Pwn2Own Ireland 2025 Day One Exploits and Results

On the first day of Pwn2Own Ireland 2025, security researchers demonstrated the exploitation of 34 unique zero-day vulnerabilities across a wide range of consumer and enterprise devices. The event, organized by Trend Micro's Zero Day Initiative (ZDI), awarded a total of $522,500 in cash prizes to participating teams and individuals for their successful exploits. One of the most notable achievements was by Team DDOS, who chained eight zero-day vulnerabilities to compromise the QNAP Qhora-322 Ethernet wireless router via its WAN interface and subsequently gained access to a QNAP TS-453E NAS device, earning them $100,000 and 8 Master of Pwn points. Multiple teams, including Synacktiv, Summoning Team, DEVCORE, and Rapid7, achieved root-level code execution on devices such as the Synology BeeStation Plus, Synology DiskStation DS925+, QNAP TS-453E, and Home Assistant Green, each receiving $40,000 for their efforts. STARLabs, Team PetoWorks, Team ANHTUD, and Ierae researchers successfully exploited the Canon imageCLASS MF654Cdw multifunction laser printer in four separate attempts, highlighting the device's vulnerability. STARLabs also managed to hack the Sonos Era 300 smart speaker, earning $50,000, while Team ANHTUD exploited the Philips Hue Bridge for a $40,000 reward. The Summoning Team used a two-zero-day exploit chain to gain root on the Synology ActiveProtect Appliance DP320, securing an additional $50,000. By the end of the day, the Summoning Team led the Master of Pwn leaderboard with 11.5 points, closely followed by Team DDOS. The competition featured eight categories, including flagship smartphones, messaging apps, smart home devices, printers, and home networking equipment, with a total prize pool of up to $2,000,000 and a record $1,000,000 single prize for a 0-click WhatsApp exploit. The ZDI coordinates responsible disclosure with affected vendors, granting them 90 days to patch vulnerabilities before public disclosure. The event's schedule included a diverse set of targets and participants, with each attempt carefully timed and monitored. Technical details of the exploits ranged from stack-based and heap-based buffer overflows to complex exploit chains involving multiple zero-days. The competition not only showcased the skills of top security researchers but also contributed to improving the security posture of widely used devices. The responsible disclosure process ensures that vendors are alerted to critical vulnerabilities before they can be weaponized by malicious actors. The first day of Pwn2Own Ireland 2025 underscored the ongoing need for robust security research and proactive vulnerability management in the technology ecosystem. The event's results will drive future security updates and influence best practices across the industry. The high-profile nature of the competition and the significant financial incentives continue to attract elite researchers and teams from around the world.