Million-Dollar Payday: Hackers Score Big with 73 Zero-Days at Pwn2Own Ireland

Welcome to Pwn2Own Ireland 2025: A Recap of the Hacking Competition

​The recently concluded Pwn2Own Ireland 2025 hacking competition saw security researchers walk away with a staggering $1,024,750 in cash prizes after successfully exploiting 73 zero-day vulnerabilities.

Participants at Pwn2Own Ireland 2025 targeted a wide range of products across eight categories, including printers, network storage systems, messaging apps, smart home devices, surveillance equipment, home networking equipment, flagship smartphones such as the Apple iPhone 16, Samsung Galaxy S25, and Google Pixel 9, as well as wearable technology like Meta’s Ray-Ban Smart Glasses and Quest 3/3S headsets.

This year’s event introduced USB port exploitation on mobile handsets, challenging researchers to hack locked devices via a physical connection. Despite this new challenge, traditional wireless protocols like Bluetooth, Wi-Fi, and NFC remained valid attack vectors.

Co-sponsored by Meta, QNAP, and Synology, the hacking contest took place from October 21 to October 23 in Cork, Ireland, attracting top cybersecurity talent from around the world.

The top honors at Pwn2Own Ireland went to Summoning Team, who secured 22 Master of Pwn points and earned $187,500 by successfully compromising devices like the Samsung Galaxy S25, Synology DiskStation DS925+ NAS, Home Assistant Green, Synology ActiveProtect Appliance DP320 NAS drive, Synology CC400W camera, and QNAP TS-453E NAS device.

Team ANHTUD clinched the second spot with $76,750 and 11.5 Master of Pwn points, while Team Synactiv claimed the third position with $90,000 in prizes and 11 Master of Pwn points.

​The first day of Pwn2Own Ireland saw hackers exploit 34 unique zero-day vulnerabilities, earning a total of $522,500 in cash rewards. On the following day, they demonstrated an additional 22 zero-day vulnerabilities, claiming $267,500 in prizes.

The highlight of the final day was Interrupt Labs’ successful hack of the Samsung Galaxy S25 using an improper input validation bug, earning them 5 Master of Pwn points and $50,000. The team also managed to enable location tracking and access the device’s camera during the exploit.

While Team Z3 was set to showcase a WhatsApp Zero-Click remote code execution zero-day vulnerability on the last day with a potential $1 million reward, they decided to withdraw from the competition. Instead, they opted to disclose their findings privately to ZDI analysts before sharing their research with Meta’s engineering team.

The Zero Day Initiative (ZDI) organizes Pwn2Own to identify security vulnerabilities before they can be exploited by malicious actors, facilitating responsible disclosure with affected vendors.

Following the exploitation of zero-days at Pwn2Own, vendors have 90 days to release patches before Trend Micro’s Zero Day Initiative discloses the vulnerabilities publicly.

Looking ahead, the ZDI will host the third Pwn2Own Automotive contest at the Automotive World technology show in Tokyo, Japan, in January 2026, sponsored once again by Tesla.

46% of environments experienced password cracking, nearly doubling from the previous year’s 25%.

Explore the insights from the Picus Blue Report 2025 for a detailed analysis of prevention, detection, and data exfiltration trends.

Get the Blue Report 2025