Trend Micro’s Zero Day Initiative has announced Pwn2Own Ireland 2025, a premier cybersecurity competition offering an unprecedented USD 1,000,000 prize for zero-click WhatsApp exploits leading to remote code execution.
The event, scheduled for October 21-24, 2025, in Cork, Ireland, represents a significant escalation in cybersecurity research incentives, with Meta Platforms serving as co-sponsor alongside returning partners Synology and QNAP Systems.
Meta Partnership Drives Record-Breaking Bounties
The collaboration with Meta has transformed the messaging category into the event’s flagship attraction, featuring the largest single prize in Pwn2Own history.
The competition targets WhatsApp’s consumer and business clients across multiple platforms, including Samsung Galaxy S25, Google Pixel 9, Apple iPhone 16, and various desktop implementations.
Zero-click exploits require no user interaction beyond viewing a conversation thread, while one-click variants may involve multiple taps constituting a single logical action.
The messaging category extends beyond traditional remote code execution (RCE) to include specialized attack vectors such as remote zero-click account takeover (USD 150,000), unauthorized microphone or video feed access (USD 130,000), and zero-click user impersonation (USD 50,000).
Technical requirements mandate that exploits target vulnerabilities within WhatsApp’s application address space, including platform-dependent code loaded into the application’s memory space.
Expanded Attack Surface and Technical Challenges
The competition introduces eight distinct categories, each presenting unique technical challenges for security researchers.
The mobile phone category now includes USB-based attack vectors targeting the exposed user port while the device remains locked, requiring either arbitrary code execution or device unlock with unrestricted session access.
Remote vectors must exploit NFC, Wi-Fi, Bluetooth, or Baseband protocols through the default browser.
The Small Office/Home Office (SOHO) Smash-up category demands a sophisticated two-stage attack: initial WAN-side or RF-based compromise of routers including QNAP Qhora-322, MikroTik RB4011iGS+5HacQ2HnD-IN, and Ubiquiti UniFi Dream Machine Pro, followed by lateral movement to compromise internal devices within the contest network.
Successful completion requires arbitrary code execution on both targets within a 30-minute window, earning $100,000 and 10 Master of Pwn points.
Competition Structure and Technical Requirements
Contestants must demonstrate exploits that defeat modern security mechanisms, including Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and application sandboxing.
Full sandbox escape is mandatory unless category-specific exceptions apply.
Each attempt is limited to three 10-minute windows within a 30-minute total timeframe, and exploits must be fully automated and launched with a single command.
Registration closes at 5:00 PM Irish Standard Time on October 16, 2025, with participant order determined by random drawing.
Successful demonstrations require immediate provision of functional exploits, comprehensive whitepapers, and associated artifacts, including packet captures (PCAP), for vulnerability disclosure to affected vendors.