
In this episode of Cybersecurity Today, host David Shipley covers the latest updates from the Pwn2Own 2025 event in Ireland, where top hackers earned over $1 million for uncovering 73 zero-day vulnerabilities. Despite significant hype, AI's impact on...
Hackers earn more than a million dollars for 73 zero-days at Pwn2Own Ireland. Critical Microsoft WSUS flaw comes under active exploitation. Shutdown sparks 85% increase in US government cyber attacks. And ESET says North Korea is ramping up drone IP theft. This is Cybersecurity Today and I'm your host, David Shipley. Let's get started.

Last week, some of the best hackers in the world gathered in Cork, Ireland for Pwn2Own 2025, one of the few places where breaking things earns applause, not arrests. Over three days, researchers uncovered 73 zero-day vulnerabilities and earned just over $1 million in prize money. That's impressive, but here's what's more interesting. Despite all the hype this year about AI supercharging hacking and defense, this year's results look almost identical to last year's: about the same number of vulnerabilities discovered, about the same amount in payouts. It's a fascinating reality check on what AI is and is not changing in cybersecurity right now. Like 2024, this year's contest featured eight target categories, from smartphones and network appliance devices to routers, cameras and smart home tech. But organizers added a twist: a new USB-based challenge requiring teams to exploit locked smartphones via physical connection, not just over Wi-Fi or Bluetooth. It's a reminder that physical access still matters, especially as phones and wearables become the keys to digital identity. The Summoning Team topped the leaderboard with 22 Master of Pwn points and $187,500, breaking into the Samsung Galaxy S25, several Synology NAS drives and a QNAP device. Interrupt Labs earned attention by hacking the Galaxy S25 through an input validation flaw that exposed its camera and location data, proof that small bugs still have big consequences. And in a surprising move, Team Z3 withdrew from a potential $1 million WhatsApp zero-click exploit payday, opting instead for private disclosure through the Zero Day Initiative and Meta's security team. That's a lot of money to leave on the table, and we may never fully know why.

So why didn't AI shift the balance this year? Two reasons. First, AI isn't replacing skilled human researchers anytime soon. Today's LLM-based tools just aren't capable of the kind of creative, high-impact work. Second, as automation handles routine testing, the remaining vulnerabilities are tougher to find. That's the good news: if defenders can keep up with patching, especially now that exploit windows can shrink to just 15 minutes after a CVE is disclosed, we could see some positives from AI. In the end, cybersecurity still relies on human curiosity, intuition and persistence, things AI simply does not have. Next up, Pwn2Own Tokyo 2026, where researchers will target connected cars. If Ireland 2025 showed AI hasn't changed the game yet, Tokyo might, as vehicles become rolling computers linked to sensors, the cloud and smart cities, and are decades behind in even catching the basic security issues.

On Thursday, Microsoft took the unusual step of releasing an out-of-band patch, that's a security update pushed outside of its normal Patch Tuesday cycle, to fix a critical vulnerability in Windows Server Update Services, or WSUS. The flaw, tracked as CVE-2025-59287, carries a CVSS score of 9.8. That's almost as bad as it gets, and worse: now there's proof-of-concept exploit code publicly available, and active exploits in the wild are now happening. So what's going on? The bug, discovered by researchers at Code White GmbH, involves unsafe deserialization. That's a long-standing weakness that lets attackers send specially crafted data to trick a program into executing malicious code. In this case, a vulnerable WSUS endpoint processes encrypted authorization cookies using an old BinaryFormatter function, something Microsoft itself has warned developers not to use for years. Once triggered, the exploit gives an attacker remote code execution with SYSTEM privileges, which essentially allows for full takeover of the affected server. The issue affects systems with the WSUS server role enabled, and Microsoft says servers without that role are safe. Still, because WSUS is often deployed to manage software updates across large networks, compromised servers could become launchpads for massive attacks. Security firm Eye Security and the Dutch National Cyber Security Centre confirmed exploitation began Oct. 24, with attackers using a base64-encoded payload to run commands silently through the Windows command shell. Huntress Labs also observed similar activity, noting exposed WSUS ports 8530 and 8531 were the main targets. Microsoft reissued the patch after discovering an initial update did not fully mitigate the issue. The fix now covers all supported Windows Server versions from 2012 through 2025. This is the second major critical vulnerability in the past six months, following the SharePoint issues, where a patch from Microsoft failed to fix things and bad things followed for organizations. If you run WSUS, patch immediately and restart the service. If you can't, disable the WSUS role or block inbound traffic to port 8530 or 8531, and don't roll back these mitigations until you've applied the update. If you run WSUS, patch immediately and reboot. If you don't, follow instructions to mitigate it, and don't roll back those mitigations until you've applied the update. CISA added CVE-2025-59287 to its Known Exploited Vulnerabilities catalog and, interestingly and surprisingly, gave federal agencies until November 14th to patch, which doesn't match how they've handled other similar major vulnerabilities of this kind of severity. This response may be tied to how bad things are right now for the US federal government with the shutdown. The reality is, with active exploitation now observed, if you're running WSUS in the way that is vulnerable, do not wait to patch. Not closing that hole is the equivalent of a cyber "kick me" sign.

