
Day 2 of Pwn2Own Ireland 2025 featured standout compromises of the Samsung Galaxy S25 and the Philips Hue Bridge, demonstrating zero-day vulnerabilities in flagship mobile devices and widely deployed smart home systems.
With $289,750 awarded for 18 successful exploits, participants demonstrated a mix of novel zero-days and bug collisions across a range of connected products.
Mainstream electronics hacked
The Samsung Galaxy S25 was successfully exploited by Ken Gannon of Mobile Hacking Lab and Dimitrios Valsamaras of Summoning Team, using a five-bug exploit chain. The team earned $50,000 and 5 Master of Pwn points, delivering one of the day’s most complex and valuable demonstrations.
In contrast, a solo attempt by Tri Dang of Qrious Secure to compromise the same device was unsuccessful, highlighting the difficulty of reliably exploiting modern mobile operating systems within contest constraints.

The Philips Hue Bridge, a popular smart lighting hub used in millions of homes and offices, was hit repeatedly by multiple teams. While some attempts overlapped with previously disclosed bugs, others revealed fresh vulnerabilities:
- Qrious Secure researchers Ho Xuan Ninh and Hoang Hai Long exploited five bugs, three of them unique, earning $16,000 and 3.75 points.
- Synacktiv’s Mehdi & Matthieu leveraged a unique buffer overflow to successfully exploit the Hue Bridge, netting $20,000 and 4 points.
- Other participants, including the PHP Hooligans and Rafal Goryl of PixiePoint Security, also broke the device, but because their entries relied on previously known vulnerabilities, their scores were reduced by collision penalties.
Team Neodyme exploited the Amazon Smart Plug using three unique bugs, earning $20,000 and 2 points, reflecting ongoing weaknesses in consumer-grade smart devices tied to cloud ecosystems.
Other high-profile exploits
Chumy Tsai of CyCraft Technology successfully exploited the QNAP TS-453E NAS using a code injection flaw, earning $20,000 and 4 points. QNAP devices are commonly used by small businesses and prosumers for storage and backup, making them attractive targets.
Verichains Cyber Force researchers Le Trong Phuc and Cao Ngoc Quy chained an authentication bypass and a second unique bug to achieve root-level code execution on the Synology DS925+, earning another $20,000 and 4 points. Meanwhile, Summoning Team exploited a known bug in the Synology CC400W camera, earning a reduced payout of $15,000 and 1.5 points due to a vendor collision.
The Home Assistant Green, a privacy-focused home automation hub, was attacked multiple times:
- Viettel Cyber Security earned $12,500 and 2.75 points for a unique command injection and overlapping bugs.
- Team ANHTUD, with help from ChatGPT, chained a unique SSRF, a cleartext credentials flaw, and one collision to earn $16,750 and 3.75 points, finishing with just 45 seconds remaining.
- Team Neodyme also returned to exploit the same platform, earning $15,000 and 3 points with another partially unique submission.
The Canon imageCLASS MF654Cdw, a color laser printer common in office environments, was exploited twice with different memory corruption bugs by PHP Hooligans and TwinkleStar03 (from the DEVCORE Intern Program), each earning $10,000 and 2 points.
With one day left in the Pwn2Own Ireland contest, hacking teams are preparing for tomorrow’s heavy schedule, which includes more attempts against products from Samsung, Philips, Amazon, Lexmark, Canon, and QNAP.