Welcome to Day One of Pwn2Own Ireland 2025! We have 17 attempts today with some exciting research on display. We’ll be posting results here as we have them, and follow us on Twitter, Mastodon, and Bluesky.
Microsoft links Storm-1175 to GoAnywhere flaw CVE-2025-10035, exploited since September for Medusa ransomware.
Microsoft patched CVE-2025-55241 July 17, 2025; CVSS 10.0 Entra ID bug via legacy Graph enabled cross-tenant impersonation risking tenant compromise.
Over 84,000 instances of the Roundcube webmail software are vulnerable to CVE-2025-49113, a critical remote code execution (RCE) vulnerability with a publicly available exploit.
A zero-day vulnerability in the Linux kernel was discovered using OpenAI's o3 model. This finding, designated as CVE-2025-37899, marks a significant advancement in AI-assisted vulnerability research.
: EUVD comes into play not a moment too soon
Cisco fixes CVE-2025-20188, a 10.0 CVSS flaw tied to hardcoded JWT in wireless controllers, preventing root-level remote exploits.
Windows flaw CVE-2025-24054 actively exploited since March 19 to leak NTLM hashes via phishing attacks.
Fortinet patches CVE-2024-48887, a 9.3 CVSS FortiSwitch flaw, urging quick upgrades to avoid attacks.
Google fixed Chrome zero-day CVE-2025-2783 on Mar 20 after attacks exploited a sandbox bypass flaw.
Learn about CVE-2025-29927, a critical vulnerability in Next.js that impacts authorization checks in middleware.