Hackers exploit 29 zero-days on second day of Pwn2Own Automotive

On the second day of Pwn2Own Automotive 2026, security researchers collected $439,250 in cash awards after exploiting 29 unique zero-days.

The Pwn2Own Automotive hacking contest focuses on automotive technologies and takes place this week in Tokyo, Japan, from January 21 to January 23, during the Automotive World auto conference.

Throughout the competition, security researchers target fully patched electric vehicle (EV) chargers, in-vehicle infotainment (IVI) systems, and car operating systems (e.g., Automotive Grade Linux).

Fuzzware.io currently leads the competition’s leaderboard with $213,000 earned after the first two days, and has earned another $95,000 by hacking the Phoenix Contact CHARX SEC-3150 charging controller, the ChargePoint Home Flex EV charger, and the Grizzl-E Smart 40A EV charging station.

Sina Kheirkhah of Summoning Team collected another $40,000 after rooting the Kenwood DNR1007XR navigation receiver, the ChargePoint Home Flex, and the Alpine iLX-F511 multimedia receiver.

Rob Blakely of Technical Debt Collectors and Hank Chen of InnoEdge Labs were also awarded $40,000 each after demonstrating zero-day exploit chains targeting Automotive Grade Linux and the Alpitronic HYC50 charging station.

After the first two days of the contest, security researchers have earned $955,750 in cash awards after exploiting 66 zero-day vulnerabilities.

On the third day of Pwn2Own, the Grizzl-E Smart 40A will be targeted again by Slow Horses of Qrious Secure and the PetoWorks team, while the Juurin Oy team will go after the Alpitronic HYC50, and Ryo Kato will attempt to exploit the Autel MaxiCharger.

On the first day, Synacktiv Team earned $35,000 after successfully chaining an information leak and an out‑of‑bounds write flaw to obtain root permissions on the Tesla Infotainment System via a USB-based attack and an additional $20,000 cash award for chaining three zero-day flaws to gain root-level code execution on the Sony XAV-9500ES digital media receiver.

The full schedule for the second day and the results for each challenge are available here, while the complete schedule for Pwn2Own Automotive 2026 is available here.

During last year’s Pwn2Own Automotive competition, hackers collected $886,250 after exploiting 49 zero-days. The previous year, during the Pwn2Own Automotive 2024 contest, they collected another $1,323,750 after demoing 49 zero-day bugs and hacking a Tesla car twice.

Vendors have 90 days to develop and release security fixes for zero-day flaws that are exploited and reported during the Pwn2Own contest, before TrendMicro’s Zero Day Initiative publicly discloses them.

7 Security Best Practices for MCP

As MCP (Model Context Protocol) becomes the standard for connecting LLMs to tools and data, security teams are moving fast to keep these new services safe.

This free cheat sheet outlines 7 best practices you can start using today.

Download Now