Pwn2Own event uncovers 73 zero-days with USD $1 million in prizes
Participants in the recent Pwn2Own event discovered and disclosed 73 unique zero-day vulnerabilities affecting a range of connected devices and technologies.
The vulnerabilities, which were found in systems including printers, network storage devices, smart home equipment, surveillance hardware, home networking technology, flagship smartphones and wearable devices, were recognised by Trend Micro for their significance in addressing rising cyber threats.
The competition in Ireland saw top ethical hackers identify and demonstrate these issues, with their research enabling Trend Micro customers to be protected from zero-day exploits an average of 71 days ahead of the wider cybersecurity industry.
Master of Pwn
Summoning Team was named as the overall winner of the event, securing the title of "Master of Pwn" and receiving a cash prize of USD $187,500.
Prizes totalling USD $1,024,750 were awarded to researchers who successfully demonstrated zero-day exploits across a variety of devices and platforms. The event reportedly featured a prize pool valued at more than USD $2 million.
Mick McCluney, Australia and New Zealand Field Chief Technology Officer at Trend Micro, commented on the impact of the event's findings. He said,
"Our mission is to approach security proactively and gather the deepest threat intelligence in the industry. The 73 zero-day bugs discovered at Pwn2Own will directly help make the digital world a safer place. We're proud to empower vendors to patch these vulnerabilities while offering our customers protection from exploits well ahead of any other cybersecurity provider. As cyber risk continues to rise worldwide, Pwn2Own remains a valuable tool in staying ahead."
Competition highlights
Among the key outcomes, Ben R. and Georgi G. of Interrupt Labs utilised an improper input validation flaw to compromise the Samsung Galaxy S25 smartphone. Their demonstration, which involved gaining access to the device's camera and location tracking functions, resulted in a USD $50,000 prize.
Ken Gannon and 伊藤 剣 of Mobile Hacking Lab, along with Dimitrios Valsamaras of Summoning Team, used five distinct bugs to exploit the same Samsung device, an achievement also awarded USD $50,000.
Bongeun Koo and Evangelos Daravigkas from Team DDOS used eight vulnerabilities, including several injection bugs, to breach both the QNAP Qhora-322 router and QNAP TS-453E NAS. This "SOHO Smashup" resulted in a USD $100,000 prize.
dmdung of STAR Labs SG Pte. Ltd disclosed a single out-of-bounds access vulnerability, which was used to exploit the Sonos Era 300 smart speaker and secure a USD $50,000 award.
Sina Kheirkhah and McCaulay Hudson from Summoning Team were credited for using two vulnerabilities in an attack against the Synology ActiveProtect Appliance DP320.
While Team Z3 opted not to publicly demonstrate a zero-click exploit for WhatsApp, the team shared its findings confidentially with Trend Micro's Zero Day Initiative and Meta with the aim of supporting remediation efforts.
Looking ahead
The next Pwn2Own competition is scheduled to focus on automotive systems and will take place in Tokyo, Japan.
Trend Micro stated that the research conducted at the Pwn2Own event forms a critical part of its broader strategy to deliver advanced threat defences, and supports efforts to reduce the risk of exploits before they can be weaponised by malicious actors.