Hackers Earn Over $1 Million for 73 Zero-Day Vulnerabilities

At this year’s Pwn2Own Ireland cybersecurity competition, security researchers achieved unprecedented success, walking away with a record-breaking $1,024,750 after uncovering 73 zero-day vulnerabilities across a diverse range of modern devices. The three-day hacking contest, held in Cork, Ireland, saw competitors systematically breach smartphones including Apple’s iPhone 16, Samsung’s Galaxy S25, and Google’s Pixel 9, alongside cutting-edge gadgets from Meta, QNAP, and Synology.

Summoning Team Dominates Competition with Strategic Device Breaches

The Summoning Team emerged victorious at Pwn2Own Ireland 2025, securing first place with an impressive 22 Master of Pwn points and $187,500 in prize money. Their systematic approach to hacking multiple high-profile devices demonstrated exceptional technical expertise and strategic planning throughout the competition. The team successfully breached the Samsung Galaxy S25, multiple Synology network-attached storage systems, including the DiskStation DS925+ and ActiveProtect Appliance DP320, the Home Assistant Green smart home hub, the Synology CC400W security camera, and the QNAP TS-453E NAS device.

Team ANHTUD claimed second place with $76,750 and 11.5 Master of Pwn points, while Team Synacktiv rounded out the podium in third place with $90,000 in prizes and 11 Master of Pwn points. The competition’s structure rewarded both individual exploits and comprehensive attack chains, encouraging researchers to develop sophisticated multi-stage attacks that mirror real-world threat scenarios.

Galaxy S25 Hack Enables Camera and Location Tracking

One of the competition’s most significant achievements was the Samsung Galaxy S25 hack, where researchers not only exploited a critical vulnerability but also demonstrated the severe privacy implications by enabling unauthorized camera access and real-time location tracking. This sophisticated attack earned the successful team an additional $50,000 bounty, highlighting the premium placed on exploits that compromise user privacy and device security.

The Galaxy S25 exploit utilized five different zero-day vulnerabilities in a complex attack chain, showcasing how modern smartphone security can be systematically compromised through carefully orchestrated multi-stage attacks. Ken Gannon of Mobile Hacking Lab and Dimitrios Valsamaras of Summoning Team executed this impressive demonstration, proving that even flagship devices with advanced security features remain vulnerable to determined attackers.

“Ken Gannon / 伊藤 剣 of Mobile Hacking Lab, and Dimitrios Valsamaras of Summoning Team used five different bugs to exploit the Samsung Galaxy S25. They earn $50,000 and 5 Master of Pwn points.” – Zero Day Initiative Day Two Results

Zero Day Initiative Promotes Responsible Vulnerability Disclosure

The Pwn2Own competition, organized by Trend Micro’s Zero Day Initiative (ZDI), serves a crucial role in the cybersecurity ecosystem by encouraging responsible disclosure of vulnerabilities before malicious actors can exploit them in real-world attacks. This proactive approach to security research helps vendors identify and patch critical flaws that could otherwise remain undiscovered until exploited by cybercriminals.

The competition’s comprehensive scope covered eight distinct categories of devices, including printers, network storage systems, messaging applications, smart home devices, surveillance equipment, home networking hardware, flagship smartphones, and wearable technology. This broad coverage ensures that security researchers examine vulnerabilities across the entire spectrum of connected devices that consumers and businesses rely on daily.

USB-Based Exploits Expand Traditional Attack Surface Significantly

This year’s Pwn2Own Ireland introduced a significant expansion of the attack surface by incorporating USB-based exploits that required researchers to hack locked phones through direct physical access. This addition reflects the evolving threat landscape where attackers may gain temporary physical access to devices, such as during border crossings, hotel stays, or other scenarios where devices might be briefly unattended.

The inclusion of USB port exploitation alongside traditional wireless protocols like Bluetooth, Wi-Fi, and NFC demonstrates the competition’s commitment to addressing realistic attack scenarios. Physical access attacks represent a growing concern in cybersecurity, as they can bypass many software-based security measures and provide attackers with deeper system access than remote exploits.

Did You Know? The competition was co-sponsored by Meta alongside QNAP and Synology, with researchers targeting Meta’s Ray-Ban Smart Glasses and Quest 3/3S headsets among other cutting-edge devices. One team even withdrew from demonstrating a $1 million WhatsApp zero-click exploit, choosing instead to disclose their findings privately to Meta’s engineering team.

Vendor Patch Timeline Ensures Coordinated Security Response

Following the successful demonstration of vulnerabilities at Pwn2Own, affected vendors receive a 90-day window to develop and release security patches before the Zero Day Initiative publicly discloses the technical details. This coordinated disclosure timeline strikes a balance between giving manufacturers adequate time to address security flaws and ensuring that the broader security community eventually benefits from the research findings.

The structured approach to vulnerability disclosure helps prevent the weaponization of discovered exploits while maintaining transparency in the cybersecurity research community. Vendors can use this period to thoroughly test patches, coordinate with their supply chains, and prepare comprehensive security updates that address not only the specific vulnerabilities but also related security concerns that may be discovered during the remediation process.

Pwn2Own Ireland 2025 has set new benchmarks for cybersecurity research competitions, with its record-breaking $1,024,750 payout and 73 zero-day vulnerabilities demonstrating both the skill of security researchers and the persistent challenges facing device manufacturers. The competition’s expansion to include USB-based physical access attacks alongside traditional wireless exploits reflects the evolving threat landscape that security professionals must navigate.