Pwn2Own Day 2 Highlights

October 23, 2025 Faeem BLOGS 0

Researchers exploited 56 unique zero-days on Day 2 of Pwn2Own Ireland 2025, earning $792,750. High‑impact demos included a five‑bug chain compromising the Samsung Galaxy S25, multiple NAS and printer compromises, and rapid exploit of a QNAP device. Vendors have 90 days to patch before public disclosure.

What Happened

  • Competition targeted flagship phones, NAS devices, printers, smart home gear, and messaging apps.
  • Teams chained multiple vulnerabilities to achieve full compromise of locked devices and network appliances.
  • Notable payouts included $50,000 for a five‑bug Samsung Galaxy S25 chain and multiple $20,000 awards for NAS and IoT device breakins.
  • ZDI coordinates disclosure timelines so vendors can patch before vulnerabilities are publicly released.

Technical Wins and Attack Vectors

  • Multi‑stage chaining: Exploits combined browser, kernel, and application bugs to escalate from sandbox escape to remote code execution.
  • USB and physical attack vectors: Contest added USB attacks against locked phones, expanding real‑world threat modeling.
  • Supply‑side targets: NAS devices, printers, and bridges were frequently exploited via web interfaces, firmware parsing bugs, and DLL side‑loading.
  • Rapid weaponization of n‑days: Demonstrations show how quickly researchers can turn obscure flaws into full compromise chains.

Why This Matters

  • Defence surface is broad: Mobile handsets, office printers, and NAS appliances are entry points into corporate networks.
  • Developer and vendor risk: Embedded components, third‑party libraries, and firmware parsers are recurring weak links.
  • Operational impact: Exploits against devices used in offices, homes, and data centers can lead to data theft, lateral movement, and supply‑chain compromise.
  • Patch urgency: The 90‑day disclosure clock forces accelerated vendor response and real‑world risk for unpatched deployments.

Practical Takeaways

  • For Vendors: Prioritize fuzzing and secure parsing in firmware; enforce code signing and reproducible builds; maintain a fast patch cadence and customer communication playbook.
  • For Security Teams: Inventory and classify device risk; implement network segmentation for printers, NAS, and IoT; apply compensating controls when patches lag.
  • For Developers: Treat third‑party libs as prime attack surface; adopt defensive coding, memory‑safe languages where feasible, and continuous fuzz testing.
  • For Executives: Fund secure development lifecycle processes and emergency patching capacity; include device compromise scenarios in tabletop exercises.

Thinking points

  • “56 zero‑days in one day. Your printer is more interesting to attackers than you think.”
  • “Pwn2Own proves a simple fact: security is a product discipline, not just a security team problem.”
  • “If you’re not patching firmware, you’re accepting risk—period.”

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.