At Pwn2Own Ireland 2025 hacking competition, cybersecurity researchers from Team Z3 have withdrawn their high-stakes demonstration of a potential zero-click remote code execution (RCE) vulnerability in WhatsApp, opting instead for a private coordinated disclosure to Meta.
The event, held in Cork, Ireland, from October 21-23, featured a record-breaking $1 million bounty for such a WhatsApp exploit, drawing global attention to the platform’s security amid its three billion users.
The withdrawal disappointed on-site spectators and fellow competitors, as the exploit was poised to be the contest’s crown jewel, potentially earning Team Z3 the largest single payout in Pwn2Own history.
According to the Zero Day Initiative (ZDI), the event organizers, Team Z3 felt their research was not ready for a live public display.
Despite the no-show, ZDI emphasized the positive outcome, noting that initial assessments by their analysts will precede handover to Meta engineers, ensuring a structured response to any validated flaws.
Meta, WhatsApp’s parent company and a co-sponsor of Pwn2Own Ireland alongside Synology and QNAP, expressed continued interest in the findings, underscoring their commitment to bolstering the app’s defenses against sophisticated threats like zero-click attacks.
These exploits, which require no user interaction, have been weaponized in past spyware campaigns targeting high-profile individuals.
By facilitating this private channel, ZDI aims to give Meta ample time up to 90 days post-event to patch issues before public revelation, aligning with ethical hacking norms.
The episode highlights the evolving landscape of bug bounties and coordinated disclosures in cybersecurity.
While Pwn2Own Ireland ultimately awarded $1,024,750 for 73 unique zero-days across devices like the Samsung Galaxy S25 and various printers, the WhatsApp saga reminds vendors of the hidden risks in ubiquitous apps.
No details on the vulnerability’s specifics, such as affected versions or CVE assignment, have surfaced yet, but experts anticipate Meta will address it swiftly to mitigate potential real-world exploitation.
As the dust settles, Team Z3’s decision prioritizes responsible revelation over spectacle, potentially averting widespread harm. The cybersecurity community watches closely, awaiting Meta’s response and any patches in upcoming security advisories.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
