34 Zero-day Vulnerabilities Exploited on First Day of Pwn2Own Ireland 2025
Summary
Hide ▲
Show ▼
On the second day of Pwn2Own Ireland 2025, security researchers exploited 56 unique zero-day vulnerabilities and collected $792,750 in cash awards. The event, held in Cork, Ireland, targets vulnerabilities in various devices, including smartphones, messaging apps, smart home devices, printers, and more. The Zero Day Initiative (ZDI) operates the event to identify security flaws before threat actors can exploit them. The highlight of the day was Ken Gannon of Mobile Hacking Lab and Dimitrios Valsamaras of Summoning Team hacking the Samsung Galaxy S25 with a chain of five security flaws, earning $50,000 and 5 Master of Pwn points. Summoning Team leads the Master of Pwn leaderboard with 18 points after earning $167,500 during the first two days of the event. The event features eight categories, including new attack vectors for mobile devices, and offers a $1 million reward for a zero-click WhatsApp exploit. On the first day, researchers demoed 34 unique zero-days and collected $522,500 in cash awards. Team DDOS chained eight zero-day flaws to hack a QNAP Qhora-322 Ethernet wireless router and gain access to a QNAP TS-453E NAS device, earning $100,000. The Summoning Team won a total of $102,500 and leads the Master of Pwn leaderboard with 11.5 points.
Timeline
-
22.10.2025 21:52 1 articles · 21h ago
56 Zero-day Vulnerabilities Exploited on Second Day of Pwn2Own Ireland 2025
On October 22, 2025, the second day of Pwn2Own Ireland 2025 saw security researchers exploit 56 unique zero-day vulnerabilities across various devices. The event, held in Cork, Ireland, features eight categories and offers significant rewards for successful exploits. The Zero Day Initiative (ZDI) operates the event to identify security flaws before threat actors can exploit them. The highlight of the day was Ken Gannon of Mobile Hacking Lab and Dimitrios Valsamaras of Summoning Team hacking the Samsung Galaxy S25 with a chain of five security flaws, earning $50,000 and 5 Master of Pwn points. Summoning Team remains at the top of the Master of Pwn leaderboard with 18 points. The event includes new attack vectors for mobile devices and offers a $1 million reward for a zero-click WhatsApp exploit. On the third and last day of Pwn2Own, they will again target the Samsung Galaxy S25, as well as multiple NAS devices and printers. Eugene of Team Z3 will attempt to demonstrate a WhatsApp Zero-Click remote code execution bug eligible for a $1 million reward. Meta is co-sponsoring Pwn2Own Ireland 2025 alongside Synology and QNAP, with the hacking contest taking place from October 21 to October 24 in Cork. Pwn2Own Ireland 2025 features eight categories targeting flagship smartphones (Samsung Galaxy S25, Apple iPhone 16, and Google Pixel 9), printers, network storage systems, home networking equipment, messaging apps, smart home devices, surveillance equipment, and wearable technology (including Meta's Quest 3/3S headsets and Ray-Ban Smart Glasses). This year's contest expands the attack vectors to include USB port exploitation on mobile handsets, requiring researchers to hack locked phones via a physical connection.
Show sources
- Pwn2Own Day 2: Hackers exploit 56 zero-days for $790,000 — www.bleepingcomputer.com — 22.10.2025 21:52
-
21.10.2025 20:06 2 articles · 1d ago
34 Zero-day Vulnerabilities Exploited on First Day of Pwn2Own Ireland 2025
On October 21, 2025, the first day of Pwn2Own Ireland 2025 saw security researchers exploit 34 unique zero-day vulnerabilities across various devices. The event, held in Cork, Ireland, features eight categories and offers significant rewards for successful exploits. The Zero Day Initiative (ZDI) operates the event to identify security flaws before threat actors can exploit them. The highlight of the day was Team DDOS chaining eight zero-day flaws to hack a QNAP Qhora-322 Ethernet wireless router and gain access to a QNAP TS-453E NAS device, earning $100,000. The Summoning Team won a total of $102,500 and leads the Master of Pwn leaderboard with 11.5 points. The event includes new attack vectors for mobile devices and offers a $1 million reward for a zero-click WhatsApp exploit. On the second day, researchers exploited 56 unique zero-day vulnerabilities and collected $792,750 in cash awards. Ken Gannon and Dimitrios Valsamaras hacked the Samsung Galaxy S25, earning $50,000 and 5 Master of Pwn points. Summoning Team remains at the top of the leaderboard with 18 points.
