Rapid7 at Pwn2Own: Raising the Bar in Vuln Intel

Oct 24 2025

As the 2025 edition of Pwn2Own Ireland draws to a close, we are taking a beat to reflect on Rapid7’s participation and achievements, both this year and last, in the world of competitive zero day exploit development. 

Pwn2Own is a zero-day exploit competition run by the Zero Day Initiative (ZDI) and held at a number of locations each year. Every edition of the competition begins roughly three months prior to the event, when the organizer announces a list of targets, either popular software or hardware devices, that will be available for contestants to hack during the event.

The twist is that this is a zero-day exploit competition: the targets will all be running the latest version of their software, meaning contestants must prepare in advance a zero-day exploit comprising as-yet unknown vulnerabilities, and then successfully demonstrate their exploit live at the event.

Why Rapid7 participates in Pwn2Own

Zero-day research is at the core of Rapid7’s vulnerability intelligence capabilities. Our research teams regularly find and disclose novel vulnerabilities affecting enterprise software and hardware appliances. 

Our work in this space gives our customers industry-first product coverage for the vulnerabilities we find and disclose through our own CVD program, ensures our research teams maintain a technical capability that either matches or exceeds the threat actors we are defending against, and ultimately strengthens the broader cybersecurity ecosystem by identifying and fixing critical vulnerabilities before attackers can exploit them.

We believe we can continue to do our best work in this space by constantly raising the bar. Competing at an industry-leading event like Pwn2Own is the perfect example of this. Success at this competition is hard. The targets are hard targets; there are no easy wins or low-hanging fruit here. 

The timeframes are short and fraught - many of the vendors whose products are in the competition are actively trying to patch out vulnerabilities before the contest begins. The competition is tough - vulnerability researchers from all over the world are competing against one another for the same rewards. 

These are the constraints with which we love to challenge ourselves. Meeting the challenge raises the bar and ensures our vulnerability intelligence capabilities are world class.

Rapid7’s success at Pwn2Own… so far

Our success at Pwn2Own began last year at Pwn2Own Ireland 2024, where Rapid7 Security Researcher Ryan Emmons successfully hacked a Synology DiskStation DS1823xs+ on day one of the competition, winning the DiskStation target in the competition's Network Attached Storage (NAS) category.

Ryan’s exploit not only included a new zero-day vulnerability affecting the DiskStation, but also a novel exploitation technique to achieve unauthenticated remote code execution on the device. This is a great example of what Rapid7’s research capabilities in this space can achieve, going beyond a single vulnerability and into novel techniques. Ryan delivered a DEF CON 2025 talk this year, presenting his novel exploitation technique publicly for the first time to industry peers.

Rapid7’s Stephen Fewer (far left) and Ryan Emmons (center) at Pwn2Own Ireland 2024.
Image credit: Markus Gaasedelen

Our success at Pwn2Own has continued this year at Pwn2Own Ireland 2025, where Sr. Principal Security Researcher Stephen Fewer successfully hacked a Home Assistant Green device on day one of the competition, winning the Home Assistant Green target in the competition's Smart Home Devices category.

Stephen’s exploit consisted of three separate zero-day vulnerabilities, and included a container escape for unauthenticated remote code execution on the device's host OS.

What's next for Rapid7 Labs?

Into 2026 and beyond, our vulnerability intelligence team continues to: 

  • Monitor and understand high-profile vulnerabilities that are either currently or likely to be exploited in the wild as part of Rapid7’s Emergent Threat Response (ETR) program. 

  • Research new zero-day vulnerabilities to strengthen the security of both our customers and the broader cybersecurity ecosystem.

  • Develop new Metasploit exploit modules to ensure defenders have reliable access to offensive tooling. 

  • Push the boundary of what we can achieve in this space through research-informed intelligence.

Keep up with the work we do right here on the Rapid7 blog, as well as through our community vulnerability intelligence platform, AttackerKB.