Full Report
Security researchers collected $792,750 in cash after exploiting 56 unique zero-day vulnerabilities during the second day of the Pwn2Own Ireland 2025 hacking competition. [...]
Analysis Summary
# Vulnerability: Zero-Day Exploits Demonstrated at Pwn2Own Ireland 2025
## CVE Details
- CVE ID: **Not specified in the article.** (These are zero-days discovered during the contest, official CVE assignment follows disclosure.)
- CVSS Score: **Not specified in the article.**
- CWE: **Not specified in the article.**
## Affected Systems
- Products: Samsung Galaxy S25, QNAP TS-453E NAS, Synology DS925+, Phillips Hue Bridge, Canon imageCLASS MF654Cdw printer, Home Automation Green, Synology CC400W camera, Amazon Smart plug, Lexmark CX532adwe printer.
- Versions: **Vulnerable versions are not specified.** The devices targeted were assumed to be running their current pre-release or in-market software/firmware during the competition.
- Configurations: Exploits were demonstrated via various vector chains (including potential wireless, local, and physical USB attack vectors on mobile devices).
## Vulnerability Description
During the second day of Pwn2Own Ireland 2025, security researchers successfully demonstrated 56 unique zero-day vulnerabilities across consumer electronics, networking gear, and smart home devices. Highlights included a complex chain of five flaws used to compromise the Samsung Galaxy S25, and vulnerabilities in QNAP NAS devices and various printers. The specific technical details of each of the 56 flaws are confidential pending vendor patching.
## Exploitation
- Status: **Demonstrated successful exploitation in a controlled competition environment (Vendor disclosure phase).**
- Complexity: Varies, demonstrated exploitation ranged from single-second compromises (QNAP) to multi-step chains (Samsung S25).
- Attack Vector: Network, Adjacent, Local, and Physical (USB exploitation attempted/successful on mobile).
## Impact
**Impact assessment is generalized as the specific flaws were not detailed.**
- Confidentiality: High (Implied by successful device takeover)
- Integrity: High (Implied by successful device takeover)
- Availability: Medium to High (Depending on the flaw, device denial of service or full compromise possible)
## Remediation
### Patches
- **Patches are not yet publicly available.** The Zero Day Initiative (ZDI) provides vendors a 90-day window to develop and release patches before public disclosure of the vulnerability details.
### Workarounds
- **No specific workarounds are available** until vendors release security advisories with mitigation steps following initial patch development.
## Detection
- **Indicators of Compromise (IOCs):** Unknown, as the vulnerabilities are zero-days and specific conditions are not public.
- **Detection methods and tools:** Detection would rely on vendor advisories once disclosures occur. General proactive defense includes maintaining network segmentation and strictly monitoring for unexpected access or behavior on targeted devices (NAS, printers, IoT).
## References
- Vendor advisories: Awaiting vendor advisories and official CVE assignments from ZDI disclosure.
- Relevant links:
- Pwn2Own Ireland 2025 Schedule (Zeroday Initiative Blog): hXXps://zerodayinitiative.com/blog/2025/10/16/pwn2own-ireland-2025-the-full-schedule
- Previous competition reports (for context): hXXps://www.bleepingcomputer.com/news/security/over-70-zero-day-flaws-get-hackers-1-million-at-pwn2own-ireland/