Hackers exploit 34 zero-days on first day of Pwn2Own Ireland


On the first day of Pwn2Own Ireland 2025, security researchers exploited 34 unique zero-days and collected $522,500 in cash awards.

The highlight of the day was Bongeun Koo and Evangelos Daravigkas of Team DDOS chaining eight zero-day flaws to hack the QNAP Qhora-322 Ethernet wireless router via the WAN interface and gain access to a QNAP TS-453E NAS device. For this successful attempt, they won $100,000 and are now in second place on the Master of Pwn leaderboard with 8 points.

Synacktiv Team, Sina Kheirkhah of the Summoning Team, the DEVCORE Team, and Stephen Fewer of Rapid7 have also earned $40,000 each after gaining root on the Synology BeeStation Plus, the Synology DiskStation DS925+, the QNAP TS-453E, and the Home Assistant Green, respectively.

STARLabs, Team PetoWorks, Team ANHTUD, and Ierae researchers hacked the Canon imageCLASS MF654Cdw multifunction laser printer four times, while STARLabs also hacked the Sonos Era 300 smart speaker to earn $50,000, and Team ANHTUD exploited the Philips Hue Bridge to collect $40,000 in cash.

Sina Kheirkhah and McCaulay Hudson of the Summoning Team have used an exploit chain combining two zero-days to gain root on a Synology ActiveProtect Appliance DP320 and win another $50,000.

Summoning Team won a total of $102,500 during the first day of the competition and is at the top of the Master of Pwn leaderboard with 11.5 points.

The Zero Day Initiative (ZDI) organizes the event to identify security vulnerabilities in targeted devices before threat actors can exploit them, coordinating responsible disclosure with the affected vendors. After the zero-day flaws are exploited during Pwn2Own events, vendors are given 90 days to release security updates before Trend Micro’s Zero Day Initiative publicly discloses them.

The contest features eight categories targeting flagship smartphones (Apple iPhone 16, Samsung Galaxy S25, and Google Pixel 9), messaging apps, smart home devices, printers, home networking equipment, network storage systems, surveillance equipment, and wearable technology (including Meta's Ray-Ban Smart Glasses and Quest 3/3S headsets).

This year, the ZDI also expanded the attack vectors for the mobile category to include USB port exploitation for mobile handsets, which requires competitors to hack into locked phones through physical connections. However, traditional wireless protocols such as Bluetooth, Wi-Fi, and near-field communication (NFC) remain valid attack vectors.

On the second day, security researchers will again target devices in the network-attached storage, printers, smart home, and surveillance systems categories, as well as the Samsung Galaxy S25 in the mobile phones category.

As announced in August, this is also the first time ZDI will offer a $1 million reward to security researchers who demo a zero-click WhatsApp exploit that allows code execution without user interaction.

Meta, alongside QNAP and Synology, is co-sponsoring the Pwn2Own Ireland 2025 hacking contest, which takes place from October 21 to October 24 in Cork, Ireland.

During last year’s Pwn2Own Ireland event, security researchers earned $1,078,750 for more than 70 zero-day vulnerabilities, with Viettel Cyber Security collecting $205,000 for QNAP, Sonos, and Lexmark bugs.

In January 2026, the ZDI will return to the Automotive World technology show in Tokyo for its third Pwn2Own Automotive contest, with Tesla returning as a sponsor.

