Pwn2Own Returns to Ireland with a One Million Dollar WhatsApp Target

July 31, 2025 | Dustin Childs

If you just want to read the rules, you can find them here.

Last year, we moved our consumer-focused Pwn2Own event to our offices in Cork, Ireland, and the event could not have gone better. Despite some dreary Irish skies, much fun was had as researchers from around the world demonstrated their best exploits – and we were reminded that electricity works a little differently in Europe. With that in mind, we’re excited to return to Cork this fall for yet another great Pwn2Own event. We’ll also be returning to some of the great pubs Ireland has to offer in the evenings and wrapping the event up at the historic Cork City Gaol.

As you might have guessed from the title, we’re excited to announce that Meta is co-sponsoring this year’s event, and they are hoping to see some great WhatsApp exploits. They are so excited for it, we’re putting up $1,000,000 for a 0-click WhatsApp bug that leads to code execution. We also will have lesser cash awards for other WhatsApp exploits, so be sure to check out the Messaging section for full details. We introduced this category last year, but no one attempted it. Perhaps a number with two commas will provide the needed motivation. We’re also happy to announce the return of Synology and QNAP as co-sponsors of the event. They were amazingly helpful in the setup and configuration of devices last year, and we’re happy to be working with them again.

As for the contest itself, it will run from October 21-24, 2025. As always, the SOHO Smashup category returns, but there are a few tweaks this year that should make it more challenging. We’ve also tweaked the mobile category a bit by adding a new USB attack vector for the phones. Hopefully, we’ll see some interesting research come in demonstrating what could happen if a threat actor has physical access to your device. Last year, we awarded $1,066,625 USD for over 70 unique 0-day vulnerabilities at the contest. We can’t wait to see if 2025 tops that number – especially with a million dollar bounty on the table.

As always, we’ll have a random drawing to determine the schedule of attempts on the first day of the contest, and we will proceed from there. Registration closes at 5:00 p.m. Irish Standard Time on Oct 16th, 2025. There are no exceptions for late entries, so if you have questions, please contact us at pwn2own@trendmicro.com (note the address). We will be happy to address your issues or concerns directly.

Now on to the specific target categories. We’ll have eight different categories for this year’s event:

Back in Amsterdam, where this contest originated, it was originally dubbed “Mobile Pwn2Own” and our focus was strictly on phones. Mobile handsets remain at the heart of this event, and some of the Samsung entries from last year were absolutely smashing. As always, these phones will be running the latest version of their respective operating systems with all available updates installed.

This year, we’re introducing the USB port as an attack vector. The exploits must attack only the USB port exposed to the end user. The target handset will be locked at the start of the attempt. And forget about using fake masks or wonky fingerprints – those attacks are out of scope. Be sure to check out the rules for full details.

Otherwise, contestants must compromise the device by browsing to content in the default browser for the target under test or by communicating with the following short-distance protocols: near field communication (NFC), Wi-Fi, Bluetooth, or Baseband. The awards for this category are:

The Messaging Category

My first Pwn2Own experience was in 2009, where just $20,000 was awarded. How times change. WhatsApp is used by more than three billion people globally, and some of the messages transmitted can be quite sensitive. That’s one reason why it’s such a target for a certain sector of threat actors. We offered $300,000 for a 0-click exploit last year, but it appears that didn’t quite meet the “bugs to exploit” equation. Thanks to our partnership with Meta, we’ve increased that number substantially. We’re also introducing other-than-code execution bugs as prize winners. Since this is a big change and the award amounts are substantial, please contact us with questions prior to the contest so we can clear up any issues or misconceptions. Different phones and operating systems may be used for the targets. Check out the rules for the full list. Here’s the full prize list for the Messaging category:

The SOHO Smashup

The proliferation of WFH resulted in many enterprises finding their network perimeter relocated to the home office. Threat actors exploiting home routers and consumer devices can use these as a launch point for lateral movement into enterprise resources. We wanted to demonstrate this during the contest, which means the SOHO Smashup category continues to be relevant. You’ll notice this year’s list of eligible devices is quite a bit smaller (and hopefully more complex) than last year’s. We want to raise the difficulty level and challenge researchers to bring their very best to the contest. If they get both devices within 30 minutes, they earn $100,000 and 10 Master of Pwn points.

