$1M WhatsApp Zero-Click Exploit Withdrawn at Pwn2Own, Shared with Meta
Researchers from Team Z3 have withdrawn their planned demonstration of a WhatsApp vulnerability at the Pwn2Own Ireland 2025 hacking competition — an exploit that could have earned them a record $1 million prize. According to the Zero Day Initiative (ZDI), the team decided not to present the exploit publicly, deeming their research “not yet sufficiently prepared.”
Despite this, Meta has expressed strong interest in the findings. Z3 will share the technical details with ZDI experts for preliminary review, after which they will be forwarded to WhatsApp’s engineering team. Organizers emphasized that the disclosure process is being coordinated responsibly to allow developers to patch the flaw should its validity be confirmed.
The competition took place from October 21 to 23 in Cork, Ireland, bringing together some of the world’s leading cybersecurity experts. Participants collectively earned $1,024,750 by demonstrating 73 zero-day vulnerabilities.
This year’s event featured attacks across eight categories — from printers and QNAP/Synology NAS systems to smart speakers, cameras, home routers, and flagship smartphones including the iPhone 16, Galaxy S25, and Pixel 9. For the first time in the tournament’s history, researchers were challenged to compromise a smartphone via its physical USB port, even with the screen locked.
The primary sponsors of the contest were Meta, QNAP, and Synology, with the event organized by the Trend Micro Zero Day Initiative — a program dedicated to identifying vulnerabilities before they can be exploited by threat actors. Following each demonstration, vendors are given 90 days to release security patches.
The overall winner was Summoning Team, earning $187,500 and 22 Master of Pwn points, thanks to successful exploits targeting the Galaxy S25, multiple Synology and QNAP NAS devices, the CC400W camera, and the Home Assistant Green system.
ANHTUD secured second place with $76,750 and 11.5 points, while Synacktiv ranked third with $90,000 and 11 points.
One of the standout moments of the competition was the Galaxy S25 hack by Interrupt Labs, whose researchers discovered an input validation flaw that allowed them to activate the device’s camera and geolocation functions.
According to ZDI, participants uncovered 34 unique zero-day vulnerabilities worth $522,500 on the first day, followed by 22 additional exploits totaling $267,500 on the second.
The next event in the series, Pwn2Own Automotive 2026, will take place in Tokyo and once again receive support from Tesla.