Hackers Exploit 34 Zero-Day Flaws and Earn $522,500 at Pwn2Own Ireland 2025

The first day of Pwn2Own Ireland 2025 concluded with remarkable results, as security researchers discovered 34 distinct zero-day vulnerabilities across a variety of smart devices.

Every single exploit attempt succeeded, resulting in a total prize payout of $522,500. The event, taking place in Cork, Ireland, from October 21 to 24, brings together elite hackers to challenge widely used devices, including printers, routers, and smart home systems.

One standout achievement came from Team DDOS, whose Bongeun Koo and Evangelos Daravigkas chained eight different vulnerabilities, including multiple injection flaws, to compromise the QNAP Qhora-322 router paired with a TS-453E NAS in the challenging “SOHO Smashup” competition. Their success earned them $100,000 and 10 Master of Pwn points, placing them near the top of the leaderboard.

Other notable successes included Team Neodyme exploiting a stack buffer overflow on the HP DeskJet 2855e printer for $20,000, and Synacktiv executing root-level code on the Synology BeeStation Plus using a stack overflow, earning $40,000.

Printers remained a frequent target. STAR Labs used a heap buffer overflow on the Canon imageCLASS MF654Cdw to win $20,000 in round one. Later, SHIMIZU Yutaro from GMO Cybersecurity claimed $10,000 with another stack overflow on the same Canon model, while Team PetoWorks leveraged an invalid pointer release bug for an additional $10,000. Team ANHTUD closed out the printer attacks with a heap buffer overflow, earning $10,000 more, highlighting how susceptible everyday office printers are to serious security breaches.

Smart home devices were heavily impacted as well. Summoning Team’s Sina Kheirkhah executed code on the Synology DiskStation DS925+ using two vulnerabilities for $40,000. Stephen Fewer from Rapid7 combined flaws such as server-side request forgery and command injection to compromise the Home Assistant Green hub, also winning $40,000. Compass Security later used arbitrary file write and cleartext data exposure on the same hub for another $20,000, while dmdung from STAR Labs exploited out-of-bounds access on the Sonos Era 300 speaker to claim $50,000.

The Philips Hue Bridge drew intense competition. Team ANHTUD began with a four-bug chain, including overflows and out-of-bounds reads, winning $40,000. Hank Chen from InnoEdge Labs followed with an authentication bypass and out-of-bounds write for $20,000. Though Team DDOS withdrew their attempt, the challenge remained competitive.

The DEVCORE Research Team impressed with multiple injection attacks and a rare format string bug on the QNAP TS-453E, securing $40,000, while Summoning Team ended strong by exploiting two vulnerabilities on the Synology ActiveProtect DP320 appliance, adding $50,000 more. McCaulay Hudson from Summoning Team earned $12,500 using four bugs on the Home Assistant Green, despite some partial overlaps.

In total, 17 exploits were completed across network storage, printers, and surveillance devices. Summoning Team leads the Master of Pwn rankings with 11.5 points after collecting $102,500, followed closely by Team DDOS with 10 points. Other teams like Synacktiv and Rapid7 have 4 points each, contributing to the final hacker rankings.

Looking Ahead to Days Two and Three

Pwn2Own Ireland’s main goal is to identify vulnerabilities before malicious hackers can exploit them. Vendors have 90 days to issue patches after disclosure. This year, up to $2 million in prizes is available, including a massive $1 million reward for a zero-click WhatsApp exploit.

Day two will focus on network storage, printers, smart home devices, and the Samsung Galaxy S25 smartphone, with new targets like Meta wearables expected to increase competition. Last year, over $1 million was awarded for 70 vulnerabilities, and 2025 could surpass that figure.