From October twenty first to twenty fourth, 2025, town of Cork, Eire, hosted the annual dwell hacking contest Pwn2Own Eire 2025, organised by the Zero Day Initiative (ZDI). Over three days, cybersecurity researchers from world wide tried to breach units, companies and methods, together with dwelling routers, NAS home equipment, printers and messaging apps like WhatsApp. In return, researchers obtained enormous money prizes.
Beneath is a day-by-day breakdown of what occurred, who succeeded, and a number of the key takeaways from this 12 months’s contest.
Day 1: October 21
The first day opened with robust momentum. ZDI introduced that 17 exploit makes an attempt had been scheduled, and remarkably, there have been no failures on the day. A complete of $522,500 USD was awarded for 34 distinctive zero-day vulnerabilities.
Among the many highlights:
- Group Neodyme exploited an HP DeskJet 2855e printer utilizing a stack-based buffer overflow, incomes USD 20,000 and a pair of “Grasp of Pwn” factors.
- STARLabs focused a Canon imageCLASS MF654Cdw printer by way of a heap overflow, additionally incomes USD 20,000 and a pair of factors.
- Synacktiv achieved root code execution on a Synology BeeStation Plus NAS, claiming USD 40,000 and 4 factors.
- Group DDOS created an exploit chain utilizing eight totally different bugs, together with a number of injection flaws, to compromise a QNAP QHora-322 router after which pivot to a QNAP TS-453E NAS system within the SOHO “Smashup” class. They earned USD 100,000 and 10 factors for that entry.
Day 2: October 22
By the second day, ZDI reported that individuals had already earned greater than half one million {dollars} in prizes as researchers moved from printers and NAS methods to good dwelling gear, exhibiting that just about any linked system could possibly be a goal.
The much-talked-about one-million-dollar WhatsApp problem remained untouched, however the sequence of profitable hacks confirmed how on a regular basis good units could be hacked if exploited by third events with malicious intent.
A few of the key wins included:
- PHP Hooligans exploited the Canon imageCLASS MF654Cdw printer by way of an out-of-bounds write, gaining USD 10,000 and a pair of factors.
- Viettel Cyber Safety used a command injection mixed with two bug collisions to take advantage of a Residence Automation Inexperienced system, incomes USD 12,500 and a pair of.75 factors.
- Qrious Safe paired two bugs to compromise a Philips Hue Bridge; although just one bug was distinctive, they nonetheless collected USD 16,000 and three.75 factors.
- CyCraft Know-how used a single code injection bug to take advantage of the QNAP TS-453E NAS, incomes USD 20,000 and 4 factors.
Day 3: October 23
By Day 3, the overall payouts reached USD 1,024,750 for 73 distinctive zero-day bugs, in accordance with the ultimate weblog submit. Some standout moments included:
- A workforce from Interrupt Labs used an improper enter validation bug to take management of a Samsung Galaxy S25 smartphone; the reward was USD 50,000 and 5 factors.
- Synacktiv used two bugs to take advantage of a Ubiquiti AI Professional surveillance system and earned USD 30,000 and three factors.
- Summoning Group (led by Sina Kheirkhah) efficiently used a hard-coded credential plus injection to take advantage of a QNAP TS-453E, incomes USD 20,000 and 4 factors.
- A couple of entries had been withdrawn or deemed collisions (i.e., bug chains that reused beforehand registered flaws), however they nonetheless earned diminished prizes. For instance, one exploit on a Philips Hue Bridge earned USD 17,500 regardless of a collision. (Zero Day Initiative)
On the shut of Day 3, the organisers introduced that the competition had concluded and the ultimate “Grasp of Pwn” title went to the Summoning Group.
Key take-aways
- The money prize for a profitable zero-click exploit of WhatsApp reached USD 1,000,000, marking the most important single goal within the contest’s historical past (although no winner for that class was publicly introduced).
- The range of targets from printers and NAS units to good dwelling hubs and smartphones highlights what number of kinds of linked gear are nonetheless uncovered to important danger.
- Many profitable assaults concerned “collision” bugs (i.e., vulnerabilities related or equivalent to ones already used earlier within the contest). Whereas nonetheless rewarded, these pay much less and illustrate what number of weaknesses are already identified (to researchers a minimum of).
- The competition strengthened the worth of organised, public vulnerability-disclosure efforts: distributors taking part get early warning to allow them to patch methods earlier than real-world malicious actors exploit them.
Remaining ideas
Pwn2Own Eire 2025 confirmed as soon as once more that even atypical units like routers, printers, and good dwelling methods could be breached with the correct technical perception. Occasions like this spotlight why coordinated analysis and disclosure are important for retaining know-how safe.
The massive prize pool confirmed how critically each researchers and the business take these dangers. And with Summoning Group topped as Grasp of Pwn, the occasion wrapped up with loads of consideration and some classes for everybody watching.
Notice: The competition was formally scheduled for October 21–24 in Cork, Eire, although all dwell hacking rounds wrapped up on October 23. The ultimate day was reserved for administrative wrap-up and shutting actions.
