The world’s most elite ethical hackers once again descended on Dublin, and for three intense days no device was safe. Pwn2Own Dublin 2025 has concluded, and the results are in: a staggering $1,024,750 in prize money has been awarded for the discovery of 73 unique zero-day vulnerabilities. This year’s competition saw everything from printers and routers to the brand-new Samsung Galaxy S25 fall to sophisticated, never-before-seen exploit chains.
Organized by Trend Micro’s Zero Day Initiative (ZDI), Pwn2Own is more than just a hacking competition; it’s a critical, real-time stress test of the technology we rely on every day. The vulnerabilities discovered here are responsibly disclosed to the vendors, giving them a chance to build patches before malicious actors can exploit them in the wild. Let’s break down the most impressive hacks and the biggest takeaways from this year’s event.
The Star of the Show: Samsung Galaxy S25 Hacked on Day Two
In what was arguably the most anticipated event, the freshly released Samsung Galaxy S25 was successfully compromised. The team from Interrupt Labs achieved a full takeover of the device, chaining together two separate vulnerabilities: an input validation flaw and a permissions misconfiguration.
This is a significant achievement. Modern mobile devices are incredibly hardened, and successfully compromising them often requires finding and chaining multiple, distinct bugs to bypass layers of security. The Interrupt Labs team’s success demonstrates that even the latest and greatest flagship devices are not impenetrable.
The Reigning Champions: Team Synacktiv Dominates Again
Once again, the French security research team Synacktiv proved why they are a dominant force in the world of offensive security. They left Dublin with a massive $225,000 in prize money after successfully demonstrating a series of complex exploits, including:
- A three-bug chain to achieve code execution on a Ubiquiti wireless access point.
- A sophisticated exploit against a Lexmark printer.
- A successful compromise of a QNAP NAS device.
Their performance was a masterclass in exploit development, showcasing their deep expertise across a wide range of devices and architectures.
The Broad Attack Surface: No Device Was Spared
While the mobile phone hack often grabs the headlines, Pwn2Own Dublin focuses on the vast and often overlooked world of connected devices. This year’s competition saw successful exploits against:
- Wireless Access Points: Devices from TP-Link, Synology, and Ubiquiti were all compromised.
- Printers: High-end office printers from Canon, HP, and Lexmark were successfully hacked.
- Network Attached Storage (NAS): Devices from QNAP and Synology, which are often used to store sensitive personal and business data, were also compromised.
- Smart Speakers: A Sonos speaker was successfully exploited, highlighting the risks in our increasingly connected homes.
- Routers: Routers from TP-Link and Synology were also taken over.
Why Pwn2Own Matters
The sheer number of zero-days discovered—73 in just three days—is a sobering reminder of the complexity of modern software and the ever-present potential for vulnerabilities. Events like Pwn2Own are a critical part of the security ecosystem. They provide a controlled, ethical environment for the world’s best security talent to identify these flaws before they can be used in widespread attacks.
For the vendors involved, it’s a moment of truth. They now have a detailed, actionable list of the critical vulnerabilities they must fix. For the rest of us, it’s a powerful lesson in the importance of timely patching and a defense-in-depth security mindset. The devices we trust every day are not infallible, and the work of these ethical hackers is essential to keeping us all safe.
Congratulations to all the teams who competed, and now, the clock starts ticking for the vendors to deliver the patches.
Pwn2Own Dublin 2025 FAQ
- What is Pwn2Own? Pwn2Own is one of the world’s most prestigious “hacking” competitions, organized by Trend Micro’s Zero Day Initiative (ZDI). Elite security researchers from around the globe compete to find and exploit previously unknown (“zero-day”) vulnerabilities in a wide range of software and hardware.
- Were the hacks at Pwn2Own real? Yes. The exploits demonstrated are real, working attacks against fully patched, up-to-date devices. This is what makes the competition so challenging and significant.
- What happens to the vulnerabilities after they are discovered? All vulnerabilities are responsibly disclosed to the affected vendors immediately after the competition. The vendors are then given a grace period (typically 90-120 days) to develop and release patches before the technical details of the vulnerabilities are made public.
- Who were the top winners at Pwn2Own Dublin 2025? The French team Synacktiv was once again a top competitor, earning $225,000. Other major winners included teams from Interrupt Labs (who successfully hacked the Samsung Galaxy S25) and DEVCORE.
- How many zero-day vulnerabilities were discovered? A total of 73 unique zero-day vulnerabilities were successfully demonstrated during the three-day event.