$1,000,000 for WhatsApp 0-Click RCE Exploit at Pwn2Own Ireland 2025

Trend Micro’s Zero Day Initiative (ZDI) announces an unprecedented $1,000,000 bounty for a zero-click remote code execution (RCE) exploit targeting WhatsApp at the upcoming Pwn2Own Ireland 2025 competition. 

This record-breaking reward, co-sponsored by Meta, represents the largest single payout in the contest’s history and underscores the critical importance of securing the world’s most popular messaging platform.

Key Takeaways
1. ZDI offers record payout for WhatsApp zero-click exploits
2. 8-category contest in Cork; registration closes Oct 16th
3. Bounty jump from $300K targets nation-state threats

WhatsApp Zero-Click Exploit Bounties

Meta’s strategic partnership with Pwn2Own Ireland 2025 marks a significant shift in how tech giants approach vulnerability research incentives. 

With WhatsApp serving over three billion users globally, the messaging platform has become an attractive target for nation-state actors and advanced persistent threat (APT) groups seeking zero-click exploitation capabilities. 

The substantial bounty increase from last year’s $300,000 reflects Meta’s commitment to proactive security research, particularly for vulnerabilities that could enable attackers to compromise devices without any user interaction.

The messaging category now offers varying reward tiers, with the million-dollar prize specifically targeting zero-click exploits that achieve full remote code execution. 

Lesser awards will be available for other WhatsApp vulnerabilities, including those requiring minimal user interaction or achieving privilege escalation rather than complete system compromise, reads the advisory.

This tiered approach encourages researchers to explore the full attack surface of the messaging application, from memory corruption vulnerabilities to logic flaws in message parsing routines.

Pwn2Own Ireland 2025, scheduled for October 21-24 in Cork, will feature eight distinct categories encompassing the modern digital ecosystem. 

Beyond the headline-grabbing messaging category, contestants will target mobile phones through newly introduced USB attack vectors, challenging researchers to demonstrate physical proximity attacks against locked devices. 

The SOHO Smashup category continues to address work-from-home security concerns, requiring participants to chain exploits across network infrastructure devices within a 30-minute timeframe to earn $100,000 and 10 Master of Pwn points.

The contest’s evolution reflects contemporary threat landscapes, with categories for smart home devices, Network Attached Storage (NAS) systems from QNAP and Synology, surveillance systems, and Meta’s wearable technology, including Ray-Ban Smart Glasses and Quest 3/3S headsets. 

Each category requires exploitation through exposed network services, RF attack surfaces, or proximity-based vectors, mimicking real-world attack scenarios that threat actors might employ.

Registration closes at 5:00 PM Irish Standard Time on October 16, 2025, with contest order determined through random drawing. 

Last year’s event awarded $1,066,625 for over 70 unique zero-day vulnerabilities, establishing a high bar for this year’s competition. 

With Meta’s substantial investment and expanded target categories, Pwn2Own Ireland 2025 promises to showcase cutting-edge exploitation techniques while advancing global cybersecurity through responsible disclosure practices.

Integrate ANY.RUN TI Lookup with your SIEM or SOAR To Analyses Advanced Threats -> Try 50 Free Trial Searches