After Day One of Pwn2Own Automotive 2026, which delivered $516,500 USD for 37 zero-days, the event has now collected $955,750 USD across 66 unique vulnerabilities, demonstrating the automotive sector's substantial attack surface.
The competition showcased exploits targeting multiple vehicle subsystems, including in-vehicle infotainment (IVI) systems, EV charging stations, and embedded Linux environments.
Researchers successfully demonstrated command injection flaws, buffer overflows, authentication bypasses, and privilege escalation vulnerabilities across devices manufactured by Alpine, Kenwood, Phoenix Contact, Alpitronic, and Autel.
Fuzzware.io emerged as the commanding leader in the Master of Pwn standings, demonstrating technical sophistication through complex vulnerability chains, combining command injection vulnerabilities with protocol manipulation add-ons to maximize points.
The final day of the competition brings (source: zerodayinitiative)
The team exploited multiple bugs in the Phoenix Contact CHARX SEC-3150 and ChargePoint Home Flex (CPH50-Ok) systems.
DDoS attack targeting the Phoenix Contact CHARX SEC-3150 via signal manipulation (source: zerodayinitiative)
Their method of chaining multiple vulnerabilities reflects the advanced exploitation techniques required in modern automotive security research.
Among Day Two's standout achievements, Rob Blakely of Technical Debt Collectors successfully chained three bugs (an out-of-bounds read, memory exhaustion, and a heap overflow) against Automotive Grade Linux, earning $40,000 USD.
This exploit chain demonstrated the criticality of defending open-source automotive platforms used across the industry.
EV Charging Infrastructure Vulnerabilities Uncovered
Charging infrastructure emerged as a prominent vulnerability vector, with multiple teams successfully bypassing security on EV charging stations.
Synacktiv exploited a stack-based buffer overflow in the Autel MaxiCharger AC Elite Home 40A. At the same time, the Summoning Team demonstrated command-injection flaws in ChargePoint Home Flex systems.
Targeting the Autel MaxiCharger AC Elite Home 40A (source: zerodayinitiative)
These attacks underscore the security implications of rapidly expanding EV charging networks.
The event also documented collision exploits in which multiple teams independently discovered the same vulnerabilities.
Fifteen collision submissions occurred during Day Two, reducing overall prize payouts but validating that specific security flaws are discoverable through multiple research approaches.
Fuzzware.io's commanding lead suggests the final day may decide the Master of Pwn title, with technical execution and vulnerability discovery speed becoming decisive factors.
According to zerodayinitiative, the cumulative count of 66 zero-days across two days highlights the breadth of automotive attack surfaces, from infotainment and charging protocols to embedded operating systems.
Day Three will likely bring additional discoveries as the competition concludes.
The vulnerabilities disclosed at Pwn2Own inform vendor security roadmaps and contribute to industry-wide hardening efforts across connected vehicle platforms.