From October 21st to 24th, 2025, the city of Cork, Ireland, hosted the annual live hacking contest Pwn2Own Ireland 2025, organised by the Zero Day Initiative (ZDI). Over three days, cybersecurity researchers from around the world attempted to breach devices, services and systems, including home routers, NAS appliances, printers and messaging apps like WhatsApp. In return, researchers got huge cash prizes.
Below is a day-by-day breakdown of what happened, who succeeded, and some of the key takeaways from this year’s contest.
Day 1: October 21
The first day opened with strong momentum. ZDI announced that 17 exploit attempts were scheduled, and remarkably, there were no failures on the day. A total of $522,500 USD was awarded for 34 unique zero-day vulnerabilities.
Among the highlights:
- Team Neodyme exploited an HP DeskJet 2855e printer using a stack-based buffer overflow, earning USD 20,000 and 2 “Master of Pwn” points.
- STARLabs targeted a Canon imageCLASS MF654Cdw printer via a heap overflow, also earning USD 20,000 and 2 points.
- Synacktiv achieved root code execution on a Synology BeeStation Plus NAS, claiming USD 40,000 and 4 points.
- Team DDOS created an exploit chain using eight different bugs, including multiple injection flaws, to compromise a QNAP QHora-322 router and then pivot to a QNAP TS-453E NAS device in the SOHO “Smashup” category. They earned USD 100,000 and 10 points for that entry.
Day 2: October 22
By the second day, ZDI reported that participants had already earned more than half a million dollars in prizes as researchers moved from printers and NAS systems to smart home gear, showing that nearly any connected device could be a target.
The much-talked-about one-million-dollar WhatsApp challenge remained untouched, but the series of successful hacks showed how everyday smart devices can be hacked if exploited by third parties with malicious intent.
Some of the key wins included:
- PHP Hooligans exploited the Canon imageCLASS MF654Cdw printer via an out-of-bounds write, gaining USD 10,000 and 2 points.
- Viettel Cyber Security used a command injection combined with two bug collisions to exploit a Home Automation Green device, earning USD 12,500 and 2.75 points.
- Qrious Secure paired two bugs to compromise a Philips Hue Bridge; though only one bug was unique, they still collected USD 16,000 and 3.75 points.
- CyCraft Technology used a single code injection bug to exploit the QNAP TS-453E NAS, earning USD 20,000 and 4 points.
Day 3: October 23
By Day 3, the total payouts reached USD 1,024,750 for 73 unique zero-day bugs, according to the final blog post. Some standout moments included:
- A team from Interrupt Labs used an improper input validation bug to take control of a Samsung Galaxy S25 smartphone; the reward was USD 50,000 and 5 points.
- Synacktiv used two bugs to exploit a Ubiquiti AI Pro surveillance system and earned USD 30,000 and 3 points.
- Summoning Team (led by Sina Kheirkhah) successfully used a hard-coded credential plus injection to exploit a QNAP TS-453E, earning USD 20,000 and 4 points.
- A few entries were withdrawn or deemed collisions (i.e., bug chains that reused previously registered flaws), but they still earned reduced prizes. For example, one exploit on a Philips Hue Bridge earned USD 17,500 despite a collision. (Zero Day Initiative)
At the close of Day 3, the organisers announced that the contest had concluded and the final “Master of Pwn” title went to the Summoning Team.
Key take-aways
- The cash prize for a successful zero-click exploit of WhatsApp reached USD 1,000,000, marking the largest single target in the contest’s history (though no winner for that category was publicly announced).
- The diversity of targets from printers and NAS devices to smart home hubs and smartphones highlights how many types of connected equipment are still exposed to significant risk.
- Many successful attacks involved “collision” bugs (i.e., vulnerabilities similar or identical to ones already used earlier in the contest). While still rewarded, these pay less and illustrate how many weaknesses are already known (to researchers at least).
- The contest reinforced the value of organised, public vulnerability-disclosure efforts: vendors participating get early warning so they can patch systems before real-world malicious actors exploit them.
Final thoughts
Pwn2Own Ireland 2025 showed once again that even ordinary devices like routers, printers, and smart home systems can be breached with the right technical insight. Events like this highlight why coordinated research and disclosure are essential for keeping technology secure.
The large prize pool showed how seriously both researchers and the industry take these risks. And with Summoning Team crowned as Master of Pwn, the event wrapped up with plenty of attention and a few lessons for everyone watching.
Note: The contest was officially scheduled for October 21–24 in Cork, Ireland, though all live hacking rounds wrapped up on October 23. The final day was reserved for administrative wrap-up and closing activities.
