Security researchers collected $792,750 in cash after exploiting 56 unique zero-day vulnerabilities during the second day of the Pwn2Own Ireland 2025 hacking competition.
Today’s highlight was Ken Gannon of Mobile Hacking Lab and Dimitrios Valsamaras of Summoning Team hacking the Samsung Galaxy S25 with a chain of five security flaws, earning $50,000 and 5 Master of Pwn points.
Also, while PHP Hooligans needed only a single second to hack the QNAP TS-453E NAS device, the vulnerability they exploited had already been used in the contest.
Chumy Tsai of CyCraft Technology, Le Trong Phuc and Cao Ngoc Quy of Verichains Cyber Force, and Mehdi & Matthieu of Synacktiv Team were also awarded $20,000 for breaking into the QNAP TS-453E, Synology DS925+, and the Philips Hue Bridge.
The contestants also exploited zero-day bugs in the Canon imageCLASS MF654Cdw printer, Home Automation Green, Synology CC400W camera, Synology DS925+ NAS, Amazon Smart plug, and Lexmark CX532adwe printer.
Summoning Team is still at the top of the Master of Pwn leaderboard with 18 points after earning $167,500 during the first two days of the event.
On the first day of Pwn2Own Ireland, researchers demoed 34 unique zero-days and collected $522,500 in cash awards. After the competition ends, vendors have 90 days to release patches before ZDI publicly discloses the vulnerabilities.
On the third and last day of Pwn2Own, contestants will again target the Samsung Galaxy S25, as well as multiple NAS devices and printers. Eugene of Team Z3 will also attempt to demonstrate a WhatsApp Zero-Click remote code execution bug eligible for a $1 million reward.
Meta is co-sponsoring Pwn2Own Ireland 2025 alongside Synology and QNAP, with the hacking contest taking place from October 21 to October 24 in Cork.
Pwn2Own Ireland 2025 features eight categories targeting flagship smartphones (Samsung Galaxy S25, Apple iPhone 16, and Google Pixel 9), printers, network storage systems, home networking equipment, messaging apps, smart home devices, surveillance equipment, and wearable technology (including Meta’s Quest 3/3S headsets and Ray-Ban Smart Glasses).
This year’s contest expands the attack vectors to include USB port exploitation on mobile handsets, requiring researchers to hack locked phones via a physical connection. However, traditional wireless protocols such as Wi-Fi, Bluetooth, and near-field communication (NFC) are still valid attack vectors.
During the Pwn2Own Ireland 2024 event, hackers earned $1,078,750 for over 70 zero-days, with Viettel Cyber Security taking home $205,000 in cash after exploiting QNAP, Sonos, and Lexmark flaws.
In January 2026, the ZDI will return to the Automotive World technology show in Tokyo for the third Pwn2Own Automotive contest, again sponsored by Tesla.