CyberHappenings logo

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

34 Zero-day Vulnerabilities Exploited on First Day of Pwn2Own Ireland 2025

First reported
Last updated
1 unique sources, 2 articles

Summary

Hide ▲

On the second day of Pwn2Own Ireland 2025, security researchers exploited 56 unique zero-day vulnerabilities and collected $792,750 in cash awards. The event, held in Cork, Ireland, targets vulnerabilities in various devices, including smartphones, messaging apps, smart home devices, printers, and more. The Zero Day Initiative (ZDI) operates the event to identify security flaws before threat actors can exploit them. The highlight of the day was Ken Gannon of Mobile Hacking Lab and Dimitrios Valsamaras of Summoning Team hacking the Samsung Galaxy S25 with a chain of five security flaws, earning $50,000 and 5 Master of Pwn points. Summoning Team leads the Master of Pwn leaderboard with 18 points after earning $167,500 during the first two days of the event. The event features eight categories, including new attack vectors for mobile devices, and offers a $1 million reward for a zero-click WhatsApp exploit. On the first day, researchers demoed 34 unique zero-days and collected $522,500 in cash awards. Team DDOS chained eight zero-day flaws to hack a QNAP Qhora-322 Ethernet wireless router and gain access to a QNAP TS-453E NAS device, earning $100,000. The Summoning Team won a total of $102,500 and leads the Master of Pwn leaderboard with 11.5 points.

Timeline

  1. 22.10.2025 21:52 1 articles · 21h ago

    56 Zero-day Vulnerabilities Exploited on Second Day of Pwn2Own Ireland 2025

    On October 22, 2025, the second day of Pwn2Own Ireland 2025 saw security researchers exploit 56 unique zero-day vulnerabilities across various devices. The event, held in Cork, Ireland, features eight categories and offers significant rewards for successful exploits. The Zero Day Initiative (ZDI) operates the event to identify security flaws before threat actors can exploit them. The highlight of the day was Ken Gannon of Mobile Hacking Lab and Dimitrios Valsamaras of Summoning Team hacking the Samsung Galaxy S25 with a chain of five security flaws, earning $50,000 and 5 Master of Pwn points. Summoning Team remains at the top of the Master of Pwn leaderboard with 18 points. The event includes new attack vectors for mobile devices and offers a $1 million reward for a zero-click WhatsApp exploit. On the third and last day of Pwn2Own, they will again target the Samsung Galaxy S25, as well as multiple NAS devices and printers. Eugene of Team Z3 will attempt to demonstrate a WhatsApp Zero-Click remote code execution bug eligible for a $1 million reward. Meta is co-sponsoring Pwn2Own Ireland 2025 alongside Synology and QNAP, with the hacking contest taking place from October 21 to October 24 in Cork. Pwn2Own Ireland 2025 features eight categories targeting flagship smartphones (Samsung Galaxy S25, Apple iPhone 16, and Google Pixel 9), printers, network storage systems, home networking equipment, messaging apps, smart home devices, surveillance equipment, and wearable technology (including Meta's Quest 3/3S headsets and Ray-Ban Smart Glasses). This year's contest expands the attack vectors to include USB port exploitation on mobile handsets, requiring researchers to hack locked phones via a physical connection.

    Show sources
  2. 21.10.2025 20:06 2 articles · 1d ago

    34 Zero-day Vulnerabilities Exploited on First Day of Pwn2Own Ireland 2025

    On October 21, 2025, the first day of Pwn2Own Ireland 2025 saw security researchers exploit 34 unique zero-day vulnerabilities across various devices. The event, held in Cork, Ireland, features eight categories and offers significant rewards for successful exploits. The Zero Day Initiative (ZDI) operates the event to identify security flaws before threat actors can exploit them. The highlight of the day was Team DDOS chaining eight zero-day flaws to hack a QNAP Qhora-322 Ethernet wireless router and gain access to a QNAP TS-453E NAS device, earning $100,000. The Summoning Team won a total of $102,500 and leads the Master of Pwn leaderboard with 11.5 points. The event includes new attack vectors for mobile devices and offers a $1 million reward for a zero-click WhatsApp exploit. On the second day, researchers exploited 56 unique zero-day vulnerabilities and collected $792,750 in cash awards. Ken Gannon and Dimitrios Valsamaras hacked the Samsung Galaxy S25, earning $50,000 and 5 Master of Pwn points. Summoning Team remains at the top of the leaderboard with 18 points.

    Show sources

Information Snippets

  • The first day of Pwn2Own Ireland 2025 saw 34 unique zero-day vulnerabilities exploited.

    First reported: 21.10.2025 20:06
    1 source, 2 articles
    Show sources
  • Security researchers collected $522,500 in cash awards for exploiting zero-day vulnerabilities.

    First reported: 21.10.2025 20:06
    1 source, 2 articles
    Show sources
  • Team DDOS exploited eight zero-day flaws to hack a QNAP Qhora-322 Ethernet wireless router and gain access to a QNAP TS-453E NAS device.

