Pwn2Own Ireland 2025 Day Two: Multiple Zero-Day Exploits Demonstrated Across Consumer Devices
Security researchers at Pwn2Own Ireland 2025 demonstrated 56 unique zero-day vulnerabilities across a range of consumer devices on the second day of the competition, earning a total of $792,750 in rewards. Notable exploits included a major Samsung Galaxy S25 compromise by The Summoning Team and Mobile Hacking Lab, who chained five vulnerabilities to achieve their result, as well as successful attacks against QNAP TS-453E, Synology DS925+, Canon imageCLASS MF654Cdw printer, Home Automation Green, and Phillips Hue Bridge. The event featured participation from leading teams and individuals, with The Summoning Team leading the scoreboard after their Samsung Galaxy exploit, and other teams such as CyCraft, Verichains, and Qrious Secure also earning significant rewards for their discoveries.
The competition, sponsored by Meta, Synology, and QNAP, covered eight categories including flagship smartphones, printers, network storage, home networking gear, messaging apps, smart home and surveillance devices, and wearables. Vendors now have 90 days to address the vulnerabilities before public disclosure. Some exploits, such as the Synology BeeStation Plus, were ruled out of scope for the competition. The event highlights the ongoing risks posed by zero-day vulnerabilities in widely used consumer and enterprise devices, emphasizing the importance of coordinated vulnerability disclosure and rapid patching by vendors.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Summoning Team wins Master of Pwn at Pwn2Own Ireland 2025
Summoning Team was named the overall Master of Pwn winner at the conclusion of Pwn2Own Ireland 2025. The title reflected the team's top performance across the event's exploit attempts and point standings.
Pwn2Own Ireland 2025 concludes with $1,024,750 awarded
By the end of Pwn2Own Ireland 2025, the competition had awarded a total of $1,024,750. The final results marked the close of the event after multiple days of exploit demonstrations across consumer and SMB devices.
Pwn2Own Day Two total reaches $792,000 for 56 zero-days
After the second day of the competition, organizers had paid out $792,000 for 56 zero-day vulnerabilities in total. This reflected the cumulative results from Day One and Day Two of Pwn2Own Ireland 2025.
Day Two exploits add new zero-days against printers, smart home, Hue, and QNAP
During Day Two of Pwn2Own Ireland 2025, researchers demonstrated successful exploits against a Canon imageCLASS MF654Cdw printer, Home Automation Green, a Philips Hue Bridge, and a QNAP TS-453E. Some bug chains included collisions with previously reported issues, while a Synology BeeStation Plus exploit by Sina Kheirkhah was ruled technically successful but out of scope.
Pwn2Own Ireland 2025 Day One awards $522,500 for 34 zero-days
On the first day of Pwn2Own Ireland 2025, contestants earned a total of $522,500 for 34 unique zero-day vulnerabilities. These results established the initial Master of Pwn standings going into Day Two.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Summoning Team won Master of Pwn as Pwn2Own Ireland Rewards $1,024,750
securityaffairs.com
Open sourcePwn2Own Day 2: Organizers paid $792K for 56 0-days
securityaffairs.com
Open sourcePwn2Own Ireland 2025 - Day Two Results
thezdi.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Pwn2Own Ireland 2025 Day One Exploits and Results
On the first day of Pwn2Own Ireland 2025, security researchers demonstrated the exploitation of 34 unique zero-day vulnerabilities across a wide range of consumer and enterprise devices. The event, organized by Trend Micro's Zero Day Initiative (ZDI), awarded a total of $522,500 in cash prizes to participating teams and individuals for their successful exploits. One of the most notable achievements was by Team DDOS, who chained eight zero-day vulnerabilities to compromise the QNAP Qhora-322 Ethernet wireless router via its WAN interface and subsequently gained access to a QNAP TS-453E NAS device, earning them $100,000 and 8 Master of Pwn points. Multiple teams, including Synacktiv, Summoning Team, DEVCORE, and Rapid7, achieved root-level code execution on devices such as the Synology BeeStation Plus, Synology DiskStation DS925+, QNAP TS-453E, and Home Assistant Green, each receiving $40,000 for their efforts. STARLabs, Team