Full Report
The Pwn2Own Ireland 2025 hacking competition has ended with security researchers collecting $1,024,750 in cash awards after exploiting 73 zero-day vulnerabilities. [...]
Analysis Summary
The following is a summary of the information provided regarding the Pwn2Own Ireland 2025 findings.
***
# Vulnerability: Zero-Day Exploits Discovered at Pwn2Own Ireland 2025
## CVE Details
- **CVE ID:** Not individually specified. The article reports on **73 zero-day vulnerabilities** discovered across multiple products, none of which have received public CVE assignments prior to this summary (as they are new findings from the contest).
- **CVSS Score:** Not specified for individual bugs, as the findings are preliminary to the responsible disclosure process.
- **CWE:** Not specified.
## Affected Systems
- **Products:** A wide array of consumer and enterprise technology, including:
  * Apple iPhone 16
  * Samsung Galaxy S25
  * Google Pixel 9
  * Meta Ray-Ban Smart Glasses
  * Meta Quest 3/3S headsets
  * Synology DiskStation DS925+ NAS
  * Synology ActiveProtect Appliance DP320 NAS
  * Synology CC400W camera
  * QNAP TS-453E NAS device
  * Home Assistant Green
  * Printers, network storage systems, messaging apps, smart home devices, and surveillance equipment.
- **Versions:** Specific vulnerable versions are not listed, as they are product implementations targeted during the live competition.
- **Configurations:** Attacks included:
  * Traditional wireless protocols (Bluetooth, Wi-Fi, NFC).
  * New attack surface: USB port exploitation on locked mobile handsets (physical connection required).
## Vulnerability Description
The information describes the successful exploitation of **73 distinct zero-day vulnerabilities** across consumer electronics and IT infrastructure targets during the Pwn2Own Ireland 2025 competition. Specific examples include:
1. **Samsung Galaxy S25:** Exploited via an **improper input validation bug** to gain control, leading to location tracking and camera activation.
2. **WhatsApp:** A **Zero-Click Remote Code Execution (RCE)** zero-day was found by Team Z3 but was **withdrawn** for private disclosure.
## Exploitation
- **Status:** **PoC available** (Proof-of-Concept demonstrated live during the contest).
- **Complexity:** Varies. Some exploits required physical access (USB), while others were remote (wireless protocols, zero-click). Exploit chains were successfully executed on flagship mobile devices, suggesting complex pathways were viable.
- **Attack Vector:** Network, Adjacent, Local, and Physical (via USB).
## Impact
Since these are comprehensive zero-day findings targeting diverse products, the potential impact across the board is high, generally categorized as follows (pending final vendor assessment):
- **Confidentiality:** High (e.g., data extraction, accessing stored data, activation of cameras/mics).
- **Integrity:** High (e.g., modification of device settings, persistence).
- **Availability:** Medium to High (e.g., device crashing or disruption of service).
## Remediation
### Patches
- **Status:** Vendor patching is **pending**. The Zero Day Initiative (ZDI) mandates a **90-day disclosure window** following the contest (which concluded October 23, 2025). Public disclosure of the vulnerabilities is expected after this window unless patches are already released.
- **Specific Patches:** None are publicly available at the time of this summary, as the findings are fresh from the contest.
### Workarounds
- **General Mitigation:** Given the breadth of devices, no universal workaround exists. Users of the specific, highly targeted devices listed (such as the S25 and major NAS systems) should monitor vendor security advisories immediately.
- **USB Attacks:** For physical USB attacks, physically securing devices or disabling USB accessory modes when not in use might offer temporary protection against those specific vectors.
## Detection
- **Indicators of Compromise:** Unknown for these specific zero-days until technical analysis is complete. General indicators include unexpected network activity, unauthorized application use, or device instability.
- **Detection Methods and Tools:** Organizations should look for signatures related to the exploitation techniques used by the winning teams (Summoning Team, Team ANHTUD, etc.) once vendor advisories are released. Monitoring for anomalous input handling or unusual system calls on affected firmware versions will be key.
## References
- **Vendor Advisories:** None explicitly issued yet, as ZDI coordination is underway.
- **Relevant links - defanged:**
  * [bleepingcomputer.com/news/security/hackers-earn-1-024-750-for-73-zero-days-at-pwn2own-ireland/](https://bleepingcomputer.com/news/security/hackers-earn-1-024-750-for-73-zero-days-at-pwn2own-ireland/)
  * [bleepingcomputer.com/news/security/hackers-exploit-34-zero-days-on-first-day-of-pwn2own-ireland/](https://bleepingcomputer.com/news/security/hackers-exploit-34-zero-days-on-first-day-of-pwn2own-ireland/)
  * [bleepingcomputer.com/news/security/samsung-galaxy-s25-hacked-on-day-two-of-pwn2own-ireland-2025/](https://bleepingcomputer.com/news/security/samsung-galaxy-s25-hacked-on-day-two-of-pwn2own-ireland-2025/)
  * [zerodayinitiative.com/blog/2025/10/16/pwn2own-automotive-returns-to-tokyo-with-expanded-chargers-and-more](https://zerodayinitiative.com/blog/2025/10/16/pwn2own-automotive-returns-to-tokyo-with-expanded-chargers-and-more)