The first day of Pwn2Own Ireland 2025 wrapped up with a bang, as security researchers uncovered 34 unique zero-day vulnerabilities across various smart devices.

Not a single attempt failed, leading to a total payout of $522,500 in prizes. This event, held in Cork, Ireland, from October 21 to 24, brings together top hackers to test the limits of popular gadgets like printers, routers, and smart home systems.

One of the biggest highlights came from Team DDOS, where Bongeun Koo and Evangelos Daravigkas chained eight different bugs, including several injections, to hack the QNAP Qhora-322 router paired with a TS-453E NAS device in a tough “SOHO Smashup” challenge.

Their success netted them $100,000 and 10 Master of Pwn points, putting them high on the leaderboard.

Other impressive feats included Team Neodyme’s stack buffer overflow on the HP DeskJet 2855e printer for $20,000, and Synacktiv’s root-level code execution on the Synology BeeStation Plus via a stack overflow, earning $40,000.

Researchers targeted printers multiple times, with STARLabs using a heap buffer overflow on the Canon imageCLASS MF654Cdw to win $20,000 in the first round.

Later rounds saw SHIMIZU Yutaro from GMO Cybersecurity snag $10,000 with another stack overflow on the same Canon model, while Team PetoWorks exploited a release of an invalid pointer bug for an additional $10,000.

Team ANHTUD closed out the printer attacks with a heap buffer overflow, also earning $10,000. These repeated wins show how vulnerable everyday office printers can be to serious attacks.​

Smart home devices took heavy hits too, with Summoning Team’s Sina Kheirkhah using two bugs to gain code execution on the Synology DiskStation DS925+ for $40,000.

Stephen Fewer from Rapid7 combined three flaws, like a server-side request forgery and command injection, to break into the Home Assistant Green hub, winning $40,000.

Compass Security’s team later used an arbitrary file write and a cleartext data leak on the same device for another $20,000. Meanwhile, dmdung from STAR Labs exploited an out-of-bounds access on the Sonos Era 300 speaker to claim $50,000.​

The Philips Hue Bridge saw intense action, starting with Team ANHTUD’s four-bug chain, including overflows and an out-of-bounds read for $40,000.

Hank Chen from InnoEdge Labs followed with an authentication bypass and out-of-bounds write for $20,000 in the second round. Though Team DDOS withdrew their attempt on this bridge, the competition stayed fierce.​

DEVCORE Research Team impressed with multiple injections and a rare format string bug on the QNAP TS-453E, securing $40,000. Summoning Team ended strong by exploiting two bugs on the Synology ActiveProtect DP320 appliance for $50,000 more.

A partial collision occurred when McCaulay Hudson from Summoning used four bugs on Home Assistant Green, earning $12,500 despite some overlaps.

Overall, 17 attempts filled the day, covering categories like network storage, printers, and surveillance gear.​ Summoning Team leads the Master of Pwn standings with 11.5 points after their $102,500 haul.

Team DDOS sits close behind with 10 points, while several others like Synacktiv and Rapid7 hold 4 points each. These points help decide the top hacker title at the end.

Eyes On Days Two And Three For More Action

Pwn2Own Ireland aims to find flaws before real hackers do, with vendors getting 90 days to patch them after disclosure. The event features up to $2 million in prizes, including a massive $1 million for a zero-click WhatsApp exploit.

Day two shifts to more network storage, printers, smart homes, and a first shot at the Samsung Galaxy S25 smartphone. Last year’s event saw over $1 million awarded for 70 bugs, and this year could top that with new targets like wearables from Meta.

Follow updates on social media from organizers like the Zero Day Initiative for live results. As these zero-days get reported, it strengthens security for everyday users relying on these connected devices.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Hackers Exploited 34 Zero-Day Vulnerabilities And Earned $522,500 In Pwn2Own Ireland 2025 appeared first on Cyber Security News.

Google has swiftly addressed a high-severity flaw in its Chrome browser’s V8 JavaScript engine, releasing an emergency update to thwart potential remote code execution attacks.

The vulnerability, tracked as CVE-2025-12036, stems from an inappropriate implementation within V8, the open-source JavaScript and WebAssembly engine powering Chrome’s rendering capabilities.

Discovered and reported internally by Google’s AI-driven security tool, Big Sleep, on October 15, 2025, the issue could allow malicious websites to execute arbitrary code on users’ devices without any interaction beyond visiting a compromised page.

This patch arrives just days after the discovery, underscoring Google’s commitment to rapid response in browser security. The Stable channel update rolls out to version 141.0.7390.122/.123 for Windows and macOS users, and 141.0.7390.122 for Linux.

Over the coming days and weeks, billions of Chrome users worldwide will receive this fix automatically, minimizing exposure. A detailed changelog highlights the security enhancements, though full bug details remain restricted until most users update to prevent exploitation.

Chrome V8 JavaScript Engine Vulnerability

At its core, V8 processes JavaScript code efficiently to enable dynamic web experiences, from interactive maps to online banking interfaces. However, the flaw in CVE-2025-12036 exploits a mishandled implementation that bypasses Chrome’s sandbox protections.

Attackers could craft malicious scripts to read sensitive memory or inject code, potentially leading to data theft, malware installation, or full system compromise. Rated “High” severity, it aligns with past V8 vulnerabilities that have been weaponized in drive-by downloads and phishing campaigns.

Security experts note this isn’t an isolated incident; V8 has been a frequent target due to its central role in web browsing.

Google’s proactive detection via Big Sleep, a machine learning system scanning for anomalies, prevented the bug from reaching stable releases. The company also credits tools like AddressSanitizer and libFuzzer for ongoing fuzzing efforts that catch such issues early.

This update reinforces the importance of timely patching in an era of escalating browser-based threats. With Chrome holding over 65% market share, vulnerabilities here ripple across the internet ecosystem.

Users are urged to enable automatic updates and avoid suspicious sites. Google thanks external researchers for their contributions, emphasizing collaborative defenses against evolving attacks.

As cyber threats grow more sophisticated, incidents like this highlight the need for AI-assisted vigilance in software development.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Chrome V8 JavaScript Engine Vulnerability Let Attackers Execute Remote Code appeared first on Cyber Security News.