Since the US government shutdown on October 1, cyber attacks targeting federal employees have nearly doubled. With agencies frozen, staff furloughed and cyber defense capability and capacity reduced, the shutdown has created a perfect storm. And threat actors are taking full advantage. Researchers at The Media Trust project more than 555 million cyber attacks against federal systems by month's end. They say that's an 85% jump over what they saw in September. But these aren't just random phishing blasts, CEO Chris Olson says. Many are targeted digital attacks through websites, apps and online ads interacting directly with government employees. Experts say the danger goes beyond immediate breaches. Justin Miller, a former Secret Service agent now teaching cyber studies at the University of Tulsa, remembers past shutdowns vividly. He recalls receiving letters from mortgage companies explaining furlough status, letters that banks largely ignored. That financial pressure makes government workers prime targets. Threat actors are launching deceptive ad campaigns and phishing lures, offering quick cash or loan forgiveness but leading to credential theft or malware. An infected laptop or phone today could easily become the beachhead when those employees return to work. The Department of Veterans Affairs has been the most targeted agency so far, followed by the Department of Justice. Both are heavily staffed with essential employees, people still working but unpaid and under incredible stress and strain. At the VA, nearly 97% of staff remain on duty unpaid. At Justice, it's 90%. That means these agencies are running critical systems with minimum support. With two-thirds of CISA's workforce sitting at home, it's a dangerous equation: low morale, few defenders and rising attacks. Experts warn the real damage may unfold slowly. Unpatched systems, stalled modernization projects and delayed responses create long-term risk for the government. And the shutdown undermines trust and harms employee retention, driving skilled cyber professionals out of the cyber service at a time when they are needed the most. As Ilona Cohen from HackerOne put it, instability pushes talent away even when the shutdown ends. Rebuilding trust and that workforce could take years.

Researchers at ESET have uncovered a new North Korean cyber espionage campaign targeting European defense companies, including several deeply involved in drone manufacturing. The activity, linked to the notorious Lazarus Group, appears designed to steal proprietary UAV technology and manufacturing know-how, likely to advance North Korea's own growing drone program. ESET said that this is part of the ongoing Operation DreamJob campaign, a long-running Lazarus effort that uses fake job offers to compromise victims. The lure usually arrives as a convincing PDF job description paired with a trojanized reader application that delivers malware once opened. In this latest wave, Lazarus infiltrated open source projects on GitHub and added the malicious loaders that ultimately install the ScoringMathTea remote access trojan. Once inside, attackers gained full control of a targeted system, able to manipulate files, collect data, execute new payloads, and quietly exfiltrate sensitive information. ESET reports that three European defense companies were hit so far, all located in central and southeastern Europe, and at least one manufactures UAVs currently being used in Ukraine. The connection isn't accidental. Analysts believe Lazarus may be trying to reverse engineer Western drone designs seen on the battlefield, helping Pyongyang strengthen its own UAV capabilities. Unlike many Lazarus operations focused on theft or disruption, this campaign fits classic espionage: quiet, targeted and technically sophisticated. The group continues to evolve, using DLL proxying, layered droppers and loaders for stealth, and exploiting legitimate open source software to disguise attacks. ESET researchers Peter Kálnai and Alexis Rapin said the evidence strongly suggests Lazarus was after intellectual property, not immediate chaos, a reminder that modern cyber conflict is often fought in the shadows, one stolen design file at a time. With Russia relying on North Korea more and more for workers and munitions, it's not a surprise to see Pyongyang ramp up spying in cyber to gain UAV designs. There's money to be made for the world's most isolated state, and that is a top priority. It also means that stolen drone intellectual property could be used to maim or kill further on the battlefield, upping the stakes even more for European and Western drone firms to protect their digital crown jewels.

