Pwn2Own Ireland: Hackers Unleash 34 Zero-Day Exploits on Opening Day

Pwn2Own Ireland 2025: A Recap of Day One

Day one of Pwn2Own Ireland 2025 saw an impressive display of skills by security researchers who exploited 34 unique zero-day vulnerabilities, earning a total of $522,500 in cash awards.

The standout moment of the day was when Bongeun Koo and Evangelos Daravigkas of Team DDOS successfully chained eight zero-day flaws to hack into the QNAP Qhora-322 Ethernet wireless router via the WAN interface and gain access to a QNAP TS-453E NAS device. This feat earned them $100,000 and catapulted them to second place on the Master of Pwn leaderboard with 8 points.

Other notable results came from the Synacktiv Team, Sina Kheirkhah of the Summoning Team, the DEVCORE Team, and Stephen Fewer of Rapid7, who earned $40,000 each for gaining root access on various devices such as the Synology BeeStation Plus, Synology DiskStation DS925+, QNAP TS-453E, and Home Assistant Green.

Additionally, STARLabs, Team PetoWorks, Team ANHTUD, and Ierae researchers managed to hack the Canon imageCLASS MF654Cdw multifunction laser printer multiple times. STARLabs also successfully hacked the Sonos Era 300 smart speaker, earning $50,000, while Team ANHTUD exploited the Philips Hue Bridge for a $40,000 reward.

Sina Kheirkhah and McCaulay Hudson of the Summoning Team utilized an exploit chain combining two zero-day vulnerabilities to gain root access on a Synology ActiveProtect Appliance DP320, securing another $50,000.

The Summoning Team emerged as the top earner of the day, accumulating a total of $102,500 in cash prizes and leading the Master of Pwn leaderboard with 11.5 points.

The Zero Day Initiative (ZDI) hosts Pwn2Own events to uncover security vulnerabilities in targeted devices before malicious actors can exploit them, facilitating responsible disclosure with affected vendors. After zero-day flaws are exploited during Pwn2Own events, vendors are given a 90-day window to release security updates before Trend Micro’s Zero Day Initiative discloses them publicly.

Team DDOS SOHO Smashup

Categories and Targets at Pwn2Own Ireland 2025

The Pwn2Own Ireland 2025 hacking competition features eight categories targeting flagship smartphones (Apple iPhone 16, Samsung Galaxy S25, and Google Pixel 9), messaging apps, smart home devices, printers, home networking equipment, network storage systems, surveillance equipment, and wearable technology (including Meta’s Ray-Ban Smart Glasses and Quest 3/3S headsets).

This year, ZDI expanded the attack vectors for the mobile category to include USB port exploitation for mobile handsets, challenging competitors to hack locked phones through physical connections. Traditional wireless protocols such as Bluetooth, Wi-Fi, and near-field communication (NFC) remain valid attack vectors.

Day two of the competition will see security researchers targeting devices in the network-attached storage, printers, smart home, and surveillance systems categories, as well as the Samsung Galaxy S25 in the mobile phones category.

As part of the event, ZDI announced a $1 million reward for security researchers who demonstrate a zero-click WhatsApp exploit allowing code execution without user interaction.

Meta, in collaboration with QNAP and Synology, is co-sponsoring the Pwn2Own Ireland 2025 hacking contest, scheduled from October 21 to October 24 in Cork, Ireland.

During last year’s Pwn2Own Ireland event, security researchers uncovered over 70 zero-day vulnerabilities, earning a total of $1,078,750. Viettel Cyber Security received $205,000 for identifying bugs in QNAP, Sonos, and Lexmark devices.

In January 2026, ZDI will return to the Automotive World technology show in Tokyo for its third Pwn2Own Automotive contest, with Tesla making a comeback as a sponsor.
