Researchers Find 63 Zero-Day Bugs at Latest Pwn2Own

Participants at the latest Pwn2Own competition have done their bit to make the digital world safer, after discovering scores of zero-day vulnerabilities in a range of products.

The contest is run by Trend Micro’s Zero Day Initiative (ZDI), the world’s largest vendor-agnostic bug bounty program.

Held at Trend Micro’s offices in Toronto, the three-day autumn competition doled out $934,750 to contestants, who worked to hack software from various manufacturers across several categories. All told, 26 contestants and teams attempted to exploit 66 target products. 

This year represented the tenth anniversary of the consumer-focused edition of the competition and featured a new category focusing on Small Office Home Office (SOHO) equipment.

That’s in recognition of the growing threat to systems used by home workers, which may represent an attractive route via which malicious actors can compromise corporate networks.

“We awarded another $55,000 today bringing our contest total to $989,750. Over the contest, we purchased 63 unique zero days,” said the ZDI’s Dustin Childs at the end of the final day.

“The Master of Pwn title came down to the wire, but the team from DEVCORE claimed their second title with winnings of $142,500 and 18.5 points. Team Viettel and the NCC group were close behind with 16.5 and 15.5 points respectively. Congratulations to all the contestants and Pwn2Own winners.”

Among the vendors whose products were hacked by contestants were HP, Mikrotik, Sonos, TP-Link, Ubiquiti, Western Digital, Lexmark and Netgear.

Some of the devices targeted included printers, routers, smart speakers, NAS devices and smartphones, such as the Samsung Galaxy S22.

Dozens of teams competed from around the world both in-person and remotely.

The vendors of hacked products will now have 120 days to patch the 63 zero-days found in their offerings before they are publicly disclosed by the ZDI.