Those are your updates for Monday, October 27th. The key takeaway this week: cyber is far from a harmless crime. It's a tool now used by nation states as part of the full spectrum of modern warfare, from economic to kinetic to information warfare. As Cybersecurity Awareness Month wraps up, it's never been more important to encourage everyone to do their part and to teach them how to spot and stop cyber threats. We're always interested in your opinion and you can contact us at technewsday.com or leave a comment under the YouTube video. Please help us spread the word about the show. Think about leaving a like, subscribing or leaving a review. And if you enjoy the show, please tell others; we'd love to grow our audience and we need your help. I've been your host David Shipley. Jim Love will be back on Wednesday.
Host: David Shipley (filling in for Jim Love)
Date: October 27, 2025
This episode provides an in-depth analysis of the recent Pwn2Own Ireland 2025 event, where top security researchers uncovered numerous zero-day vulnerabilities across tech devices. The show dives into the broader implications of these findings for AI in cybersecurity, highlights an urgent Microsoft WSUS vulnerability and patching guidance, discusses the impact of the US government shutdown on federal cyberattack rates, and uncovers fresh North Korean cyber-espionage activity targeting European drone firms. The tone is urgent and informative, emphasizing that cybersecurity threats are increasingly intertwined with global politics and national security.
"Despite all the hype this year about AI supercharging hacking and defense, this year's results look almost identical to last year's... It's a fascinating reality check on what AI is and is not changing in cybersecurity right now." — David Shipley [01:04]
"AI isn't replacing skilled human researchers anytime soon... cybersecurity still relies on human curiosity, intuition and persistence, things AI simply does not have." — David Shipley [03:25]
"If you run WSUS, patch immediately and restart the service. If you can't, disable the WSUS role or block inbound traffic to port 8530 or 8531… Do not roll back those mitigations until you've applied the update." — David Shipley [08:42]
"That financial pressure makes government workers prime targets. Threat actors are launching deceptive ad campaigns and phishing lures, offering quick cash or loan forgiveness but leading to credential theft or malware." — David Shipley [12:04]
"Unpatched systems, stalled modernization projects and delayed responses create long term risk for the government." — David Shipley [13:40]
"ESET researchers Peter Kálnai and Alexis Rapin said the evidence strongly suggests Lazarus was after intellectual property, not immediate chaos, a reminder that modern cyber conflict is often fought in the shadows one stolen design file at a time." — David Shipley [16:18]
"It also means that stolen drone intellectual property could be used to maim or kill further on the battlefield, upping the stakes even more for European and Western drone firms to protect their digital crown jewels." — David Shipley [17:01]
On Human vs. AI in Cybersecurity:
"In the end, cybersecurity still relies on human curiosity, intuition and persistence, things AI simply does not have." — David Shipley [03:25]
On Patch Management:
"If you run WSUS, patch immediately and reboot… Not closing that hole is the equivalent of a cyber kick me sign." — David Shipley [09:15]
On Government Instability:
"Instability pushes talent away, even when the shutdown ends. Rebuilding trust and that workforce could take years." — Ilona Cohen, HackerOne (as cited by Shipley) [13:55]
On Modern Cyber Conflict:
"Modern cyber conflict is often fought in the shadows one stolen design file at a time." — David Shipley [16:24]
"Cyber is far from a harmless crime. It's a tool now used by nation states as part of the full spectrum of modern warfare, from economic to kinetic to information warfare." [18:00]