    First reported: 21.10.2025 20:06
    1 source, 1 article
    Show sources
  • The Summoning Team won a total of $102,500 and leads the Master of Pwn leaderboard with 11.5 points.

    First reported: 21.10.2025 20:06
    1 source, 1 article
    Show sources
  • The event features eight categories, including smartphones, messaging apps, smart home devices, printers, and more.

    First reported: 21.10.2025 20:06
    1 source, 2 articles
    Show sources
  • New attack vectors for mobile devices include USB port exploitation, Bluetooth, Wi-Fi, and NFC.

    First reported: 21.10.2025 20:06
    1 source, 2 articles
    Show sources
  • A $1 million reward is offered for a zero-click WhatsApp exploit that allows code execution without user interaction.

    First reported: 21.10.2025 20:06
    1 source, 2 articles
    Show sources
  • Security researchers collected $792,750 in cash after exploiting 56 unique zero-day vulnerabilities during the second day of the Pwn2Own Ireland 2025 hacking competition.

    First reported: 22.10.2025 21:52
    1 source, 1 article
    Show sources
  • Ken Gannon of Mobile Hacking Lab and Dimitrios Valsamaras of Summoning Team hacked the Samsung Galaxy S25 with a chain of five security flaws, earning $50,000 and 5 Master of Pwn points.

    First reported: 22.10.2025 21:52
    1 source, 1 article
    Show sources
  • PHP Hooligans hacked the QNAP TS-453E NAS device in one second, using a vulnerability already exploited in the contest.

    First reported: 22.10.2025 21:52
    1 source, 1 article
    Show sources
  • Chumy Tsai of CyCraft Technology, Le Trong Phuc and Cao Ngoc Quy of Verichains Cyber Force, and Mehdi & Matthieu of Synacktiv Team were awarded $20,000 for breaking into the QNAP TS-453E, Synology DS925+, and the Phillips Hue Bridge.

    First reported: 22.10.2025 21:52
    1 source, 1 article
    Show sources
  • The contestants exploited zero-day bugs in the Canon imageCLASS MF654Cdw printer, Home Automation Green, Synology CC400W camera, Synology DS925+ NAS, Amazon Smart plug, and Lexmark CX532adwe printer.

    First reported: 22.10.2025 21:52
    1 source, 1 article
    Show sources
  • Summoning Team leads the Master of Pwn leaderboard with 18 points after earning $167,500 during the first two days of the event.

    First reported: 22.10.2025 21:52
    1 source, 1 article
    Show sources
  • On the third and last day of Pwn2Own, they will again target the Samsung Galaxy S25, as well as multiple NAS devices and printers. Eugene of Team Z3 will attempt to demonstrate a WhatsApp Zero-Click remote code execution bug eligible for a $1 million reward.

    First reported: 22.10.2025 21:52
    1 source, 1 article
    Show sources
  • Meta is co-sponsoring Pwn2Own Ireland 2025 alongside Synology and QNAP, with the hacking contest taking place from October 21 to October 24 in Cork.

    First reported: 22.10.2025 21:52
    1 source, 1 article
    Show sources
  • Pwn2Own Ireland 2025 features eight categories targeting flagship smartphones (Samsung Galaxy S25, Apple iPhone 16, and Google Pixel 9), printers, network storage systems, home networking equipment, messaging apps, smart home devices, surveillance equipment, and wearable technology (including Meta's Quest 3/3S headsets and Ray-Ban Smart Glasses).

    First reported: 22.10.2025 21:52
    1 source, 1 article
    Show sources
  • This year's contest expands the attack vectors to include USB port exploitation on mobile handsets, requiring researchers to hack locked phones via a physical connection.

    First reported: 22.10.2025 21:52
    1 source, 1 article
    Show sources
  • During the Pwn2Own Ireland 2024 event, hackers earned $1,078,750 for over 70 zero-days, with Viettel Cyber Security taking home $205,000 in cash after exploiting QNAP, Sonos, and Lexmark flaws.

    First reported: 22.10.2025 21:52
    1 source, 1 article
    Show sources

Similar Happenings

Apple increases bug bounty payouts for zero-click RCE vulnerabilities

Apple has expanded and redesigned its bug bounty program, doubling maximum payouts and adding new research categories. The highest reward is now $2 million for zero-click remote code execution (RCE) vulnerabilities, with a bonus system that can exceed $5 million. The program now includes higher payouts for various types of vulnerabilities, including one-click remote attacks, wireless proximity attacks, and unauthorized iCloud access. Apple also plans to distribute secured iPhone 17 devices to civil society organizations and researchers in 2026. The changes aim to incentivize the discovery and reporting of sophisticated security issues, particularly those exploited by mercenary spyware. The program has awarded $35 million to 800 security researchers since its inception in 2020. The expansion includes a $100,000 reward for a complete Gatekeeper bypass and a $1 million reward for broad unauthorized iCloud access. Apple's latest bug bounty announcement is a response to the growth of commercial spyware activity, with the UK’s National Cyber Security Centre (NCSC) estimating that the commercial cyber intrusion sector doubles every 10 years.