PetoWorks, Team ANHTUD, and Ierae researchers successfully exploited the Canon imageCLASS MF654Cdw multifunction laser printer in four separate attempts, highlighting the device's vulnerability. STARLabs also managed to hack the Sonos Era 300 smart speaker, earning $50,000, while Team ANHTUD exploited the Philips Hue Bridge for a $40,000 reward. The Summoning Team used a two-zero-day exploit chain to gain root on the Synology ActiveProtect Appliance DP320, securing an additional $50,000. By the end of the day, the Summoning Team led the Master of Pwn leaderboard with 11.5 points, closely followed by Team DDOS. The competition featured eight categories, including flagship smartphones, messaging apps, smart home devices, printers, and home networking equipment, with a total prize pool of up to $2,000,000 and a record $1,000,000 single prize for a 0-click WhatsApp exploit. The ZDI coordinates responsible disclosure with affected vendors, granting them 90 days to patch vulnerabilities before public disclosure. The event's schedule included a diverse set of targets and participants, with each attempt carefully timed and monitored. Technical details of the exploits ranged from stack-based and heap-based buffer overflows to complex exploit chains involving multiple zero-days. The competition not only showcased the skills of top security researchers but also contributed to improving the security posture of widely used devices. The responsible disclosure process ensures that vendors are alerted to critical vulnerabilities before they can be weaponized by malicious actors. The first day of Pwn2Own Ireland 2025 underscored the ongoing need for robust security research and proactive vulnerability management in the technology ecosystem. The event's results will drive future security updates and influence best practices across the industry. The high-profile nature of the competition and the significant financial incentives continue to attract elite researchers and teams from around the world.
Apr 19, 2026
Pwn2Own Berlin Zero-Days Hit Edge, Windows 11, and AI Platforms
Researchers at **Pwn2Own Berlin 2026** earned **$523,000** on the first day after demonstrating **24 unique zero-day vulnerabilities** against fully patched targets spanning browsers, operating systems, AI platforms, and NVIDIA-related infrastructure. The standout exploit came from **Orange Tsai** of **DEVCORE Research Team**, who chained **four logic bugs** to escape the **Microsoft Edge** sandbox and collected **$175,000**. **Windows 11** was also successfully compromised three times through separate local privilege-escalation zero-days, underscoring continued risk in core desktop platforms. Other successful demonstrations targeted **Red Hat Linux for Workstations**, **NVIDIA Container Toolkit**, **NVIDIA Megatron Bridge**, **LiteLLM**, **Chroma**, **OpenAI Codex**, and **LM Studio**, showing that enterprise AI tooling was a major attack surface at the event. Some attempts, including attacks against **Oracle Autonomous AI Database** and one **OpenAI Codex** entry, failed, but AI products still featured prominently as the competition’s enterprise-and-AI theme drove testing. After day one, **DEVCORE Research Team** led the standings with **$205,000**, and disclosed bugs now move into the contest’s **90-day vendor remediation window**.
May 25, 2026
Critical RCE Vulnerability in Synology BeeStation Demonstrated at Pwn2Own
Synology addressed a critical remote code execution vulnerability (CVE-2025-12686) in its BeeStation product after the flaw was publicly demonstrated at the Pwn2Own Ireland 2025 competition. The vulnerability, which received a CVSS score of 9.8, stems from improper buffer size checks that allow remote attackers to execute arbitrary code on affected devices. Synology has released patches for all versions of BeeStation OS, urging users to upgrade to version 1.3.2-65648 or later to mitigate the risk. The flaw was one of several zero-days showcased at Pwn2Own Ireland 2025, where researchers were awarded over $1 million for discovering 73 unique vulnerabilities across a range of consumer and enterprise devices. The event highlighted the ongoing risks posed by zero-day vulnerabilities in widely used storage and smart home products. Other vendors, including QNAP, also issued patches for vulnerabilities revealed during the competition.
Mar 21, 2026