Full Report
On the first day of Pwn2Own Ireland 2025, security researchers exploited 34 unique zero-days and collected $522,500 in cash awards. [...]
Analysis Summary
# Vulnerability: Pwn2Own Ireland 2025 Zero-Day Exploits Summary
## CVE Details
- CVE ID: N/A (This article describes multiple zero-day vulnerabilities demonstrated at a competition, specific CVEs are not assigned in the text.)
- CVSS Score: N/A (Scores are not provided for the individual exploits.)
- CWE: N/A (Specific weaknesses are not detailed.)
## Affected Systems
- Products: QNAP Qhora-322 Ethernet wireless router, QNAP TS-453E NAS device, Synology BeeStation Plus, Synology DiskStation DS925+, Home Assistant Green, Canon imageCLASS MF654Cdw multifunction laser printer, Sonos Era 300 smart speaker, Phillips Hue Bridge, Synology ActiveProtect Appliance DP320, Apple iPhone 16 (Targeted), Samsung Galaxy S25 (Targeted), Google Pixel 9 (Targeted), WhatsApp (Targeted for zero-click RCE).
- Versions: Not specified for the successfully exploited vulnerabilities.
- Configurations: Exploits targeted devices connected via WAN interface (for QNAP chain), and potentially zero-click (for WhatsApp). Physical USB connection exploitation was introduced as a new vector for mobile handsets.
## Vulnerability Description
During the first day of Pwn2Own Ireland 2025, security researchers successfully demonstrated the exploitation of 34 unique zero-day vulnerabilities across various connected devices, including NAS systems, routers, smart home components, and printers. Key demonstrations involved chaining multiple (up to eight) zero-days to achieve remote code execution or root access on devices supplied by QNAP and Synology.
## Exploitation
- Status: Exploited in the wild (within the context of the competition, demonstrating immediate real-world exploitability).
- Complexity: Varied; the most successful chain required combining eight zero-days. Other demonstrations showed feasibility through simple chains (two zero-days) or zero-click mechanisms (WhatsApp target).
- Attack Vector: Network (WAN interaction demonstrated), Adjacent (via USB for mobile phones), and potentially Wireless (Wi-Fi, Bluetooth, NFC).
## Impact
The impact varies based on the specific exploit, but successful demonstrations resulted in gaining **Root Access** or system compromise on targeted devices (NAS, routers, printers, smart home hubs).
- Confidentiality: High (Full system compromise allows data access).
- Integrity: High (Ability to alter system configurations and data).
- Availability: Medium to High (System takeover/Denial of service potential).
## Remediation
### Patches
- Vendors (QNAP, Synology, Canon, Sonos, Phillips, Meta/WhatsApp, etc.) were given 90 days following the event (October 2025) to release patches before public disclosure by the ZDI. **No specific patches are currently available** based on this summary.
### Workarounds
- Given the nature of these zero-days, no specific workarounds are provided in this summary. General advice would be to monitor vendor advisories or isolate high-risk devices if possible until patches are released.
## Detection
- Indicators of Compromise (IoCs): None are detailed, as these are newly discovered zero-days.
- Detection methods and tools: Since the goal of Pwn2Own is to find flaws before they are weaponized, detection relies on timely integration of vendor-supplied security updates or application of network monitoring for anomalous activity suggestive of compromise (e.g., unexpected outbound communication or privilege escalation attempts).
## References
- Vendor advisories: Vendors are coordinating disclosure with the Zero Day Initiative (ZDI).
- Relevant links:
- ZDI Pwn2Own Ireland 2025 Schedule: hxxps://www.zerodayinitiative.com/blog/2025/10/16/pwn2own-automotive-returns-to-tokyo-with-expanded-chargers-and-more
- ZDI Blog mentioning Day 2 schedule: hxxps://www.zerodayinitiative.com/blog/2025/20/pwn2own-ireland-2025-the-full-schedule#text=Wednesday%2C%20October%2022%20%E2%80%93%200930