The hacker contest Pwn2Own Ireland 2025 has concluded. This time, participants earned $1.02 million, demonstrating 73 exploits for zero-day vulnerabilities in popular devices and services. Researchers targeted smartphones, NAS devices, routers, smart home systems, and even Ray-Ban Smart Glasses. However, the announced WhatsApp hack, which was expected to earn the researchers $1 million, did not take place.
As is tradition, Pwn2Own was organized by Trend Micro’s Zero Day Initiative (ZDI), with support from Meta, QNAP, and Synology.
The hacking contest featured eight categories: researchers were invited to demonstrate exploitation of bugs in flagship smartphones (Apple iPhone 16, Samsung Galaxy S25, and Google Pixel 9), messaging apps, smart home devices, printers, home networking equipment, network-attached storage (NAS) systems, video surveillance equipment, and wearable devices (including Meta’s Ray-Ban smart glasses and the Quest 3/3S headset).
This year, for the first time in the competition’s history, a physical attack scenario was added to the program — exploiting bugs via the USB port of a locked smartphone. At the same time, familiar wireless vectors like Bluetooth, Wi‑Fi, and NFC were also relevant.
The winner of Pwn2Own Ireland 2025 was the Summoning Team, earning a total of $187,500 and 22 Master of Pwn points. Over three days, the team demonstrated successful compromises of the Samsung Galaxy S25, Synology and QNAP NAS devices, the Home Assistant Green system, and the Synology CC400W camera.
Second place went to the ANHTUD specialists ($76,750 and 11.5 Master of Pwn points), and third place to the Synacktiv team ($90,000 and 11 Master of Pwn points).
On the first day alone, participants demonstrated 34 unique bugs, earning over half a million dollars, and on the second day they demonstrated another 22 vulnerabilities.
It is worth noting the successful attack by the PHP Hooligans team, which took just one second to compromise a QNAP TS-453E NAS device. However, the vulnerability the researchers exploited had already been used in the contest earlier, so it netted the team only $10,000 and two Master of Pwn points.
In addition, participants successfully exploited zero-day vulnerabilities in a Canon imageCLASS MF654Cdw printer, Home Assistant Green, a Synology CC400W camera, a Synology DS925+ NAS device, and an Amazon smart plug. And they even ran Doom on the display of a Lexmark CX532adwe printer.
Another highlight of the finale was the Galaxy S25 hack by Interrupt Labs: the researchers found an input validation bug, then enabled the camera and location tracking, earning $50,000 for this exploit.
However, the competition drew the most attention this year because of a failed demonstration of a million-dollar exploit that purportedly compromises WhatsApp. A researcher from team Z3, known by the pseudonym Eugene (3ugen3), was supposed to demonstrate a zero-click exploit enabling remote arbitrary code execution. Such an attack carries a $1 million reward.
However, at the last minute Eugene declined to participate, stating that the exploit was “not ready yet.” Initially, ZDI explained the holdup as complications due to a delayed flight, but later clarified: the Z3 team chose to disclose the vulnerability details privately — first to ZDI analysts, and then to Meta’s developers.
This episode sparked lively debate in the infosec community: many questioned whether a working exploit for the messenger existed at all. Ultimately, WhatsApp representatives stated that they had received information from the researcher about two low-risk issues that do not allow arbitrary code execution. The company noted that Z3 did not demonstrate a real attack, but thanked the researchers and Pwn2Own for their cooperation.
All bugs found and demonstrated at Pwn2Own will be fixed within 90 days, after which ZDI will publish the technical details of the vulnerabilities.
The next stage of the competition will take place in January 2026 — the third Pwn2Own Automotive will be held in Tokyo, where participants will once again hack Tesla vehicles and more.