Amazon Web Services experienced a major outage that affected millions of customers and Amazon’s own operations on October 19 and 20, 2025. The company has now confirmed that a DNS resolution issue with regional DynamoDB service endpoints was the root cause of the disruption, which lasted approximately two hours and thirty-five minutes. What Went Wrong […]
After months of disruption following Operation Cronos in early 2024, the notorious LockBit ransomware group has resurfaced with renewed vigor and a formidable new arsenal. In September 2025 alone, researchers identified a dozen organizations targeted by the revived operation. Particularly alarming is the rapid adoption of the new LockBit 5.0 variant, which accounted for half […]
Security researchers at Doctor Web have uncovered a sophisticated Android backdoor disguised as Telegram X that grants cybercriminals complete control over victims’ accounts and devices. The malware, identified as Android.Backdoor.Baohuo.1.origin, has already infected more than 58,000 devices worldwide, with approximately 20,000 active infections currently being monitored. This threat represents a significant escalation in mobile malware […]
At Pwn2Own Ireland 2025 hacking competition, cybersecurity researchers from Team Z3 have withdrawn their high-stakes demonstration of a potential zero-click remote code execution (RCE) vulnerability in WhatsApp, opting instead for a private coordinated disclosure to Meta.
The event, held in Cork, Ireland, from October 21-23, featured a record-breaking $1 million bounty for such a WhatsApp exploit, drawing global attention to the platform’s security amid its three billion users.
The withdrawal disappointed on-site spectators and fellow competitors, as the exploit was poised to be the contest’s crown jewel, potentially earning Team Z3 the largest single payout in Pwn2Own history.
According to the Zero Day Initiative (ZDI), the event organizers, Team Z3 felt their research was not ready for a live public display.
Despite the no-show, ZDI emphasized the positive outcome, noting that initial assessments by their analysts will precede handover to Meta engineers, ensuring a structured response to any validated flaws.
Meta, WhatsApp’s parent company and a co-sponsor of Pwn2Own Ireland alongside Synology and QNAP, expressed continued interest in the findings, underscoring their commitment to bolstering the app’s defenses against sophisticated threats like zero-click attacks.
These exploits, which require no user interaction, have been weaponized in past spyware campaigns targeting high-profile individuals.
By facilitating this private channel, ZDI aims to give Meta ample time up to 90 days post-event to patch issues before public revelation, aligning with ethical hacking norms.
The episode highlights the evolving landscape of bug bounties and coordinated disclosures in cybersecurity.
While Pwn2Own Ireland ultimately awarded $1,024,750 for 73 unique zero-days across devices like the Samsung Galaxy S25 and various printers, the WhatsApp saga reminds vendors of the hidden risks in ubiquitous apps.
No details on the vulnerability’s specifics, such as affected versions or CVE assignment, have surfaced yet, but experts anticipate Meta will address it swiftly to mitigate potential real-world exploitation.
As the dust settles, Team Z3’s decision prioritizes responsible revelation over spectacle, potentially averting widespread harm. The cybersecurity community watches closely, awaiting Meta’s response and any patches in upcoming security advisories.
A major cybersecurity investigation has uncovered a sophisticated criminal operation called Vault Viper that exploits online gambling platforms to distribute a malicious custom browser with remote access capabilities. The threat actor, linked to the Baoying Group and connected to the Suncity Group—a major Asian crime syndicate—has created an unprecedented infrastructure combining iGaming software distribution with […]
Google’s Threat Intelligence Group (GTIG) has uncovered a sophisticated social engineering campaign orchestrated by financially motivated threat actors based in Vietnam. The ultimate objective is to compromise corporate advertising accounts and steal valuable credentials for resale or direct monetization. The threat cluster specifically targets remote workers in digital advertising roles, focusing on individuals with contract […]
Proofpoint has released a new open-source tool called PDF Object Hashing that helps security teams detect and track malicious files distributed as PDFs. The tool is now available on GitHub and represents a significant advancement in identifying suspicious documents used by threat actors in phishing campaigns, malware distribution, and business email compromise attacks. PDFs have […]
Gamers face a growing threat from cybercriminals exploiting popular gaming and communication platforms. A dangerous infostealer called RedTiger is now actively circulating in the wild, specifically designed to steal Discord credentials, gaming accounts, and sensitive financial information from unsuspecting players worldwide. Security researchers have identified multiple variants of the malware already targeting victims, with evidence […]
Security researchers have uncovered a sophisticated cyberattack campaign that exploited publicly exposed ASP.NET machine keys to compromise hundreds of Internet Information Services (IIS) servers worldwide. The operation, detected in late August and early September 2025, deployed a previously undocumented malicious module dubbed “HijackServer” that transforms legitimate web servers into tools for search engine manipulation while […]
The hacking community celebrated the end of Pwn2Own Ireland 2025. Researchers demonstrated their skills by identifying 73 unique zero-day vulnerabilities across different devices.
The event, hosted by the Zero Day Initiative (ZDI), distributed a staggering $1,024,750 in prizes, highlighting the growing sophistication of cybersecurity threats and defenses.
Over three days, 56 bugs were rewarded before the final stretch, with competitors pushing the limits on smart home gadgets, printers, and mobile devices.
This year’s contest rewarded innovation and encouraged collaboration among vendors. Companies like Meta, Synology, and QNAP supported the event.
The final day kicked off with high anticipation, as 17 attempts remained. Teams tackled everything from network-attached storage to surveillance cameras, often chaining multiple vulnerabilities for maximum impact.
$1,024,750 – 73 unique bugs – a week of amazing research on display. #Pwn2Own Ireland had it all. Success. Failure. Intrigue. You name it. Congratulations to the Master of Pwn winners @SummoningTeam! Their outstanding work earned them $187,500 and 22 point. See you in Tokyo for… pic.twitter.com/Vxd5b0yJ55
Standout performances included creative demos, such as loading the classic game Doom onto a compromised printer’s LCD screen, a nod to hackers’ flair for the dramatic.
