On the second day of Pwn2Own Automotive 2026, safety researchers collected $439,250 in money awards after exploiting 29 distinctive zero-days.
The Pwn2Own Automotive hacking contest focuses on automotive applied sciences and takes place this week in Tokyo, Japan, from January 21 to January 23, in the course of the Automotive World auto convention.
All through the competitors, safety researchers goal totally patched electrical automobile (EV) chargers, in-vehicle infotainment (IVI) methods, and automobile working methods (e.g., Automotive Grade Linux).
Fuzzware.io at present leads the competitors’s leaderboard with $213,000 earned after the primary two days, and has earned one other $95,000 by hacking the Phoenix Contact CHARX SEC-3150 charging controller, the ChargePoint House Flex EV charger, and the Grizzl-E Good 40A EV charging station.
Sina Kheirkhah of Summoning Group collected one other $40,000 after rooting the Kenwood DNR1007XR navigation receiver, the ChargePoint House Flex, and the Alpine iLX-F511 multimedia receiver.
Rob Blakely of Technical Debt Collectors and Hank Chen of InnoEdge Labs had been additionally awarded $40,000 every after demonstrating zero-day exploit chains concentrating on Automotive Grade Linux and the Alpitronic HYC50 charging station.
After the primary two days of the competition, safety researchers have earned $955,750 in money awards after exploiting 66 zero-day vulnerabilities.
On the third day of Pwn2Own, the Grizzl-E Good 40A might be focused once more by Sluggish Horses of Qrious Safe and the PetoWorks crew, whereas the Juurin Oy crew will go after the Alpitronic HYC50, and Ryo Kato will try to take advantage of the Autel MaxiCharger.
On the primary day, Synacktiv Group earned $35,000 after efficiently chaining an data leak and an out‑of‑bounds write flaw to get hold of root permissions on the Tesla Infotainment System through a USB-based assault and an extra $20,000 money award for chaining three zero-day flaws to realize root-level code execution on the Sony XAV-9500ES digital media receiver.
The complete schedule for the second day and the outcomes for every problem can be found right here, whereas the whole schedule for Pwn2Own Automotive 2026 is out there right here.
Throughout final yr’s Pwn2Own Automotive competitors, hackers collected $886,250 after exploiting 49 zero-days. The earlier yr, in the course of the Pwn2Own Automotive 2024 contest, they collected one other $1,323,750 after demoing 49 zero-day bugs and hacking a Tesla automobile twice.
Distributors have 90 days to develop and launch safety fixes for zero-day flaws which might be exploited and reported in the course of the Pwn2Own contest, earlier than TrendMicro’s Zero Day Initiative publicly discloses them.
As MCP (Mannequin Context Protocol) turns into the usual for connecting LLMs to instruments and knowledge, safety groups are transferring quick to maintain these new companies secure.
This free cheat sheet outlines 7 finest practices you can begin utilizing as we speak.
