Red Hot Cyber
$792,750 in one day! 56 zero-days detected at Pwn2Own Ireland 2025

Redazione RHC : 24 October 2025 10:26

On the second day of the Pwn2Own Ireland 2025 competition, participants achieved impressive success, discovering 56 new zero-day vulnerabilities and earning a total of $792,750. This is the second phase of the competition, held in Cork, Ireland, where security specialists compete to identify critical vulnerabilities in popular devices and software.

One of the most notable performances was the successful hack of a Samsung Galaxy S25 device, in which a two-person team, Ken Gannon of the Mobile Hacking Lab and Dimitrios Valsamaras of the Summoning Team, exploited a complex combination of five flaws.

For this attack, they received a $50,000 prize and 5 points on the Master of Pwn leaderboard. Although the PHP Hooligans team managed to hack a QNAP TS-453E NAS device in one second, the exploited vulnerability had already been used in the program, so their achievement did not set a new record.

Other participants who attacked the QNAP TS-453E, Synology DS925+, and Philips Hue bridge also received $20,000 each. These included Chumi Tsai of CyCraft Technology, as well as representatives of Verichains Cyber Force and Synacktiv Team. Additionally, on the second day, previously unknown vulnerabilities were successfully exploited in the Canon imageCLASS MF654Cdw printer, the Home Automation Green home automation system, the Synology CC400W camera, the Synology DS925+ NAS, the Amazon Smart Plug, and the Lexmark CX532adwe printer.

After two days of competition, the Summoning Team remains in the lead, having earned $167,500 and a score of 18. The first day of competition was also productive: participants discovered 34 vulnerabilities and received a total of $522,500. According to the competition rules, device manufacturers have 90 days to fix the discovered vulnerabilities before they are publicly disclosed by the ZDI project.

The final day of Pwn2Own, scheduled for October 24th, will feature new attempts to attack the Samsung Galaxy S25, as well as various storage and printing devices. A highlight is the demonstration of a zero-click remote code execution attack on WhatsApp, potentially the most valuable offering, with a $1 million prize. A participant named Eugene from Team Z3 plans to attempt this attack.

The competition is supported by Meta, Synology, and QNAP. The 2025 program features eight categories, including flagship smartphones (Samsung Galaxy S25, iPhone 16, Pixel 9), home and office electronics, messaging apps, smart home devices, video surveillance systems, and wearables, including the Meta Quest 3/3S headset and Ray-Ban smart glasses.

This year, organizers have expanded the permitted attack vectors to include exploiting vulnerabilities via USB connections to locked smartphones. However, standard wireless protocols such as Wi-Fi, Bluetooth, and NFC continue to be used in conjunction with physical access.

Last year, in a similar Pwn2Own competition in Ireland, participants received a total prize of $1,078,750 for identifying over 70 vulnerabilities. The Viettel Cyber Security team emerged victorious, taking home $205,000 for successfully attacking QNAP, Sonos, and Lexmark devices.

In January 2026, ZDI will return to Tokyo with a car-based version of the Pwn2Own Automotive competition, held as part of the Automotive World trade show. Tesla will once again support it.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.