Samsung’s flagship smartphone, the Galaxy S25, suffered a double blow at Pwn2Own Ireland 2025, where security researchers successfully exploited severe vulnerabilities that allowed remote activation of the phone’s camera and GPS tracking.
The incidents underscored the complexity of modern smartphone defenses and the persistence of skilled ethical hackers testing them at the international competition in Cork.
The event, organized by Trend Micro’s Zero Day Initiative, offers top security researchers an ethical way to expose vulnerabilities.
By responsibly disclosing flaws to affected manufacturers, these experts help harden defenses before bad actors can take advantage. Samsung now faces a 90-day window to issue fixes for the discovered zero-days.
What happened at Pwn2Own Ireland 2025?
Two separate teams compromised Samsung’s Galaxy S25 during the competition between October 21 and 24. On the second day, Ken Gannon from Mobile Hacking Lab and Dimitrios Valsamaras of the Summoning Team demonstrated a chained exploit using five undisclosed zero-day vulnerabilities to achieve remote code execution. Their success earned them $50,000 and five Master of Pwn points.
A day later, Ben R. and Georgi G. from Interrupt Labs performed a similar feat, crafting a unique exploit chain that silently hijacked the device’s camera and GPS capabilities.
This second demonstration confirmed that the vulnerabilities could be triggered remotely, emphasizing the seriousness of the flaws.
Did you know?
Pwn2Own began in 2007 as a browser hacking contest and now covers everything from smartphones to electric vehicles.
How hackers breached the Galaxy S25?
Both exploits relied on improper input validation deep within the Galaxy S25’s software stack. By chaining multiple vulnerabilities, researchers created a sequence allowing unauthorized code execution.
This combination bypassed Samsung’s Knox protections and sandboxing layers designed to prevent untrusted actions.
According to the Zero Day Initiative, exploit chains of this kind reveal how minor coding oversights can align to compromise seemingly secure ecosystems.
Despite Samsung’s use of the Android 16 OS and the improved One UI 8 layer, the flaws demonstrated that no mobile platform remains entirely impervious to skilled ethical testing.
What makes these zero-day flaws critical?
The term “zero-day” refers to flaws that are unknown to the vendor, meaning Samsung had no prior notice before they were discovered. Such vulnerabilities are particularly dangerous because they provide opportunities for stealthy exploitation until patched.
By discovering and disclosing them responsibly, researchers reduce potential real-world impact. The Pwn2Own contest offers high rewards precisely because these vulnerabilities are rare and powerful.
A single exploit chain that allows remote code execution and access to a camera or location service can compromise a user’s privacy in seconds. Identifying these weaknesses under controlled conditions prevents far more damaging outcomes in real settings.
ALSO READ | Why 3I/ATLAS drill matters for planetary defense readiness
How is Samsung responding to the discoveries?
Samsung now has 90 days under Pwn2Own’s disclosure rules to fully patch the vulnerabilities. The company is expected to include fixes in either the November or December 2025 security updates as part of its regular monthly rollout cycle.
These patches follow the October 2025 update, which addressed 33 unrelated vulnerabilities across Galaxy devices.
In a statement, Samsung emphasized its commitment to continuous device protection, highlighting the advantage of voluntary researcher disclosures over malicious intrusions.
The company’s Knox Enhanced Encrypted Protection and Knox Matrix will continue evolving to mitigate future threats while maintaining device usability.
What does this mean for smartphone security?
Events like Pwn2Own serve as valuable proving grounds for the cybersecurity ecosystem. They demonstrate the ongoing need for bug bounty programs, coordinated disclosures, and research investment from both the private and public sectors.
The competition has evolved into a platform for cooperation instead of confrontation between hackers and manufacturers.
The Galaxy S25 breaches highlight that even flagship smartphones from leading vendors can contain exploitable flaws. For end users, timely software updates remain the most direct defense.
The industry continues to move toward AI‑assisted verification and hardware-based isolation, yet human ingenuity on both sides of cybersecurity keeps the contest alive.
Through ethical discovery, every revealed zero-day helps manufacturers make millions of devices more secure.
Pwn2Own Ireland 2025 may have spotlighted vulnerabilities in Samsung’s crown jewel, but it also reinforced the resilience of an industry built on collaboration rather than concealment.
As researchers refine their craft and vendors tighten their defenses, the next generation of smartphones will emerge better protected against the world’s most advanced exploitation chains.
The lessons from Pwn2Own 2025 are already shaping how future devices will be built, tested, and defended.
Comments (0)
Please sign in to leave a comment