In an event that once again redefined the boundaries of vulnerability research and offensive security prowess, Pwn2Own Ireland 2025 concluded with over $1 million awarded to cybersecurity researchers. Over the course of three days, participants discovered and exploited 73 unique zero-day vulnerabilities across a diverse range of devices—from flagship smartphones to smart home systems and network infrastructure.
Organized by the Zero Day Initiative (ZDI) and co-sponsored by Meta, Synology, and QNAP, the event took place in Cork, Ireland from October 21 to 23. With $1,024,750 in awarded bounties, the competition spotlighted critical flaws in technologies that consumers and enterprises rely on daily, amplifying ongoing concerns around zero-day exploits and the need for proactive remediation strategies.
Expanding the Attack Surface in Pwn2Own Ireland 2025
The 2025 event featured eight exploit categories, with several new rules and technical challenges pushing researchers to innovate.
Among the targeted platforms were:
- Flagship smartphones: Apple iPhone 16, Samsung Galaxy S25, and Google Pixel 9
- Messaging applications, including a zero-click exploit category for WhatsApp
- Home networking equipment and smart home devices
- Network-attached storage (NAS) systems
- Surveillance equipment and printers
- Wearable technology, such as Meta Ray-Ban Smart Glasses and Quest 3/3S headsets
One key update in this year’s Pwn2Own was the expansion of attack vectors in the mobile category. Besides traditional wireless protocols—Wi-Fi, Bluetooth, and NFC—researchers were also challenged to exploit devices through USB port access on locked phones. This shift marked a significant move toward more complex physical-layer attacks.
Another major milestone: the ZDI introduced a special $1 million bounty for a WhatsApp zero-click exploit, potentially the most coveted target for adversaries and defenders alike.
Dominant Teams and Most Impactful Exploits
The competition was fierce, but a trio of teams stood out.
The Summoning Team Leads with 22 Points and $187,500 Earned
The Summoning Team secured the coveted “Master of Pwn” title by combining technical depth with tactical breadth. Their successful targets included:
- Samsung Galaxy S25 smartphone
- Synology DiskStation DS925+ NAS
- Synology ActiveProtect DP320 NAS drive
- QNAP TS-453E NAS
- Synology CC400W camera
- Home Assistant Green smart home controller
Notably, their members—Ken Gannon and Dimitrios Valsamaras—also chained five security vulnerabilities to compromise the Galaxy S25 on Day 2, earning both $50,000 and critical leaderboard points.
Team DDOS and Team Synacktiv Also Make Strong Showings
On Day 1, Bongeun Koo and Evangelos Daravigkas of Team DDOS showcased an eight-flaw exploit chain to compromise a QNAP Qhora-322 Ethernet wireless router and pivot to a QNAP TS-453E NAS—netting them $100,000 and 8 points. This formidable exploit positioned them second on the leaderboard at the time.
Synacktiv Team, meanwhile, consistently delivered exploits across multiple devices such as the Synology DS925+ and the Philips Hue Bridge. Other groups like PHP Hooligans, CyCraft Technology, Verichains Cyber Force, and STARLabs made key contributions on both Days 2 and 3.
Volume and Velocity: A Showcase of Technical Mastery
Over the course of three days, researchers discovered:
- 34 zero-days on Day 1, totaling $522,500 in payouts
- 22 additional zero-days on Day 2, yielding $267,500
- The remainder of the vulnerabilities on Day 3, when the final rankings were announced
Each exploit was demonstrated live before an audience and validated by ZDI engineers. Vendors now have a 90-day window to issue patches before ZDI proceeds with public disclosures.
Significant Exploits and Real-World Implications
From rapid exploits to critical smart device hacks, the vulnerabilities unearthed at Pwn2Own Ireland 2025 raise critical concerns for defenders.
Among the standout exploits:
- One-second hack: PHP Hooligans exploited a flaw in the QNAP TS-453E NAS in record time, although the flaw was already known and had been used previously.
- Multi-vendor printer compromises: Devices like the Canon imageCLASS MF654Cdw and Lexmark CX532adwe were shown to be vulnerable multiple times by various teams.
- IoT vulnerabilities: Smart devices including the Amazon Smart Plug, Philips Hue Bridge, and Sonos smart speakers were all successfully compromised.
- Extended NAS coverage: Over a dozen zero-day vulnerabilities were found across various QNAP and Synology models, highlighting persistent blind spots in NAS device security.
These findings illuminate a recurring theme: common IoT, NAS, and print devices continue to present viable attack surfaces due to complex firmware, long patch cycles, and weaker security models than traditional computing platforms.
Looking Ahead: Pwn2Own Japan 2026 to Spotlight Automotive Security
Following the Cork event’s success, the next Pwn2Own contest is slated for January 2026 as part of the Automotive World technology show in Tokyo. This shift in focus signals growing urgency around vulnerabilities in connected vehicle ecosystems.
Zero-Day Exploits Trend Higher, and Pwn2Own Stays in Front
Pwn2Own Ireland 2025 succeeded in its mission—not only surfacing 73 zero-day vulnerabilities but doing so in a controlled environment that supports responsible disclosure and rapid remediation. As vulnerabilities continue to migrate toward ubiquitous consumer devices—from phones to smart home gadgets—the industry needs more programs like this that bring cutting-edge research into the public and vendor spotlight.
For defenders and CISOs, the takeaways are clear:
- High-value devices like NAS systems and mobile phones remain rich in exploitable flaws;
- Physical access vectors like USB ports are increasingly relevant and dangerous;
- Timely patching and vendor responsiveness remain critical as public disclosure timelines tighten.
With cybersecurity stakes growing each year, competitions like Pwn2Own provide valuable signal amid the noise—bringing zero-day exploits into the open before malicious actors get there first.