On the opening day of the Pwn2Own Ireland 2025 hacking contest, organized by Trend Micro’s Zero Day Initiative (ZDI), researchers had a highly lucrative showing, collectively earning a substantial $522,500. This prize money was awarded for the successful demonstration of 34 previously unknown vulnerabilities, commonly known as zero-days. The exploits targeted a diverse array of consumer and small-office hardware, successfully compromising devices such as network-attached storage (NAS) devices, printers, routers, and various smart home products.
The most significant financial award of the day was $100,000, which was granted in the high-stakes ‘SOHO Smashup’ category. This specific challenge required participants to chain together exploits targeting two different types of devices to achieve a complete compromise. The winning researchers successfully linked vulnerabilities in a QNAP Qhora-322 router with those in a QNAP TS-453E NAS device. This demonstration highlighted the security risks present in connected small-office/home-office environments when multiple device exploits are combined.
Other substantial rewards were distributed for successfully hacking individual products. An impressive $50,000 was earned for exploiting a vulnerability in the Synology ActiveProtect Appliance DP320, a dedicated backup device. The same high-value prize of $50,000 was also paid out to a researcher who managed to compromise a Sonos Era 300 smart speaker. Additionally, other vulnerabilities found in Synology and QNAP NAS products each resulted in a $40,000 payout for the researchers.
The competition also saw several successful compromises against a variety of smart home platforms and peripherals. The popular Home Assistant Green home automation device was targeted, with exploits earning researchers awards of $40,000, $20,000, and $12,500. Similarly, successful compromises of the Philips Hue Bridge smart lighting hub resulted in payouts of $40,000 and $20,000. Demonstrations against common office equipment, specifically Canon and HP printers, also secured rewards of $20,000 and $10,000, respectively.
The Pwn2Own Ireland 2025 event is scheduled to continue until Thursday, with the potential for even larger payouts on the horizon. A highly anticipated challenge involves a researcher attempting to demonstrate a zero-click remote code execution exploit against the popular messaging application WhatsApp. This specific exploit carries the highest reward available in the contest, a massive $1 million. This year’s contest follows Pwn2Own Ireland 2024, which awarded over $1 million for exploits targeting cameras, printers, NAS devices, smart speakers, and smartphones, setting a high bar for the current year’s security demonstrations.