Hackers Exploited 73 0-Day Vulnerabilities and Earned $1,024,750
The event, hosted by the Zero Day Initiative (ZDI), distributed a staggering $1,024,750 in prizes, highlighting the growing sophistication of cybersecurity threats and defenses.
Over three days, 56 bugs were rewarded before the final stretch, with competitors pushing the limits on smart home gadgets, printers, and mobile devices.
This year’s contest rewarded innovation and encouraged collaboration among vendors. Companies like Meta, Synology, and QNAP supported the event.
The final day kicked off with high anticipation, as 17 attempts remained. Teams tackled everything from network-attached storage to surveillance cameras, often chaining multiple vulnerabilities for maximum impact.
Standout performances included creative demos, such as loading the classic game Doom onto a compromised printer’s LCD screen, a nod to hackers’ flair for the dramatic.
Chris Anastasio of Team Cluck earned $20,000 and 2 Master of Pwn points by exploiting a type confusion vulnerability in the Lexmark CX532adwe printer, granting full control over the device.
Ben R. and Georgi G. from Interrupt Labs earned $50,000 for finding a flaw in the Samsung Galaxy S25. This flaw allowed the camera and location tracking to turn on without the user’s consent. This serves as a reminder of the privacy risks in modern smartphones.
In the smart home arena, Xilokar combined four bugs, including an authentication bypass and underflow, to pwn the Philips Hue Bridge, securing $17,500 despite a partial collision with prior entries.
Similarly, Sina Kheirkhah of the Summoning Team used hard-coded credentials and an injection attack to take over a QNAP TS-453E NAS device, walking away with $20,000 and 4 points.
David Berard from Synacktiv impressed with a dual-bug attack on the Ubiquiti AI Pro surveillance camera, complete with a playful “Baby Shark” tune on the hacked system, earning $30,000 and 3 points.
Namnp from Viettel Cyber Security chained a crypto bypass and heap overflow to exploit another Philips Hue Bridge, boosting their Master of Pwn ranking into the top five with $20,000.
Interrupt Labs also shone in the printer category, using path traversal and untrusted search path bugs on the Lexmark CX532adwe for a reverse shell and that unforgettable Doom demo, claiming $10,000.
Collisions tempered some victories; for instance, Team Viettel’s heap-based buffer overflow on the Lexmark was unique but paired with a duplicate, still yielding $7,500.
The Thalium team from Thales Group faced similar hurdles on the Philips Hue Bridge, earning $13,500 for their novel heap overflow amid repeats.
Not every attempt succeeded. Daniel Frederic and Julien Cohen-Scali from Fuzzinglabs failed to fully exploit a QNAP TS-453E within the time limit, as did Frisk and Opcode from Inequation Group on the Meta Quest 3S VR headset. They achieved a denial-of-service, but fell short of code execution.
Withdrawals included CyCraft Technology’s Amazon Smart Plug attempt and Team Z3’s WhatsApp entry, reflecting the high stakes and preparation involved.
In the end, the Summoning Team clinched the Master of Pwn title, amassing points through multiple category wins that showcased their preparation.
Their victories, including Kheirkhah’s QNAP hack, underscored the value of diverse skills in vulnerability research. ZDI praised all participants for advancing security, noting the event’s role in responsibly disclosing flaws to vendors.
Summary of Vulnerabilities Exploited
| Researcher/Team | Target Device | Vulnerabilities Exploited | Prize | Master of Pwn Points | Notes |
|---|---|---|---|---|---|
| Xilokar (@Xilokar) | Philips Hue Bridge | Authentication bypass, underflow (plus two others) | $17,500 | 3.5 | Partial collision |
| Chris Anastasio (Team Cluck) | Lexmark CX532adwe Printer | Type confusion | $20,000 | 2 | Full success |
| Ben R. and Georgi G. (Interrupt Labs) | Samsung Galaxy S25 | Improper input validation | $50,000 | 5 | Enabled camera and location tracking |
| Yannik Marchand (kinnay) | Philips Hue Bridge | Incorrect Implementation of Authentication Algorithm (plus two others) | $13,500 | 2.75 | Partial collision |
| David Berard (Synacktiv) | Ubiquiti AI Pro (Surveillance) | Pair of bugs (unspecified) | $30,000 | 3 | Included “Baby Shark” demo |
| Sina Kheirkhah (@SinSinology, Summoning Team) | QNAP TS-453E | Hard-coded credentials, injection | $20,000 | 4 | Full success |
| Team Viettel | Lexmark CX532adwe Printer | Heap-based buffer overflow (plus one other) | $7,500 | 1.5 | Partial collision |
| Team @Neodyme | Canon imageCLASS MF654Cdw | Integer overflow | $10,000 | 2 | Full success |
| Interrupt Labs | Lexmark CX532adwe Printer | Path traversal, untrusted search path | $10,000 | 2 | Reverse shell and Doom demo |
| Thalium Team (Thales Group) | Philips Hue Bridge | Heap-based buffer overflow (plus two others) | $13,500 | 2.75 | Partial collision |
| namnp (Viettel Cyber Security) | Philips Hue Bridge | Crypto bypass, heap overflow | $20,000 | 4 | Full success |
Looking ahead, the next challenge awaits at Pwn2Own Automotive in Tokyo from January 21-23, 2026, expanding to include EV chargers and more.
Hackers are finding new vulnerabilities all the time. Events like this are important for strengthening digital security around the world.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Hackers Exploited 73 0-Day Vulnerabilities and Earned $1,024,750 appeared first on Cyber Security News.
Where's the Trump phone? We're going to keep talking about it every week. We've reached…
Means uses a common wellness influencer playbook that uses selective science to discredit institutions. |…
Artificial Intelligence is transforming nearly every area of modern life, and education is no exception.…
A China-linked advanced persistent threat actor has been actively targeting telecommunications providers across South America…
OpenAnt is an open-source, LLM-based vulnerability discovery tool designed to help security teams and open-source…
A medium-severity flaw in ActiveMQ (CVE-2025-66168, CVSS 5.4) allows authenticated attackers to trigger a Denial-of-Service…
This website uses cookies.