Show sources
- Hackers exploit 34 zero-days on first day of Pwn2Own Ireland — www.bleepingcomputer.com — 21.10.2025 20:06
- Pwn2Own Day 2: Hackers exploit 56 zero-days for $790,000 — www.bleepingcomputer.com — 22.10.2025 21:52
Information Snippets
-
The first day of Pwn2Own Ireland 2025 saw 34 unique zero-day vulnerabilities exploited.
First reported: 21.10.2025 20:061 source, 2 articlesShow sources
- Hackers exploit 34 zero-days on first day of Pwn2Own Ireland — www.bleepingcomputer.com — 21.10.2025 20:06
- Pwn2Own Day 2: Hackers exploit 56 zero-days for $790,000 — www.bleepingcomputer.com — 22.10.2025 21:52
-
Security researchers collected $522,500 in cash awards for exploiting zero-day vulnerabilities.
First reported: 21.10.2025 20:061 source, 2 articlesShow sources
- Hackers exploit 34 zero-days on first day of Pwn2Own Ireland — www.bleepingcomputer.com — 21.10.2025 20:06
- Pwn2Own Day 2: Hackers exploit 56 zero-days for $790,000 — www.bleepingcomputer.com — 22.10.2025 21:52
-
Team DDOS exploited eight zero-day flaws to hack a QNAP Qhora-322 Ethernet wireless router and gain access to a QNAP TS-453E NAS device.
First reported: 21.10.2025 20:061 source, 1 articleShow sources
- Hackers exploit 34 zero-days on first day of Pwn2Own Ireland — www.bleepingcomputer.com — 21.10.2025 20:06
-
The Summoning Team won a total of $102,500 and leads the Master of Pwn leaderboard with 11.5 points.
First reported: 21.10.2025 20:061 source, 1 articleShow sources
- Hackers exploit 34 zero-days on first day of Pwn2Own Ireland — www.bleepingcomputer.com — 21.10.2025 20:06
-
The event features eight categories, including smartphones, messaging apps, smart home devices, printers, and more.
First reported: 21.10.2025 20:061 source, 2 articlesShow sources
- Hackers exploit 34 zero-days on first day of Pwn2Own Ireland — www.bleepingcomputer.com — 21.10.2025 20:06
- Pwn2Own Day 2: Hackers exploit 56 zero-days for $790,000 — www.bleepingcomputer.com — 22.10.2025 21:52
-
New attack vectors for mobile devices include USB port exploitation, Bluetooth, Wi-Fi, and NFC.
First reported: 21.10.2025 20:061 source, 2 articlesShow sources
- Hackers exploit 34 zero-days on first day of Pwn2Own Ireland — www.bleepingcomputer.com — 21.10.2025 20:06
- Pwn2Own Day 2: Hackers exploit 56 zero-days for $790,000 — www.bleepingcomputer.com — 22.10.2025 21:52
-
A $1 million reward is offered for a zero-click WhatsApp exploit that allows code execution without user interaction.
First reported: 21.10.2025 20:061 source, 2 articlesShow sources
- Hackers exploit 34 zero-days on first day of Pwn2Own Ireland — www.bleepingcomputer.com — 21.10.2025 20:06
- Pwn2Own Day 2: Hackers exploit 56 zero-days for $790,000 — www.bleepingcomputer.com — 22.10.2025 21:52
-
Security researchers collected $792,750 in cash after exploiting 56 unique zero-day vulnerabilities during the second day of the Pwn2Own Ireland 2025 hacking competition.
First reported: 22.10.2025 21:521 source, 1 articleShow sources
- Pwn2Own Day 2: Hackers exploit 56 zero-days for $790,000 — www.bleepingcomputer.com — 22.10.2025 21:52
-
Ken Gannon of Mobile Hacking Lab and Dimitrios Valsamaras of Summoning Team hacked the Samsung Galaxy S25 with a chain of five security flaws, earning $50,000 and 5 Master of Pwn points.
First reported: 22.10.2025 21:521 source, 1 articleShow sources
- Pwn2Own Day 2: Hackers exploit 56 zero-days for $790,000 — www.bleepingcomputer.com — 22.10.2025 21:52
-
PHP Hooligans hacked the QNAP TS-453E NAS device in one second, using a vulnerability already exploited in the contest.
First reported: 22.10.2025 21:521 source, 1 articleShow sources
- Pwn2Own Day 2: Hackers exploit 56 zero-days for $790,000 — www.bleepingcomputer.com — 22.10.2025 21:52
-
Chumy Tsai of CyCraft Technology, Le Trong Phuc and Cao Ngoc Quy of Verichains Cyber Force, and Mehdi & Matthieu of Synacktiv Team were awarded $20,000 for breaking into the QNAP TS-453E, Synology DS925+, and the Phillips Hue Bridge.
