Security researchers exploited 34 unique zero‑day vulnerabilities on the first day of the Pwn2Own Ireland 2025 competition and collected $522,500 in cash awards, organisers said. The event is run by Trend Micro’s Zero Day Initiative (ZDI), which coordinates responsible disclosure and gives affected vendors a 90‑day window to release fixes before public disclosure.
The day’s largest single prize went to Bongeun Koo and Evangelos Daravigkas of Team DDOS, who chained multiple flaws to compromise a QNAP Qhora‑322 router via its WAN interface and gain access to a QNAP TS‑453E NAS, earning $100,000. Details of their chain were shared on social media by the contest’s tracking account, including a post documenting the chaining of eight zero-day flaws, and the team also published a post of its own.
Other successful demonstrations included full root compromises that earned $40,000 apiece for Synacktiv Team, Sina Kheirkhah of the Summoning Team, the DEVCORE Team, and Stephen Fewer of Rapid7 against devices including the Synology BeeStation Plus, the Synology DiskStation DS925+, the QNAP TS‑453E and the Home Assistant Green. Multiple teams including STARLabs, Team PetoWorks, Team ANHTUD and Ierae exploited a Canon imageCLASS MF654Cdw printer during the day, while STARLabs also earned $50,000 for a Sonos Era 300 compromise and Team ANHTUD collected $40,000 for an exploit of the Philips Hue Bridge.
Sina Kheirkhah and McCaulay Hudson of the Summoning Team combined two zero‑day vulnerabilities to gain root on a Synology ActiveProtect Appliance DP320 and were awarded $50,000. The Summoning Team collected a total of $102,500 on day one and moved to the top of the Master of Pwn leaderboard with 11.5 points.
Pwn2Own Ireland 2025 covers a wide set of targets: the program features eight categories, including flagship smartphones, messaging apps, smart home devices, printers, home networking and network storage systems, surveillance equipment, and wearable technology. The ZDI also expanded the mobile category this year to allow USB‑port exploitation of locked handsets while retaining wireless protocols such as Bluetooth, Wi‑Fi and NFC. Organisers published a schedule noting that on the second day researchers will again target network‑attached storage, printers, smart home and surveillance systems, as well as the Samsung Galaxy S25.
ZDI announced earlier in the year that it would offer a $1 million reward for a demonstrated zero‑click WhatsApp exploit that achieves code execution without user interaction. Meta, QNAP and Synology are among the co‑sponsors of Pwn2Own Ireland, which runs from October 21 to October 24 in Cork, Ireland. ZDI also said it will return in January 2026 to the Automotive World show in Tokyo for its third Pwn2Own Automotive contest, with details posted in a ZDI notice about the event.