Pwn2Own Automotive 2026 Demonstrates Zero-Day Exploits Against Tesla IVI and EV Charging Ecosystem
Security researchers demonstrated dozens of previously unknown vulnerabilities during Pwn2Own Automotive 2026 in Tokyo, including successful compromise of a Tesla infotainment system and multiple EV chargers and in-vehicle infotainment (IVI) products. On day one, researchers earned significant payouts after chaining bugs to achieve root-level access and code execution across targets; reported examples included a USB-based exploit chain against Tesla’s infotainment system to obtain root privileges, plus successful attacks against products from Sony, Kenwood, Alpine, and several EV charging vendors. Under the contest rules, affected vendors receive a 90-day window to produce patches before Trend Micro’s Zero Day Initiative (ZDI) discloses the vulnerabilities.
ZDI’s day-one results detail multiple winning exploit chains and vulnerability classes used against automotive-adjacent systems, including a stack-based buffer overflow yielding a root shell on an Alpine head unit, exploit chains against an Autel charger (including CWE-306 and CWE-347) enabling charging-signal manipulation, a hardcoded credential (CWE-798) leveraged for code execution against the Grizzl-E Smart 40A, and a command injection used against the ChargePoint Home Flex. ZDI’s published schedule for subsequent days shows continued focus on the same target set (e.g., Kenwood DNR1007XR, Sony XAV-9500ES, Phoenix Contact CHARX SEC-3150, Alpitronic HYC50, and Grizzl-E Smart 40A), indicating additional attempts and potential further zero-day disclosures as the competition progresses.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Fuzzware.io wins Master of Pwn at Pwn2Own Automotive 2026
At the close of the contest, Fuzzware.io was named Master of Pwn with 28 points and $215,500 in winnings. The team led the field through multiple successful exploit demonstrations against EV charging and automotive-related targets.
Day Three concludes event with 76 zero-days and $1.047 million awarded
Pwn2Own Automotive 2026 finished after three days with 76 unique zero-day vulnerabilities demonstrated and total prize money of $1,047,000. Final-day exploits affected head units and EV charging equipment, including issues such as TOCTOU, race conditions, permission flaws, and memory corruption.
Day Two adds 29 more zero-days and pushes total payouts to $955,750
On the second day of the competition, researchers demonstrated 29 additional unique zero-day vulnerabilities and earned $439,250. After two days, the event total reached 66 zero-days and $955,750 in awards, with Fuzzware.io leading the standings and several entries marked as collision cases.
ZDI begins coordinated disclosure with 90-day vendor patch window
Under Pwn2Own rules, the Zero Day Initiative reported the demonstrated vulnerabilities to affected vendors after the contest submissions, giving them 90 days to develop fixes before public technical disclosure. This applied to the zero-days uncovered across automotive infotainment, EV charging, and operating system targets.
Day One opens with 37 zero-days and Tesla infotainment compromise
On the first day of Pwn2Own Automotive 2026, researchers demonstrated 37 unique zero-day vulnerabilities and earned $516,500. Successful attacks included Synacktiv gaining root on Tesla's infotainment system via a USB-based exploit chain, along with compromises of Sony, Alpine, and multiple EV charging products.
Pwn2Own Automotive 2026 scheduled for January 21–23 in Tokyo
Trend Micro's Zero Day Initiative announced the Pwn2Own Automotive 2026 contest at the Automotive World conference in Tokyo, with targets including fully patched IVI systems, EV chargers, and Automotive Grade Linux. A Day Two schedule published by ZDI listed researchers, products, and prize categories for January 22 demonstrations.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
14 references tracked. Mallory keeps watching after this page renders.
Pwn2Own Automotive 2026 Tokyo - TheCyberThrone
thecyberthrone.in
Open sourceAutomotive systems get pwned at Pwn2Own Automotive 2026 • The Register
go.theregister.com
Open sourceHackers get $1,047,000 for 76 zero-days at Pwn2Own Automotive 2026
bleepingcomputer.com
Open source76 Zero-day Vulnerabilities Uncovered by Hackers on Pwn2Own Automotive 2026
cybersecuritynews.com
Open sourceZero Day Initiative - Pwn2Own Automotive 2026 - Day Two Results
thezdi.com
Open sourceTesla hacked, 37 zero-days demoed at Pwn2Own Automotive 2026
bleepingcomputer.com
Open sourceZero Day Initiative - Pwn2Own Automotive 2026 - Day One Results
thezdi.com
Open sourceZero Day Initiative - Pwn2Own Automotive 2026 - The Full Schedule
thezdi.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Pwn2Own Berlin Zero-Days Hit Edge, Windows 11, and AI Platforms
Researchers at **Pwn2Own Berlin 2026** earned **$523,000** on the first day after demonstrating **24 unique zero-day vulnerabilities** against fully patched targets spanning browsers, operating systems, AI platforms, and NVIDIA-related infrastructure. The standout exploit came from **Orange Tsai** of **DEVCORE Research Team**, who chained **four logic bugs** to escape the **Microsoft Edge** sandbox and collected **$175,000**. **Windows 11** was also successfully compromised three times through separate local privilege-escalation zero-days, underscoring continued risk in core desktop platforms. Other successful demonstrations targeted **Red Hat Linux for Workstations**, **NVIDIA Container Toolkit**, **NVIDIA Megatron Bridge**, **LiteLLM**, **Chroma**, **OpenAI Codex**, and **LM Studio**, showing that enterprise AI tooling was a major attack surface at the event. Some attempts, including attacks against **Oracle Autonomous AI Database** and one **OpenAI Codex** entry, failed, but AI products still featured prominently as the competition’s enterprise-and-AI theme drove testing. After day one, **DEVCORE Research Team** led the standings with **$205,000**, and disclosed bugs now move into the contest’s **90-day vendor remediation window**.