Standout Wins And Creative Hacks Steal The Show
Chris Anastasio of Team Cluck earned $20,000 and 2 Master of Pwn points by exploiting a type confusion vulnerability in the Lexmark CX532adwe printer, granting full control over the device.
Confirmed! Chris Anastasio of Team Cluck used a single type confusion bug to exploit the Lexmark CX532adwe printer. He earns himself $20,000 and 2 Master of Pwn points. #Pwn2Ownpic.twitter.com/ZsvnexVhQo
Ben R. and Georgi G. from Interrupt Labs earned $50,000 for finding a flaw in the Samsung Galaxy S25. This flaw allowed the camera and location tracking to turn on without the user’s consent. This serves as a reminder of the privacy risks in modern smartphones.
Another big confirmation! Ben R. And Georgi G. of Interrupt Labs used an improper input validation bug to take over the Samsung Galaxy S25 – enabling the camera and location tracking in the process. They earn $50,000 and 5 Master of Pwn points. #Pwn2Ownpic.twitter.com/oNhdefPR7k
In the smart home arena, Xilokar combined four bugs, including an authentication bypass and underflow, to pwn the Philips Hue Bridge, securing $17,500 despite a partial collision with prior entries.
Similarly, Sina Kheirkhah of the Summoning Team used hard-coded credentials and an injection attack to take over a QNAP TS-453E NAS device, walking away with $20,000 and 4 points.
David Berard from Synacktiv impressed with a dual-bug attack on the Ubiquiti AI Pro surveillance camera, complete with a playful “Baby Shark” tune on the hacked system, earning $30,000 and 3 points.
Eyes wide shut! David Berard of @Synacktiv just breached the @Ubiquiti AI Pro surveillance system at #Pwn2Own. He also serenaded us with round of "Baby Shark" played through the speaker. He's off to the disclosure room with an ear worm and the details.
Namnp from Viettel Cyber Security chained a crypto bypass and heap overflow to exploit another Philips Hue Bridge, boosting their Master of Pwn ranking into the top five with $20,000.
Interrupt Labs also shone in the printer category, using path traversal and untrusted search path bugs on the Lexmark CX532adwe for a reverse shell and that unforgettable Doom demo, claiming $10,000.
Another big confirmation! Ben R. And Georgi G. of Interrupt Labs used an improper input validation bug to take over the Samsung Galaxy S25 – enabling the camera and location tracking in the process. They earn $50,000 and 5 Master of Pwn points. #Pwn2Ownpic.twitter.com/oNhdefPR7k
Collisions tempered some victories; for instance, Team Viettel’s heap-based buffer overflow on the Lexmark was unique but paired with a duplicate, still yielding $7,500.
The Thalium team from Thales Group faced similar hurdles on the Philips Hue Bridge, earning $13,500 for their novel heap overflow amid repeats.
Challenges, Withdrawals, And The Master Of Pwn Crown
Not every attempt succeeded. Daniel Frederic and Julien Cohen-Scali from Fuzzinglabs failed to fully exploit a QNAP TS-453E within the time limit, as did Frisk and Opcode from Inequation Group on the Meta Quest 3S VR headset. They achieved a denial-of-service, but fell short of code execution.
Withdrawals included CyCraft Technology’s Amazon Smart Plug attempt and Team Z3’s WhatsApp entry, reflecting the high stakes and preparation involved.
Their victories, including Kheirkhah’s QNAP hack, underscored the value of diverse skills in vulnerability research. ZDI praised all participants for advancing security, noting the event’s role in responsibly disclosing flaws to vendors.
Summary of Vulnerabilities Exploited
Researcher/Team
Target Device
Vulnerabilities Exploited
Prize
Master of Pwn Points
Notes
Xilokar (@Xilokar)
Philips Hue Bridge
Authentication bypass, underflow (plus two others)
$17,500
3.5
Partial collision
Chris Anastasio (Team Cluck)
Lexmark CX532adwe Printer
Type confusion
$20,000
2
Full success
Ben R. and Georgi G. (Interrupt Labs)
Samsung Galaxy S25
Improper input validation
$50,000
5
Enabled camera and location tracking
Yannik Marchand (kinnay)
Philips Hue Bridge
Incorrect Implementation of Authentication Algorithm (plus two others)
$13,500
2.75
Partial collision
David Berard (Synacktiv)
Ubiquiti AI Pro (Surveillance)
Pair of bugs (unspecified)
$30,000
3
Included “Baby Shark” demo
Sina Kheirkhah (@SinSinology, Summoning Team)
QNAP TS-453E
Hard-coded credentials, injection
$20,000
4
Full success
Team Viettel
Lexmark CX532adwe Printer
Heap-based buffer overflow (plus one other)
$7,500
1.5
Partial collision
Team @Neodyme
Canon imageCLASS MF654Cdw
Integer overflow
$10,000
2
Full success
Interrupt Labs
Lexmark CX532adwe Printer
Path traversal, untrusted search path
$10,000
2
Reverse shell and Doom demo
Thalium Team (Thales Group)
Philips Hue Bridge
Heap-based buffer overflow (plus two others)
$13,500
2.75
Partial collision
namnp (Viettel Cyber Security)
Philips Hue Bridge
Crypto bypass, heap overflow
$20,000
4
Full success
Looking ahead, the next challenge awaits at Pwn2Own Automotive in Tokyo from January 21-23, 2026, expanding to include EV chargers and more.
Hackers are finding new vulnerabilities all the time. Events like this are important for strengthening digital security around the world.
Eyes wide shut! David Berard of 