Hackers Exploit 34 Zero-Days on First Day of Pwn2Own Ireland

The highly anticipated Pwn2Own Ireland 2025 hacking competition kicked off its first day, showcasing the skills of top security researchers as they exploited a whopping 34 unique zero-days to gain access to various devices. The event, organized by the Zero Day Initiative (ZDI), aims to identify security vulnerabilities in targeted devices before threat actors can exploit them, coordinating responsible disclosure with the affected vendors.

The day's highlights saw two teams emerge victorious, earning substantial cash awards for their exploits. Bongeun Koo and Evangelos Daravigkas of Team DDOS took home a staggering $100,000 after chaining eight zero-day flaws to hack the QNAP Qhora-322 Ethernet wireless router via the WAN interface, gaining access to a QNAP TS-453E NAS device. Their successful attempt propelled them to second place on the Master of Pwn leaderboard with 8 points.

Other teams that emerged victorious include Synacktiv Team, Sina Kheirkhah of the Summoning Team, the DEVCORE Team, and Stephen Fewer of Rapid7, who each earned $40,000 after gaining root on various devices. STARLabs, Team PetoWorks, Team ANHTUD, and Ierae researchers also successfully hacked multiple devices, including a Canon imageCLASS MF654Cdw multifunction laser printer, which was hacked four times.

The Summoning Team, led by Sina Kheirkhah and McCaulay Hudson, showcased impressive skills, using an exploit chain combining two zero-days to gain root on a Synology ActiveProtect Appliance DP320 and win another $50,000. Their total haul of $102,500 propelled them to the top of the Master of Pwn leaderboard with 11.5 points.

The Zero Day Initiative's Pwn2Own Ireland 2025 features eight categories targeting flagship smartphones (Apple iPhone 16, Samsung Galaxy S25, and Google Pixel 9), messaging apps, smart home devices, printers, home networking equipment, network storage systems, surveillance equipment, and wearable technology. This year, the ZDI also expanded the attack vectors for the mobile category to include USB port exploitation for mobile handsets.

The competition will continue on October 24 in Cork, Ireland, with security researchers targeting devices in various categories. The event is sponsored by Meta, QNAP, and Synology, and offers substantial cash rewards to those who can successfully exploit zero-days. Last year's Pwn2Own Ireland event saw security researchers earn $1,078,750 for more than 70 zero-day vulnerabilities.

About the Pwn2Own Initiative

The Zero Day Initiative (ZDI) organizes the Pwn2Own events to identify security vulnerabilities in targeted devices before threat actors can exploit them. The initiative aims to foster collaboration between security researchers and vendors, promoting responsible disclosure of discovered vulnerabilities.

Exploits Highlighted During Pwn2Own Ireland 2025

The ZDI has announced the following exploits during Pwn2Own Ireland 2025:

* QNAP TS-453E NAS device: Exploited via eight zero-day flaws, chaining them to gain access.
* Synology DiskStation DS925+: Root gained by Sina Kheirkhah and McCaulay Hudson using an exploit chain combining two zero-days.
* Canon imageCLASS MF654Cdw multifunction laser printer: Hacked four times.
* QNAP Qhora-322 Ethernet wireless router: Exploited via eight zero-day flaws, chaining them to gain access.
* Home Assistant Green: Root gained by Stephen Fewer of Rapid7.
* Sonos Era 300 smart speaker: $50,000 earned after exploitation.
* Philips Hue Bridge: Exploited to collect $40,000 in cash.

The ZDI will also be offering a $1 million reward to security researchers who demo a zero-click WhatsApp exploit that allows code execution without user interaction.

Closing Thoughts

Pwn2Own Ireland 2025 marks an exciting milestone in the world of cybersecurity, showcasing the skills and determination of top security researchers. As the competition continues, it remains to be seen which devices will fall prey to these skilled hackers and how much they can earn for their exploits.