WhatsApp 0-Click RCE Exploit Earns $1,000,000 at Pwn2Own Ireland 2025

The cybersecurity world’s most prestigious hacking competition is returning to Cork, Ireland, with its biggest WhatsApp bounty ever.

Trend Micro’s Zero Day Initiative has announced that Pwn2Own Ireland 2025 will offer $1,000,000 for a zero-click WhatsApp exploit leading to remote code execution, marking a dramatic increase from last year’s $300,000 prize that went unclaimed.

The partnership reflects the critical importance of securing WhatsApp, which serves over three billion users globally.

Last year’s event saw no successful attempts against the messaging platform despite offering substantial rewards, prompting organizers to triple the top prize to provide “the needed motivation”.

Meta has joined as a co-sponsor for the second consecutive year, significantly amplifying the stakes for WhatsApp security research.

The expanded messaging category now includes multiple prize tiers beyond the headline $1,000,000 bounty.

Lesser cash awards will be available for other WhatsApp exploits, including one-click vulnerabilities and non-code execution bugs.

This represents a significant evolution from previous years, where the focus was primarily on achieving code execution.

WhatsApp 0-Click RCE Exploit

Scheduled for October 21-24, 2025, the competition will once again take place at Trend Micro’s Cork offices, with the closing ceremony at the historic Cork City Gaol.

The event will feature eight distinct categories targeting modern consumer and enterprise technologies:

The mobile phone category introduces a new USB attack vector, requiring researchers to compromise locked devices through the exposed USB port.

Traditional attack vectors including NFC, Wi-Fi, Bluetooth, and baseband remain available, with prizes ranging up to $300,000 for complete device compromises with kernel access.

The SOHO Smashup category returns with a more challenging device list, requiring researchers to compromise two connected devices within 30 minutes to earn $100,000 and 10 Master of Pwn points.

This category addresses the growing security concerns around work-from-home environments where enterprise network perimeters have extended to residential settings.

Building on Previous Success

Pwn2Own Ireland 2024 demonstrated the contest’s value to the security community, with researchers discovering over 70 unique zero-day vulnerabilities and earning $1,066,625 in total prizes.

An attempt in this category must be launched against the target’s exposed network services, RF attack surface, or exposed features from the contestant’s laptop within the contest network.

Vietnamese team Viettel Cyber Security claimed the Master of Pwn title with 33 points and $205,000 in earnings.

The event’s success validated the move to Ireland and established Cork as a new hub for international cybersecurity research.

The upcoming 2025 event builds on these foundations while raising the stakes considerably. Registration closes at 5:00 p.m. Irish Standard Time on October 16th, 2025, with no exceptions for late entries. The random drawing system will determine the order of attempts, ensuring fair competition regardless of submission timing.

With returning co-sponsors Synology and QNAP providing technical support alongside Meta’s substantial investment, Pwn2Own Ireland 2025 promises to be the most significant iteration yet.

The million-dollar WhatsApp bounty represents more than just a prize—it’s a clear signal that securing critical communication infrastructure remains a top priority for the global cybersecurity community.

Ethan Brooks

Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
