Fast Facts

• Hackers earned $1,024,750 for uncovering 73 zero-day vulnerabilities at Pwn2Own Ireland 2025.
• Targeted devices ranged from flagship smartphones to smart glasses and home networking gear.
• Summoning Team led the pack, raking in $187,500 and hacking multiple high-profile targets.
• The event introduced physical USB exploits on locked mobile devices, expanding the attack surface.
• Vendors have 90 days to patch these flaws before public disclosure by Trend Micro's Zero Day Initiative.

The Cork Codebreakers’ Carnival

Imagine a digital gladiator arena: in Cork, Ireland, security researchers gathered for Pwn2Own 2025, not to destroy, but to defend the digital world by attacking it first. Armed with laptops, logic, and legal permission, they cracked open 73 previously unknown vulnerabilities - so-called “zero-days” - in devices that millions trust every day. Their reward? Fame, impact, and a share of over $1 million in cash.

Pwn2Own, now a global fixture since its 2007 debut, flips the hacker stereotype on its head. Here, the world’s best “white hats” (ethical hackers) duel not for profit, but for progress. This year, the contest’s sponsors - Meta, QNAP, and Synology - put everything from Apple’s latest iPhone 16 to Meta’s Ray-Ban smart glasses and home routers on the digital chopping block. Even locked smartphones, long considered fortresses, had their USB ports tested for hidden weaknesses.

Zero-Days: The Hidden Fault Lines

Zero-day vulnerabilities are like secret trapdoors: flaws that no one - except the finder - knows about, making them especially valuable for both defenders and criminals. At Pwn2Own Ireland, hackers exposed 34 zero-days on day one alone, including a dramatic breach of the Samsung Galaxy S25 that let attackers activate the phone’s camera and location tracking without the owner’s knowledge.

While some teams chased glory and big bounties (one WhatsApp exploit was valued at $1 million), others, like Team Z3, chose a quieter path - disclosing their findings privately to the organizers and Meta. This responsible disclosure model, coordinated by Trend Micro’s Zero Day Initiative, ensures that vendors are alerted and given 90 days to patch the flaws before any public reveal, reducing the risk to everyday users.

Why It Matters: The Stakes Beyond the Prize Money

The Pwn2Own model isn’t just a spectacle; it’s a vital pressure release valve for the software world. By incentivizing ethical hackers, it helps ensure that critical bugs are fixed before cybercriminals can exploit them for espionage, ransomware, or sabotage. The contest’s expansion into USB-based attacks mirrors real-world trends, as attackers increasingly look for physical access points to bypass digital defenses.

Past Pwn2Own events have led to rapid fixes in browsers, operating systems, and even cars - reminding us that as technology spreads, so do its vulnerabilities. With the next event set for Tokyo’s Automotive World, even our vehicles will be put to the test. In a world where every device is a potential gateway, the million-dollar bug hunt isn’t just a contest - it’s a frontline in the ongoing battle for digital trust.

WIKICROOK

• Zero: A zero-day vulnerability is a hidden security flaw unknown to the software maker, with no fix available, making it highly valuable and dangerous to attackers.
• Responsible disclosure: Responsible Disclosure is when security flaws are privately reported to vendors, allowing them to fix issues before the information is made public.
• Master of Pwn points: Master of Pwn points are awarded at Pwn2Own for successful exploits and are used to rank participants in the competition.
• USB exploitation: USB exploitation is hacking a device via its USB port by exploiting hidden flaws, sometimes even when the device is locked or secured.
• Remote code execution: Remote code execution lets attackers run commands on your computer from a distance, often leading to full system compromise and data theft.