A total of $1,024,750 has been paid out at the Pwn2Own Ireland 2025 hacking contest organized by Trend Micro’s Zero Day Initiative (ZDI), but the event has been overshadowed by the last-minute withdrawal of a researcher who was scheduled to demonstrate a WhatsApp exploit worth $1 million.
The highest reward at Pwn2Own Ireland 2025, $100,000, was paid out for an exploit chain targeting the QNAP Qhora-322 router and the QNAP TS-453E NAS device.
Two Samsung Galaxy S25 exploit chains were each rewarded with $50,000, and the same amount was earned for vulnerabilities in Synology ActiveProtect Appliance DP320 and the Sonos Era 300 smart speaker.
Participants received up to $40,000 for hacking Ubiquiti cameras, QNAP and Synology NAS devices, Lexmark and Canon printers, and smart home systems such as Philips Hue Bridge, Amazon Smart Plug, and Home Automation Green.
A total of 73 previously unknown vulnerabilities were disclosed at Pwn2Own Ireland 2025.
A researcher named Eugene (3ugen3) of Team Z3 was scheduled to demonstrate a $1 million zero-click remote code execution exploit against WhatsApp on Thursday.
However, the demonstration did not take place. ZDI initially said there was a delay due to “travel issues and delayed flights”, but noted that the researcher would still submit his exploit. ZDI later announced that the researcher withdrew from the competition, citing concerns that the exploit was not sufficiently prepared for a public demonstration.
“Team Z3 has withdrawn their WhatsApp entry from Pwn2Own as they didn’t feel their research was ready to publicly demonstrate,” said Dustin Childs, head of threat awareness at ZDI.
“However, Meta remains interested in receiving this research. Team Z3 is disclosing their findings to ZDI analysts to do an initial assessment before handing it over to Meta engineers,” Childs added. “While we’re disappointed that we don’t get to publicly show the demo on the Pwn2Own stage, we’re happy to facilitate the coordinated disclosure to Meta so they have the opportunity to address issues should they prove valid.”
No updates have been shared on ZDI’s assessment, whether any zero-day exploit information has been shared with Meta, and whether the social media giant paid any bounty for the WhatsApp hack.
The delay, the withdrawal, and the lack of public disclosure have led to wide-ranging disappointment and speculation within the security industry about the technical viability of the purported exploit.
Contacted by SecurityWeek, Eugene, who appears to be from China, described Pwn2Own as a “wonderful event”. The researcher said, “We decided to keep everything private between Meta, ZDI and myself. No comments,” adding that he did not want his true identity revealed to the public.
Eugene told SecurityWeek that he signed an NDA that prevents him from sharing any details.
SecurityWeek has also reached out for comment to ZDI and WhatsApp and will update this article if they respond.