First reported: 22.10.2025 21:521 source, 1 articleShow sources
- Pwn2Own Day 2: Hackers exploit 56 zero-days for $790,000 — www.bleepingcomputer.com — 22.10.2025 21:52
-
The contestants exploited zero-day bugs in the Canon imageCLASS MF654Cdw printer, Home Automation Green, Synology CC400W camera, Synology DS925+ NAS, Amazon Smart plug, and Lexmark CX532adwe printer.
First reported: 22.10.2025 21:521 source, 1 articleShow sources
- Pwn2Own Day 2: Hackers exploit 56 zero-days for $790,000 — www.bleepingcomputer.com — 22.10.2025 21:52
-
Summoning Team leads the Master of Pwn leaderboard with 18 points after earning $167,500 during the first two days of the event.
First reported: 22.10.2025 21:521 source, 1 articleShow sources
- Pwn2Own Day 2: Hackers exploit 56 zero-days for $790,000 — www.bleepingcomputer.com — 22.10.2025 21:52
-
On the third and last day of Pwn2Own, they will again target the Samsung Galaxy S25, as well as multiple NAS devices and printers. Eugene of Team Z3 will attempt to demonstrate a WhatsApp Zero-Click remote code execution bug eligible for a $1 million reward.
First reported: 22.10.2025 21:521 source, 1 articleShow sources
- Pwn2Own Day 2: Hackers exploit 56 zero-days for $790,000 — www.bleepingcomputer.com — 22.10.2025 21:52
-
Meta is co-sponsoring Pwn2Own Ireland 2025 alongside Synology and QNAP, with the hacking contest taking place from October 21 to October 24 in Cork.
First reported: 22.10.2025 21:521 source, 1 articleShow sources
- Pwn2Own Day 2: Hackers exploit 56 zero-days for $790,000 — www.bleepingcomputer.com — 22.10.2025 21:52
-
Pwn2Own Ireland 2025 features eight categories targeting flagship smartphones (Samsung Galaxy S25, Apple iPhone 16, and Google Pixel 9), printers, network storage systems, home networking equipment, messaging apps, smart home devices, surveillance equipment, and wearable technology (including Meta's Quest 3/3S headsets and Ray-Ban Smart Glasses).
First reported: 22.10.2025 21:521 source, 1 articleShow sources
- Pwn2Own Day 2: Hackers exploit 56 zero-days for $790,000 — www.bleepingcomputer.com — 22.10.2025 21:52
-
This year's contest expands the attack vectors to include USB port exploitation on mobile handsets, requiring researchers to hack locked phones via a physical connection.
First reported: 22.10.2025 21:521 source, 1 articleShow sources
- Pwn2Own Day 2: Hackers exploit 56 zero-days for $790,000 — www.bleepingcomputer.com — 22.10.2025 21:52
-
During the Pwn2Own Ireland 2024 event, hackers earned $1,078,750 for over 70 zero-days, with Viettel Cyber Security taking home $205,000 in cash after exploiting QNAP, Sonos, and Lexmark flaws.
First reported: 22.10.2025 21:521 source, 1 articleShow sources
- Pwn2Own Day 2: Hackers exploit 56 zero-days for $790,000 — www.bleepingcomputer.com — 22.10.2025 21:52
Similar Happenings
Apple increases bug bounty payouts for zero-click RCE vulnerabilities
Apple has expanded and redesigned its bug bounty program, doubling maximum payouts and adding new research categories. The highest reward is now $2 million for zero-click remote code execution (RCE) vulnerabilities, with a bonus system that can exceed $5 million. The program now includes higher payouts for various types of vulnerabilities, including one-click remote attacks, wireless proximity attacks, and unauthorized iCloud access. Apple also plans to distribute secured iPhone 17 devices to civil society organizations and researchers in 2026. The changes aim to incentivize the discovery and reporting of sophisticated security issues, particularly those exploited by mercenary spyware. The program has awarded $35 million to 800 security researchers since its inception in 2020. The expansion includes a $100,000 reward for a complete Gatekeeper bypass and a $1 million reward for broad unauthorized iCloud access. Apple's latest bug bounty announcement is a response to the growth of commercial spyware activity, with the UK’s National Cyber Security Centre (NCSC) estimating that the commercial cyber intrusion sector doubles every 10 years.