pursuit of zero-day vulnerabilities is paramount in today’s threat landscape. As attackers become more sophisticated, identifying and mitigating these previously unknown weaknesses is crucial for protecting systems and data. Events like Pwn2Own Ireland play a vital role in this process, incentivizing researchers to find and responsibly disclose vulnerabilities before they can be exploited by malicious actors. According to a 2024 report by Cybersecurity Ventures, the global cost of cybercrime is predicted to reach $10.5 trillion annually by 2025, highlighting the critical need for proactive security measures.
Frequently Asked Questions About Zero-Day Vulnerabilities
- What is a zero-day vulnerability? A zero-day vulnerability is a software flaw that is unknown to the vendor and has no available patch, making systems susceptible to attack.
- Why are zero-day exploits so perilous? Because no patch exists, attackers can exploit these vulnerabilities without facing immediate resistance.
- What is the Zero Day Initiative (ZDI)? The ZDI is a program that coordinates the responsible disclosure of vulnerabilities, providing a platform for researchers to report flaws and vendors to address them.
- How does Pwn2Own help improve security? Pwn2Own events incentivize researchers to discover and demonstrate vulnerabilities in real-world devices, pushing vendors to improve their security practices.
- What is responsible disclosure? Responsible disclosure involves reporting a vulnerability to the vendor, giving them time to develop a patch, and then publicly disclosing the details after a reasonable period.
- Are smart home devices vulnerable to zero-day exploits? Absolutely. As demonstrated at Pwn2Own Ireland, smart home devices are often targets due to their complexity and potential access to sensitive data.
- What can I do to protect myself from zero-day exploits? Keep your software updated, use strong passwords, and practice safe browsing habits.