Hackers Exploit 34 Zero-Day Flaws, Earn $522,500 at Pwn2Own 2025

Day One of Pwn2Own Ireland 2025 concluded with remarkable success as security researchers demonstrated 34 unique zero-day vulnerabilities across various consumer devices, earning a combined total of $522,500 in a single day.

The prestigious hacking competition, which focuses on finding security flaws in real-world products, saw an unprecedented 100% success rate with no failed attempts throughout the first day.

Teams Dominate Smart Home and NAS Devices

The competition featured 17 exploitation attempts targeting printers, smart home devices, network-attached storage systems, and routers from major manufacturers.

Team DDOS, consisting of Bongeun Koo and Evangelos Daravigkas, emerged as early leaders by chaining eight different vulnerabilities to compromise both a QNAP Qhora-322 router and a QNAP TS-453E storage device, earning an impressive $100,000 and 10 Master of Pwn points for their SOHO Smashup demonstration.

Multiple teams successfully exploited popular smart home devices, including the Philips Hue Bridge, Synology storage systems, and Home Assistant Green.

Sina Kheirkhah from the Summoning Team particularly excelled, participating in multiple successful exploits throughout the day.

His team’s final demonstration against the Synology ActiveProtect Appliance DP320 earned them an additional $50,000, lifting their day-one total considerably.

Consumer printers from Canon and HP also fell victim to security researchers.

The Canon imageCLASS MF654Cdw proved especially popular, with four different teams successfully exploiting it using various heap-based and stack-based buffer overflow vulnerabilities.

Team Neodyme demonstrated a stack-based buffer overflow on the HP DeskJet 2855e, earning $20,000 for their efforts.

In one of the more interesting demonstrations, researcher DMDung from STAR Labs used a single out-of-bounds access vulnerability to compromise the Sonos Era 300 smart speaker, earning the highest single-device payout of $50,000 and five Master of Pwn points.

The exploits showcased varied attack methodologies, including buffer overflows, command injections, server-side request forgery attacks, authentication bypasses, and even a format string vulnerability.

Stephen Fewer from Rapid7 exploited three bugs, including an SSRF and a command injection, in the Home Assistant Green. Meanwhile, the DEVCORE Research Team notably employed a format string bug, among other techniques, against the QNAP device.
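Two of the bug classes named above, stack-based buffer overflows and format string bugs, come down to a missing length check and a user-controlled format argument. The snippet below is an added illustration written for this article, not code from any Pwn2Own entry or from the affected vendors; the device-name and log-message handlers are hypothetical, modelled on the kind of request handling found in consumer-device firmware. Each handler shows the defective pattern in a comment beside a hardened version that rejects oversized input and keeps user data out of the format string.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Hypothetical firmware-style handlers, constructed for illustration. */
#define NAME_MAX 32   /* fixed-size stack buffer, as in many embedded handlers */
#define LOG_MAX  128

/* Stack-based buffer overflow pattern (defective form, shown for contrast):
 *
 *     char name[NAME_MAX];
 *     strcpy(name, input);   // no bound: input longer than NAME_MAX-1 overwrites the stack
 *
 * Hardened form: check the length before copying and refuse oversized input
 * instead of silently truncating it. Returns the stored length, or -1 on reject. */
int set_device_name(const char *input) {
    char name[NAME_MAX];
    size_t n = strlen(input);
    if (n >= sizeof name) {
        return -1;                       /* too long for the buffer: reject, do not copy */
    }
    memcpy(name, input, n + 1);          /* bounded copy including the terminator */
    return (int)strlen(name);
}

/* Helper for exercising the length check: builds a name of `count` copies of `c`
 * on the heap and passes it through set_device_name(). */
int set_device_name_repeated(char c, size_t count) {
    char *buf = malloc(count + 1);
    if (buf == NULL) return -1;
    memset(buf, c, count);
    buf[count] = '\0';
    int rc = set_device_name(buf);
    free(buf);
    return rc;
}

/* Format string pattern (defective form, shown for contrast):
 *
 *     printf(msg);   // msg is user data, so %x / %n directives inside it are interpreted
 *
 * Hardened form: the format is a fixed literal and user data is only ever an
 * argument, so "%x%x%n" is printed as six ordinary characters. Returns the number
 * of characters written, or -1 if the message does not fit the log buffer. */
int log_message(const char *msg) {
    char line[LOG_MAX];
    int n = snprintf(line, sizeof line, "%s", msg);
    if (n < 0 || (size_t)n >= sizeof line) {
        return -1;                       /* would have been truncated: treat as an error */
    }
    fputs(line, stdout);
    fputc('\n', stdout);
    return n;
}

/* Review aid: flags strings that carry format directives, useful when auditing
 * code paths that pass user data to printf-family functions. */
int contains_format_directive(const char *s) {
    return strchr(s, '%') != NULL;
}

int main(void) {
    printf("name rc=%d\n", set_device_name("kitchen-speaker"));        /* 15 */
    printf("long name rc=%d\n", set_device_name_repeated('A', 40));   /* -1 */
    printf("log rc=%d\n", log_message("%x%x%n"));                      /* 6, printed literally */
    return 0;
}
```

The two checks are deliberately strict: an over-long name is rejected rather than truncated, because truncation can change the meaning of the input, and a log line that would not fit is reported as an error rather than written partially.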

With two more days of competition remaining and additional high-value targets still on the schedule, the total payout is expected to increase substantially.

All discovered vulnerabilities will be responsibly disclosed to affected manufacturers for patching, improving security for millions of consumer device users worldwide.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