May 25, 2026
Pwn2Own Ireland 2025 Day Two: Multiple Zero-Day Exploits Demonstrated Across Consumer Devices
Security researchers at Pwn2Own Ireland 2025 demonstrated 56 unique zero-day vulnerabilities across a range of consumer devices on the second day of the competition, earning a total of $792,750 in rewards. Notable exploits included a major Samsung Galaxy S25 compromise by The Summoning Team and Mobile Hacking Lab, who chained five vulnerabilities to achieve their result, as well as successful attacks against QNAP TS-453E, Synology DS925+, Canon imageCLASS MF654Cdw printer, Home Automation Green, and Phillips Hue Bridge. The event featured participation from leading teams and individuals, with The Summoning Team leading the scoreboard after their Samsung Galaxy exploit, and other teams such as CyCraft, Verichains, and Qrious Secure also earning significant rewards for their discoveries. The competition, sponsored by Meta, Synology, and QNAP, covered eight categories including flagship smartphones, printers, network storage, home networking gear, messaging apps, smart home and surveillance devices, and wearables. Vendors now have 90 days to address the vulnerabilities before public disclosure. Some exploits, such as the Synology BeeStation Plus, were ruled out of scope for the competition. The event highlights the ongoing risks posed by zero-day vulnerabilities in widely used consumer and enterprise devices, emphasizing the importance of coordinated vulnerability disclosure and rapid patching by vendors.
Mar 21, 2026
Pwn2Own Ireland 2025 Day One Exploits and Results
On the first day of Pwn2Own Ireland 2025, security researchers demonstrated the exploitation of 34 unique zero-day vulnerabilities across a wide range of consumer and enterprise devices. The event, organized by Trend Micro's Zero Day Initiative (ZDI), awarded a total of $522,500 in cash prizes to participating teams and individuals for their successful exploits. One of the most notable achievements was by Team DDOS, who chained eight zero-day vulnerabilities to compromise the QNAP Qhora-322 Ethernet wireless router via its WAN interface and subsequently gained access to a QNAP TS-453E NAS device, earning them $100,000 and 8 Master of Pwn points. Multiple teams, including Synacktiv, Summoning Team, DEVCORE, and Rapid7, achieved root-level code execution on devices such as the Synology BeeStation Plus, Synology DiskStation DS925+, QNAP TS-453E, and Home Assistant Green, each receiving $40,000 for their efforts. STARLabs, Team PetoWorks, Team ANHTUD, and Ierae researchers successfully exploited the Canon imageCLASS MF654Cdw multifunction laser printer in four separate attempts, highlighting the device's vulnerability. STARLabs also managed to hack the Sonos Era 300 smart speaker, earning $50,000, while Team ANHTUD exploited the Philips Hue Bridge for a $40,000 reward. The Summoning Team used a two-zero-day exploit chain to gain root on the Synology ActiveProtect Appliance DP320, securing an additional $50,000. By the end of the day, the Summoning Team led the Master of Pwn leaderboard with 11.5 points, closely followed by Team DDOS. The competition featured eight categories, including flagship smartphones, messaging apps, smart home devices, printers, and home networking equipment, with a total prize pool of up to $2,000,000 and a record $1,000,000 single prize for a 0-click WhatsApp exploit. The ZDI coordinates responsible disclosure with affected vendors, granting them 90 days to patch vulnerabilities before public disclosure. The event's schedule included a diverse set of targets and participants, with each attempt carefully timed and monitored. Technical details of the exploits ranged from stack-based and heap-based buffer overflows to complex exploit chains involving multiple zero-days. The competition not only showcased the skills of top security researchers but also contributed to improving the security posture of widely used devices. The responsible disclosure process ensures that vendors are alerted to critical vulnerabilities before they can be weaponized by malicious actors. The first day of Pwn2Own Ireland 2025 underscored the ongoing need for robust security research and proactive vulnerability management in the technology ecosystem. The event's results will drive future security updates and influence best practices across the industry. The high-profile nature of the competition and the significant financial incentives continue to attract elite researchers and teams from around the world.
Apr 19, 2026