Smart Home Devices

Technically, this is a new category for this year, but it’s really just combining a couple of other categories we previously had. An attempt in this category must be launched against the target’s exposed network services, RF attack surface, or exposed features from the contestant’s laptop within the contest network.

Rage Against the Printers

Printers have long been the source of jokes and memes, but they are also an often overlooked attack surface in your office. The printer category always produces some interesting results, often by playing music it shouldn’t or the occasional Rick Roll. Brother also joins this year’s event as a new target. It will be interesting to see what exploits (and flair) the contestants come up with this year.

Network Attached Storage (NAS) Devices

NAS devices make their return to Pwn2Own. This year, QNAP enters as a target alongside the returning Synology devices. An attempt in this category must be launched against the target’s exposed network services, RF attack surface, or from the contestant’s laptop within the contest network. For the Synology DiskStation target, we’ll have several packages enabled and in scope. These packages are as follows:

· Synology MailPlus Server
· Synology Drive Server
· Virtual Machine Manager
· Snapshot Replication
· Surveillance Station
· Synology Photos
· Synology Office
· Synology AI Console

Here’s the full table of targets in the NAS category for 2025:

Surveillance System Devices

We’ve moved beyond just wireless cameras and decided to consolidate them into the Surveillance category. To have a win in this category, you must target the device that is fully integrated into a surveillance system during normal state of operations with all necessary configurations completed. Entries that require physical access are out of scope, so no more showing QR codes to cameras. An attempt in this category must be launched against the target’s exposed network services, RF attack surface, or exposed features from the contestant’s laptop within the contest network.

Wearable Devices

We’ve dabbled with wearable devices in the past, but the latest tech from Meta piqued our interest once more. For this year’s event, we are including the Meta Ray-Ban Smart Glasses and the Meta Quest 3/3S as targets. We also have two levels of winning – the bigger prize will go to exploits that require no interaction, but we’ll also award one-interaction exploits. Additionally, each target can be targeted remotely, in close proximity, or with limited physical access. We’re hoping that with so many different options to choose from, contestants will bring something interesting for us to see. Here’s the award breakdown for the Wearable Devices category:

Master of Pwn

No Pwn2Own contest would be complete without crowning a Master of Pwn, which signifies the overall winner of the competition. Earning the title results in a slick trophy, a different sort of wearable, and brings with it an additional 65,000 ZDI reward points (instant Platinum status in 2026).

For those not familiar with how it works, points are accumulated for each successful attempt. While only the first demonstration in a category wins the full cash award, each successful entry claims the full number of Master of Pwn points. Since the order of attempts is determined by a random draw, those who receive later slots can still claim the Master of Pwn title – even if they earn a lower cash payout. As with previous contests, there are penalties for withdrawing from an attempt once you register for it.

The Complete Details

The full set of rules for Pwn2Own Ireland 2025 can be found here. They may be changed at any time without notice. We highly encourage potential entrants to read the rules thoroughly and completely, should they choose to participate. We also encourage contestants to read this blog covering what to expect when participating in Pwn2Own.

Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at pwn2own@trendmicro.com to begin the registration process. (Email only, please; queries via social media, blog post, or other means will not be acknowledged or answered.) If we receive more than one registration for any category, we’ll hold a random drawing to determine the contest order. Registration closes at 5:00 p.m. Irish Standard Time on Oct 16th, 2025.

The Results

We’ll be blogging and tweeting results in real-time throughout the competition. Be sure to keep an eye on the blog for the latest information. Follow us on Twitter at @thezdi and @trendmicro, and keep an eye on the #P2OIreland hashtag for continuing coverage.

We look forward to seeing everyone in Cork, and we look forward to seeing what new exploits and attack techniques they bring with them.

With special thanks to our Pwn2Own Ireland partner Meta

And co-sponsors, Synology and QNAP, for providing their assistance and technology.

©2025 Trend Micro Incorporated. All rights reserved. PWN2OWN, ZERO DAY INITIATIVE, ZDI, and Trend Micro are trademarks or registered trademarks of Trend Micro Incorporated. All other trademarks and trade names are the property of their respective owners.