Hackers Exploited 73 0-Day Vulnerabilities and Earned $1,024,750

The hacking community celebrated the end of Pwn2Own Ireland 2025. Researchers demonstrated their skills by identifying 73 unique zero-day vulnerabilities across different devices.

The event, hosted by the Zero Day Initiative (ZDI), distributed a staggering $1,024,750 in prizes, highlighting the growing sophistication of cybersecurity threats and defenses.

Over three days, 56 bugs were rewarded before the final stretch, with competitors pushing the limits on smart home gadgets, printers, and mobile devices.

This year’s contest rewarded innovation and encouraged collaboration among vendors. Companies like Meta, Synology, and QNAP supported the event.

The final day kicked off with high anticipation, as 17 attempts remained. Teams tackled everything from network-attached storage to surveillance cameras, often chaining multiple vulnerabilities for maximum impact.

$1,024,750 – 73 unique bugs – a week of amazing research on display. #Pwn2Own Ireland had it all. Success. Failure. Intrigue. You name it. Congratulations to the Master of Pwn winners @SummoningTeam! Their outstanding work earned them $187,500 and 22 points. See you in Tokyo for… pic.twitter.com/Vxd5b0yJ55— Trend Zero Day Initiative (@thezdi) October 24, 2025

Standout performances included creative demos, such as loading the classic game Doom onto a compromised printer’s LCD screen, a nod to hackers’ flair for the dramatic.

Standout Wins And Creative Hacks Steal The Show

Chris Anastasio of Team Cluck earned $20,000 and 2 Master of Pwn points by exploiting a type confusion vulnerability in the Lexmark CX532adwe printer, granting full control over the device.

Confirmed! Chris Anastasio of Team Cluck used a single type confusion bug to exploit the Lexmark CX532adwe printer. He earns himself $20,000 and 2 Master of Pwn points. #Pwn2Own pic.twitter.com/ZsvnexVhQo— Trend Zero Day Initiative (@thezdi) October 23, 2025

Ben R. and Georgi G. from Interrupt Labs earned $50,000 for finding a flaw in the Samsung Galaxy S25. This flaw allowed the camera and location tracking to turn on without the user’s consent. This serves as a reminder of the privacy risks in modern smartphones.

Another big confirmation! Ben R. and Georgi G. of Interrupt Labs used an improper input validation bug to take over the Samsung Galaxy S25 – enabling the camera and location tracking in the process. They earn $50,000 and 5 Master of Pwn points. #Pwn2Own pic.twitter.com/oNhdefPR7k— Trend Zero Day Initiative (@thezdi) October 23, 2025

In the smart home arena, Xilokar combined four bugs, including an authentication bypass and underflow, to pwn the Philips Hue Bridge, securing $17,500 despite a partial collision with prior entries.

Similarly, Sina Kheirkhah of the Summoning Team used hard-coded credentials and an injection attack to take over a QNAP TS-453E NAS device, walking away with $20,000 and 4 points.

David Berard from Synacktiv impressed with a dual-bug attack on the Ubiquiti AI Pro surveillance camera, complete with a playful “Baby Shark” tune on the hacked system, earning $30,000 and 3 points.

Eyes wide shut! David Berard of @Synacktiv just breached the @Ubiquiti AI Pro surveillance system at #Pwn2Own. He also serenaded us with a round of "Baby Shark" played through the speaker. He's off to the disclosure room with an ear worm and the details.— Trend Zero Day Initiative (@thezdi) October 23, 2025

Namnp from Viettel Cyber Security chained a crypto bypass and heap overflow to exploit another Philips Hue Bridge, boosting their Master of Pwn ranking into the top five with $20,000.

Interrupt Labs also shone in the printer category, using path traversal and untrusted search path bugs on the Lexmark CX532adwe for a reverse shell and that unforgettable Doom demo, claiming $10,000.

Collisions tempered some victories; for instance, Team Viettel’s heap-based buffer overflow on the Lexmark was unique but paired with a duplicate, still yielding $7,500.

The Thalium team from Thales Group faced similar hurdles on the Philips Hue Bridge, earning $13,500 for their novel heap overflow amid repeats.

Challenges, Withdrawals, And The Master Of Pwn Crown

Not every attempt succeeded. Daniel Frederic and Julien Cohen-Scali from Fuzzinglabs failed to fully exploit a QNAP TS-453E within the time limit, as did Frisk and Opcode from Inequation Group on the Meta Quest 3S VR headset. They achieved a denial-of-service, but fell short of code execution.

Withdrawals included CyCraft Technology’s Amazon Smart Plug attempt and Team Z3’s WhatsApp entry, reflecting the high stakes and preparation involved.

In the end, the Summoning Team clinched the Master of Pwn title, amassing points through multiple category wins that showcased their preparation.

This is how we imagine @SummoningTeam woke up this morning as the new Masters of Pwn

If you missed it, here are the 2025 #Pwn2Own Ireland final results: pic.twitter.com/9i90ZeUxMb— Trend Micro (@TrendMicro) October 24, 2025

Their victories, including Kheirkhah’s QNAP hack, underscored the value of diverse skills in vulnerability research. ZDI praised all participants for advancing security, noting the event’s role in responsibly disclosing flaws to vendors.

Summary of Vulnerabilities Exploited

| Researcher/Team | Target Device | Vulnerabilities Exploited | Prize | Master of Pwn Points | Notes |
|---|---|---|---|---|---|
| Xilokar (@Xilokar) | Philips Hue Bridge | Authentication bypass, underflow (plus two others) | $17,500 | 3.5 | Partial collision |
| Chris Anastasio (Team Cluck) | Lexmark CX532adwe Printer | Type confusion | $20,000 | 2 | Full success |
| Ben R. and Georgi G. (Interrupt Labs) | Samsung Galaxy S25 | Improper input validation | $50,000 | 5 | Enabled camera and location tracking |
| Yannik Marchand (kinnay) | Philips Hue Bridge | Incorrect Implementation of Authentication Algorithm (plus two others) | $13,500 | 2.75 | Partial collision |
| David Berard (Synacktiv) | Ubiquiti AI Pro (Surveillance) | Pair of bugs (unspecified) | $30,000 | 3 | Included “Baby Shark” demo |
| Sina Kheirkhah (@SinSinology, Summoning Team) | QNAP TS-453E | Hard-coded credentials, injection | $20,000 | 4 | Full success |
| Team Viettel | Lexmark CX532adwe Printer | Heap-based buffer overflow (plus one other) | $7,500 | 1.5 | Partial collision |
| Team @Neodyme | Canon imageCLASS MF654Cdw | Integer overflow | $10,000 | 2 | Full success |
| Interrupt Labs | Lexmark CX532adwe Printer | Path traversal, untrusted search path | $10,000 | 2 | Reverse shell and Doom demo |
| Thalium Team (Thales Group) | Philips Hue Bridge | Heap-based buffer overflow (plus two others) | $13,500 | 2.75 | Partial collision |
| namnp (Viettel Cyber Security) | Philips Hue Bridge | Crypto bypass, heap overflow | $20,000 | 4 | Full success |

Looking ahead, the next challenge awaits at Pwn2Own Automotive in Tokyo from January 21-23, 2026, expanding to include EV chargers and more.

Hackers are finding new vulnerabilities all the time. Events like this are important for strengthening digital security around the world.

The post Hackers Exploited 73 0-Day Vulnerabilities and Earned $1,024,750 appeared first on Cyber Security News.
