From October twenty first to twenty fourth, 2025, town of Cork, Eire, hosted the annual dwell hacking contest Pwn2Own Eire 2025, organised by the Zero Day Initiative (ZDI). Over three days, cybersecurity researchers from world wide tried to breach units, providers and techniques, together with dwelling routers, NAS home equipment, printers and messaging apps like WhatsApp. In return, researchers bought enormous money prizes.
Under is a day-by-day breakdown of what occurred, who succeeded, and a few of the key takeaways from this 12 months’s contest.
Day 1: October 21
The first day opened with sturdy momentum. ZDI introduced that 17 exploit makes an attempt had been scheduled, and remarkably, there have been no failures on the day. A complete of $522,500 USD was awarded for 34 distinctive zero-day vulnerabilities.
Among the many highlights:
- Group Neodyme exploited an HP DeskJet 2855e printer utilizing a stack-based buffer overflow, incomes USD 20,000 and a couple of “Grasp of Pwn” factors.
- STARLabs focused a Canon imageCLASS MF654Cdw printer by way of a heap overflow, additionally incomes USD 20,000 and a couple of factors.
- Synacktiv achieved root code execution on a Synology BeeStation Plus NAS, claiming USD 40,000 and 4 factors.
- Group DDOS created an exploit chain utilizing eight completely different bugs, together with a number of injection flaws, to compromise a QNAP QHora-322 router after which pivot to a QNAP TS-453E NAS gadget within the SOHO “Smashup” class. They earned USD 100,000 and 10 factors for that entry.
Day 2: October 22
By the second day, ZDI reported that members had already earned greater than half 1,000,000 {dollars} in prizes as researchers moved from printers and NAS techniques to sensible dwelling gear, exhibiting that just about any linked gadget might be a goal.
The much-talked-about one-million-dollar WhatsApp problem remained untouched, however the collection of profitable hacks confirmed how on a regular basis sensible units may be hacked if exploited by third events with malicious intent.
Among the key wins included:
- PHP Hooligans exploited the Canon imageCLASS MF654Cdw printer by way of an out-of-bounds write, gaining USD 10,000 and a couple of factors.
- Viettel Cyber Safety used a command injection mixed with two bug collisions to use a Dwelling Automation Inexperienced gadget, incomes USD 12,500 and a couple of.75 factors.
- Qrious Safe paired two bugs to compromise a Philips Hue Bridge; although just one bug was distinctive, they nonetheless collected USD 16,000 and three.75 factors.
- CyCraft Expertise used a single code injection bug to use the QNAP TS-453E NAS, incomes USD 20,000 and 4 factors.
Day 3: October 23
By Day 3, the whole payouts reached USD 1,024,750 for 73 distinctive zero-day bugs, in line with the ultimate weblog submit. Some standout moments included:
- A group from Interrupt Labs used an improper enter validation bug to take management of a Samsung Galaxy S25 smartphone; the reward was USD 50,000 and 5 factors.
- Synacktiv used two bugs to use a Ubiquiti AI Professional surveillance system and earned USD 30,000 and three factors.
- Summoning Group (led by Sina Kheirkhah) efficiently used a hard-coded credential plus injection to use a QNAP TS-453E, incomes USD 20,000 and 4 factors.
- Just a few entries had been withdrawn or deemed collisions (i.e., bug chains that reused beforehand registered flaws), however they nonetheless earned lowered prizes. For instance, one exploit on a Philips Hue Bridge earned USD 17,500 regardless of a collision. (Zero Day Initiative)
On the shut of Day 3, the organisers introduced that the competition had concluded and the ultimate “Grasp of Pwn” title went to the Summoning Group.
Key take-aways
- The money prize for a profitable zero-click exploit of WhatsApp reached USD 1,000,000, marking the most important single goal within the contest’s historical past (although no winner for that class was publicly introduced).
- The variety of targets from printers and NAS units to sensible dwelling hubs and smartphones highlights what number of varieties of linked tools are nonetheless uncovered to important danger.
- Many profitable assaults concerned “collision” bugs (i.e., vulnerabilities comparable or equivalent to ones already used earlier within the contest). Whereas nonetheless rewarded, these pay much less and illustrate what number of weaknesses are already identified (to researchers not less than).
- The competition strengthened the worth of organised, public vulnerability-disclosure efforts: distributors collaborating get early warning to allow them to patch techniques earlier than real-world malicious actors exploit them.
Closing ideas
Pwn2Own Eire 2025 confirmed as soon as once more that even unusual units like routers, printers, and sensible dwelling techniques may be breached with the fitting technical perception. Occasions like this spotlight why coordinated analysis and disclosure are important for preserving know-how safe.
The big prize pool confirmed how significantly each researchers and the trade take these dangers. And with Summoning Group topped as Grasp of Pwn, the occasion wrapped up with loads of consideration and some classes for everybody watching.
Observe: The competition was formally scheduled for October 21–24 in Cork, Eire, although all dwell hacking rounds wrapped up on October 23. The ultimate day was reserved for administrative wrap-up and shutting actions.
