76 Zero-Day Exploits Demonstrated at Pwn2Own Automotive 2026
Summary
Security researchers exploited 76 zero-day vulnerabilities in automotive systems during the Pwn2Own Automotive 2026 competition, earning a total of $1,047,000 in cash awards. The compromised targets include the Tesla Infotainment System, the Sony XAV-9500ES, the Alpitronic HYC50 charging station, an Autel charger, the Kenwood DNR1007XR, the Phoenix Contact CHARX SEC-3150, the ChargePoint Home Flex, the Grizzl-E Smart 40A, the Alpine iLX-F511 multimedia receiver, and Automotive Grade Linux. The exploits were demonstrated in Tokyo, Japan, during the Automotive World conference, from January 21 to January 23, 2026. Team Fuzzware.io won the contest with $215,000 in cash, followed by Team DDOS with $100,750 and Synacktiv with $85,000. Vendors have 90 days to develop and release security fixes before Trend Micro's Zero Day Initiative publicly discloses the flaws. The contest highlighted weaknesses in both the IT and operational-technology (OT) components of vehicle ecosystems, with a focus on aftermarket in-vehicle infotainment (IVI) systems and electric-vehicle (EV) chargers. Researchers showed that EV chargers, while improved, still expose a large attack surface. Vulnerabilities demonstrated against infotainment systems at the previous year's contest that their manufacturers had still not patched were excluded from this year's scope.
Timeline
- 23.01.2026 14:50 · 2 articles
76 Zero-Day Exploits Demonstrated at Pwn2Own Automotive 2026
The Pwn2Own Automotive 2026 competition concluded with security researchers earning $1,047,000 after exploiting 76 zero-day vulnerabilities. Team Fuzzware.io won the contest with $215,000 in cash awards, followed by Team DDOS with $100,750 and Synacktiv with $85,000. On the final day, Team Fuzzware.io earned a further $2,500 for an entry against the Alpine iLX-F511 multimedia receiver that was ruled a bug collision (the vulnerability used was already known, so it qualified only for a reduced award). The contest highlighted weaknesses in both the IT and operational-technology (OT) components of vehicle ecosystems, with a focus on aftermarket in-vehicle infotainment (IVI) systems and electric-vehicle (EV) chargers. Researchers showed that EV chargers, while improved, still expose a large attack surface. Vulnerabilities demonstrated against infotainment systems at the previous year's contest that their manufacturers had still not patched were excluded from this year's scope.
Sources:
- Hackers get $1,047,000 for 76 zero-days at Pwn2Own Automotive 2026 — www.bleepingcomputer.com — 23.01.2026 14:50
- Swipe, Plug-in, Pwned: Researchers Find New Ways to Hack Vehicles — www.darkreading.com — 23.01.2026 23:04
- 22.01.2026 14:30 · 2 articles
29 Zero-Day Exploits Demonstrated on Second Day of Pwn2Own Automotive 2026
On the second day of Pwn2Own Automotive 2026, security researchers exploited 29 unique zero-days, earning $439,250 in cash awards. Fuzzware.io led the competition with $213,000 earned after the first two days. Additional teams earned significant rewards for exploiting various automotive systems, including the Phoenix Contact CHARX SEC-3150 charging controller, the ChargePoint Home Flex EV charger, the Grizzl-E Smart 40A EV charging station, the Kenwood DNR1007XR navigation receiver, the Alpine iLX-F511 multimedia receiver, Automotive Grade Linux, and the Alpitronic HYC50 charging station. The total number of zero-day vulnerabilities exploited over the first two days reached 66, with researchers earning $955,750 in cash awards.
Sources:
- Hackers exploit 29 zero-days on second day of Pwn2Own Automotive — www.bleepingcomputer.com — 22.01.2026 14:30
- Hackers get $1,047,000 for 76 zero-days at Pwn2Own Automotive 2026 — www.bleepingcomputer.com — 23.01.2026 14:50
- 21.01.2026 14:16 · 3 articles
37 Zero-Day Exploits Demonstrated at Pwn2Own Automotive 2026
On the first day of the Pwn2Own Automotive 2026 competition, security researchers exploited 37 zero-day vulnerabilities in automotive systems, including the Tesla Infotainment System, the Sony XAV-9500ES, the Alpitronic HYC50 charging station, an Autel charger, the Kenwood DNR1007XR, the Phoenix Contact CHARX SEC-3150, the ChargePoint Home Flex, and the Grizzl-E Smart 40A. The exploits were demonstrated in Tokyo, Japan, during the Automotive World conference, which runs from January 21 to January 23, 2026. The Synacktiv Team earned $35,000 for compromising the Tesla Infotainment System and $20,000 for the Sony XAV-9500ES; other teams earned substantial rewards for exploiting charging stations and navigation systems. Vendors have 90 days to develop and release security fixes before Trend Micro's Zero Day Initiative publicly discloses the flaws.
Sources:
- Tesla hacked, 37 zero-days demoed at Pwn2Own Automotive 2026 — www.bleepingcomputer.com — 21.01.2026 14:16
- Hackers exploit 29 zero-days on second day of Pwn2Own Automotive — www.bleepingcomputer.com — 22.01.2026 14:30
- Hackers get $1,047,000 for 76 zero-days at Pwn2Own Automotive 2026 — www.bleepingcomputer.com — 23.01.2026 14:50
Information Snippets
- Synacktiv Team exploited an information leak and an out-of-bounds write flaw to gain root permissions on the Tesla Infotainment System.
First reported: 21.01.2026 14:16 · 2 sources, 4 articles. Sources:
- Tesla hacked, 37 zero-days demoed at Pwn2Own Automotive 2026 — www.bleepingcomputer.com — 21.01.2026 14:16
- Hackers exploit 29 zero-days on second day of Pwn2Own Automotive — www.bleepingcomputer.com — 22.01.2026 14:30
- Hackers get $1,047,000 for 76 zero-days at Pwn2Own Automotive 2026 — www.bleepingcomputer.com — 23.01.2026 14:50
- Swipe, Plug-in, Pwned: Researchers Find New Ways to Hack Vehicles — www.darkreading.com — 23.01.2026 23:04
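The Tesla entry above is described only as an information leak chained with an out-of-bounds write that ends in root. The following is an added illustrative model of why those two primitives get paired, written for this page; it is not Synacktiv's exploit, has nothing to do with Tesla's code, and its object layout, field names and sizes are all assumptions. The point it demonstrates is general: a write that is relative to a buffer can only be aimed when the attacker knows where the target object lies, and on a randomised heap that knowledge usually has to come from a separate leak. Everything happens inside one byte array so the behaviour is defined and deterministic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ARENA_SIZE 256
#define NAME_SIZE  16

/* Object A: a user-controlled name buffer; the out-of-bounds write lives here.
 * Object B: the session whose privilege the attacker wants (uid 0 == root).
 * Both layouts are assumptions made for this example. */
struct name_obj { char name[NAME_SIZE]; };
struct session  { uint32_t uid; uint32_t flags; };

/* Toy heap: both objects live inside this array, so every write below stays
 * within `arena` and the example is deterministic. */
static uint8_t arena[ARENA_SIZE];
static size_t  name_base, sess_base;

/* "Allocator": the caller chooses where each object lands. On a real target
 * these positions are randomised (ASLR, heap ordering) and not known up front. */
static void setup_heap(size_t name_at, size_t sess_at, uint32_t uid)
{
    struct session s = { uid, 0 };
    memset(arena, 0, sizeof arena);
    name_base = name_at;
    sess_base = sess_at;
    memcpy(arena + name_base, "guest", 6);
    memcpy(arena + sess_base, &s, sizeof s);
}

/* Bug 1, the information leak: a diagnostic path that reports object
 * locations (think of a verbose log line that prints raw pointers). */
static void leak_object_addrs(size_t *name_addr, size_t *sess_addr)
{
    *name_addr = name_base;
    *sess_addr = sess_base;
}

/* Bug 2, the out-of-bounds write: `idx` is never compared with NAME_SIZE, so
 * the caller can reach anything that lies after the buffer. The ARENA_SIZE
 * check only keeps the toy model itself defined; it is not a fix. */
static int vuln_set_name_byte(size_t idx, uint8_t v)
{
    if (name_base + idx >= ARENA_SIZE)
        return -1;
    arena[name_base + idx] = v;
    return 0;
}

/* Fixed variant: bound the index by the object it is meant to address. */
static int safe_set_name_byte(size_t idx, uint8_t v)
{
    if (idx >= NAME_SIZE)
        return -1;
    return vuln_set_name_byte(idx, v);
}

static uint32_t session_uid(void)
{
    uint32_t u;
    memcpy(&u, arena + sess_base + offsetof(struct session, uid), sizeof u);
    return u;
}

/* Attacker's side of the chain: the leak turns the relative write into a
 * targeted one; the write then zeroes the uid field. Returns the uid after. */
static uint32_t chain_leak_and_oob_write(void)
{
    size_t name_addr, sess_addr;
    leak_object_addrs(&name_addr, &sess_addr);

    size_t target = sess_addr + offsetof(struct session, uid);
    if (target < name_addr)          /* this primitive only writes forwards */
        return session_uid();
    size_t idx = target - name_addr; /* distance from the start of `name` */

    for (size_t i = 0; i < sizeof(uint32_t); i++)
        if (vuln_set_name_byte(idx + i, 0) != 0)
            break;
    return session_uid();
}

/* Without the leak the attacker can only guess the distance; a wrong guess
 * scribbles over something else and the uid survives. */
static uint32_t blind_guess(size_t guessed_idx)
{
    for (size_t i = 0; i < sizeof(uint32_t); i++)
        vuln_set_name_byte(guessed_idx + i, 0);
    return session_uid();
}
```

Run `setup_heap` with two different layouts and `chain_leak_and_oob_write` lands on the uid both times, while `blind_guess` with a stale distance does not; `safe_set_name_byte` rejects any index at or past `NAME_SIZE`, which is the whole fix for the write half of the chain. The leak half is fixed separately, by not exposing addresses in diagnostics.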
- Team Fuzzware.io collected $118,000 for hacking an Alpitronic HYC50 Charging Station, an Autel charger, and a Kenwood DNR1007XR navigation receiver.
First reported: 21.01.2026 14:16 · 2 sources, 4 articles. Sources:
- Tesla hacked, 37 zero-days demoed at Pwn2Own Automotive 2026 — www.bleepingcomputer.com — 21.01.2026 14:16
- Hackers exploit 29 zero-days on second day of Pwn2Own Automotive — www.bleepingcomputer.com — 22.01.2026 14:30
- Hackers get $1,047,000 for 76 zero-days at Pwn2Own Automotive 2026 — www.bleepingcomputer.com — 23.01.2026 14:50
- Swipe, Plug-in, Pwned: Researchers Find New Ways to Hack Vehicles — www.darkreading.com — 23.01.2026 23:04
- PetoWorks earned $50,000 for chaining three zero-day bugs to gain root privileges on a Phoenix Contact CHARX SEC-3150 charging controller.
First reported: 21.01.2026 14:16 · 2 sources, 4 articles. Sources:
- Tesla hacked, 37 zero-days demoed at Pwn2Own Automotive 2026 — www.bleepingcomputer.com — 21.01.2026 14:16
- Hackers exploit 29 zero-days on second day of Pwn2Own Automotive — www.bleepingcomputer.com — 22.01.2026 14:30
- Hackers get $1,047,000 for 76 zero-days at Pwn2Own Automotive 2026 — www.bleepingcomputer.com — 23.01.2026 14:50
- Swipe, Plug-in, Pwned: Researchers Find New Ways to Hack Vehicles — www.darkreading.com — 23.01.2026 23:04
- Team DDOS earned $72,500 for hacking the ChargePoint Home Flex, the Autel MaxiCharger, and the Grizzl-E Smart 40A vehicle charging station.
First reported: 21.01.2026 14:16 · 2 sources, 4 articles. Sources:
- Tesla hacked, 37 zero-days demoed at Pwn2Own Automotive 2026 — www.bleepingcomputer.com — 21.01.2026 14:16
- Hackers exploit 29 zero-days on second day of Pwn2Own Automotive — www.bleepingcomputer.com — 22.01.2026 14:30
- Hackers get $1,047,000 for 76 zero-days at Pwn2Own Automotive 2026 — www.bleepingcomputer.com — 23.01.2026 14:50
- Swipe, Plug-in, Pwned: Researchers Find New Ways to Hack Vehicles — www.darkreading.com — 23.01.2026 23:04
- The Pwn2Own Automotive 2026 competition focuses on automotive technologies, including in-vehicle infotainment (IVI) systems, electric vehicle (EV) chargers, and car operating systems.
First reported: 21.01.2026 14:16 · 2 sources, 3 articles. Sources:
- Tesla hacked, 37 zero-days demoed at Pwn2Own Automotive 2026 — www.bleepingcomputer.com — 21.01.2026 14:16
- Hackers get $1,047,000 for 76 zero-days at Pwn2Own Automotive 2026 — www.bleepingcomputer.com — 23.01.2026 14:50
- Swipe, Plug-in, Pwned: Researchers Find New Ways to Hack Vehicles — www.darkreading.com — 23.01.2026 23:04
- Vendors have 90 days to develop and release security fixes before Trend Micro's Zero Day Initiative publicly discloses the zero-day flaws.
First reported: 21.01.2026 14:16 · 2 sources, 3 articles. Sources:
- Tesla hacked, 37 zero-days demoed at Pwn2Own Automotive 2026 — www.bleepingcomputer.com — 21.01.2026 14:16
- Hackers exploit 29 zero-days on second day of Pwn2Own Automotive — www.bleepingcomputer.com — 22.01.2026 14:30
- Swipe, Plug-in, Pwned: Researchers Find New Ways to Hack Vehicles — www.darkreading.com — 23.01.2026 23:04
- Fuzzware.io earned an additional $95,000 by hacking the Phoenix Contact CHARX SEC-3150 charging controller, the ChargePoint Home Flex EV charger, and the Grizzl-E Smart 40A EV charging station.
First reported: 22.01.2026 14:30 · 2 sources, 2 articles. Sources:
- Hackers exploit 29 zero-days on second day of Pwn2Own Automotive — www.bleepingcomputer.com — 22.01.2026 14:30
- Swipe, Plug-in, Pwned: Researchers Find New Ways to Hack Vehicles — www.darkreading.com — 23.01.2026 23:04
- Sina Kheirkhah of Summoning Team collected $40,000 after rooting the Kenwood DNR1007XR navigation receiver, the ChargePoint Home Flex, and the Alpine iLX-F511 multimedia receiver.
First reported: 22.01.2026 14:30 · 2 sources, 3 articles. Sources:
- Hackers exploit 29 zero-days on second day of Pwn2Own Automotive — www.bleepingcomputer.com — 22.01.2026 14:30
- Hackers get $1,047,000 for 76 zero-days at Pwn2Own Automotive 2026 — www.bleepingcomputer.com — 23.01.2026 14:50
- Swipe, Plug-in, Pwned: Researchers Find New Ways to Hack Vehicles — www.darkreading.com — 23.01.2026 23:04
- Rob Blakely of Technical Debt Collectors and Hank Chen of InnoEdge Labs were awarded $40,000 each after demonstrating zero-day exploit chains targeting Automotive Grade Linux and the Alpitronic HYC50 charging station.
First reported: 22.01.2026 14:30 · 2 sources, 3 articles. Sources:
- Hackers exploit 29 zero-days on second day of Pwn2Own Automotive — www.bleepingcomputer.com — 22.01.2026 14:30
- Hackers get $1,047,000 for 76 zero-days at Pwn2Own Automotive 2026 — www.bleepingcomputer.com — 23.01.2026 14:50
- Swipe, Plug-in, Pwned: Researchers Find New Ways to Hack Vehicles — www.darkreading.com — 23.01.2026 23:04
- After the first two days of the contest, security researchers had earned $955,750 in cash awards for exploiting 66 zero-day vulnerabilities.
First reported: 22.01.2026 14:30 · 2 sources, 3 articles. Sources:
- Hackers exploit 29 zero-days on second day of Pwn2Own Automotive — www.bleepingcomputer.com — 22.01.2026 14:30
- Hackers get $1,047,000 for 76 zero-days at Pwn2Own Automotive 2026 — www.bleepingcomputer.com — 23.01.2026 14:50
- Swipe, Plug-in, Pwned: Researchers Find New Ways to Hack Vehicles — www.darkreading.com — 23.01.2026 23:04
- On the last day of the contest, Team Fuzzware.io earned an additional $2,500 for an attempt to root an Alpine iLX-F511 multimedia receiver that was ruled a bug collision (the vulnerability used was already known, so the entry qualified only for a reduced award).
First reported: 23.01.2026 14:50 · 2 sources, 2 articles. Sources:
- Hackers get $1,047,000 for 76 zero-days at Pwn2Own Automotive 2026 — www.bleepingcomputer.com — 23.01.2026 14:50
- Swipe, Plug-in, Pwned: Researchers Find New Ways to Hack Vehicles — www.darkreading.com — 23.01.2026 23:04
- Team Fuzzware.io won the Pwn2Own Automotive 2026 contest after taking home $215,000 in cash.
First reported: 23.01.2026 14:50 · 2 sources, 2 articles. Sources:
- Hackers get $1,047,000 for 76 zero-days at Pwn2Own Automotive 2026 — www.bleepingcomputer.com — 23.01.2026 14:50
- Swipe, Plug-in, Pwned: Researchers Find New Ways to Hack Vehicles — www.darkreading.com — 23.01.2026 23:04
- Team DDOS earned a total of $100,750 in cash awards.
First reported: 23.01.2026 14:50 · 2 sources, 2 articles. Sources:
- Hackers get $1,047,000 for 76 zero-days at Pwn2Own Automotive 2026 — www.bleepingcomputer.com — 23.01.2026 14:50
- Swipe, Plug-in, Pwned: Researchers Find New Ways to Hack Vehicles — www.darkreading.com — 23.01.2026 23:04
- Synacktiv Team earned a total of $85,000 in cash awards.
First reported: 23.01.2026 14:50 · 2 sources, 2 articles. Sources:
- Hackers get $1,047,000 for 76 zero-days at Pwn2Own Automotive 2026 — www.bleepingcomputer.com — 23.01.2026 14:50
- Swipe, Plug-in, Pwned: Researchers Find New Ways to Hack Vehicles — www.darkreading.com — 23.01.2026 23:04
- Synacktiv Team compromised an Autel MaxiCharger AC Elite Home 40A through its near-field communication (NFC) interface.
First reported: 23.01.2026 23:04 · 1 source, 1 article. Sources:
- Swipe, Plug-in, Pwned: Researchers Find New Ways to Hack Vehicles — www.darkreading.com — 23.01.2026 23:04
- Researchers showed that EV chargers, while improved, still expose a large attack surface.
First reported: 23.01.2026 23:04 · 1 source, 1 article. Sources:
- Swipe, Plug-in, Pwned: Researchers Find New Ways to Hack Vehicles — www.darkreading.com — 23.01.2026 23:04
- Vulnerabilities demonstrated against infotainment systems at the previous year's contest that their manufacturers had still not patched were excluded from this year's scope, so they could not be demonstrated again for awards.
First reported: 23.01.2026 23:04 · 1 source, 1 article. Sources:
- Swipe, Plug-in, Pwned: Researchers Find New Ways to Hack Vehicles — www.darkreading.com — 23.01.2026 23:04
- IVI systems are popular targets because they are typically connected to most of a car's other systems while being comparatively poorly protected.
First reported: 23.01.2026 23:04 · 1 source, 1 article. Sources:
- Swipe, Plug-in, Pwned: Researchers Find New Ways to Hack Vehicles — www.darkreading.com — 23.01.2026 23:04
- Researchers used the signalling exchanged over the charging connector (the "charging gun") between the vehicle and the charger as a way to exploit the chargers, i.e. attacking from the vehicle side of the charging session rather than from the network.
First reported: 23.01.2026 23:04 · 1 source, 1 article. Sources:
- Swipe, Plug-in, Pwned: Researchers Find New Ways to Hack Vehicles — www.darkreading.com — 23.01.2026 23:04
- The Alpitronic HYC50, a Level 3 (DC fast) charger, was compromised starting from the vehicle side of the charging connection.
First reported: 23.01.2026 23:04 · 1 source, 1 article. Sources:
- Swipe, Plug-in, Pwned: Researchers Find New Ways to Hack Vehicles — www.darkreading.com — 23.01.2026 23:04
Similar Happenings
Increased ICS Vulnerability Exploits and Hacktivist Activity in 2025
In 2025, cyber threat actors, including both cybercriminals and hacktivists, significantly increased their attacks on industrial control systems (ICS) and operational technology (OT) environments. The number of ICS vulnerability disclosures nearly doubled compared to 2024, with Siemens and Schneider Electric being the most affected vendors. Ransomware attacks also surged, particularly targeting manufacturing and healthcare sectors, while hacktivist groups focused on energy, utilities, and transportation sectors. The report predicts continued targeting of exposed HMI and SCADA systems in 2026.
73 Zero-day Vulnerabilities Exploited in Pwn2Own Ireland 2025
The Pwn2Own Ireland 2025 hacking competition concluded with security researchers collecting $1,024,750 in cash awards after exploiting 73 zero-day vulnerabilities. The event, held in Cork, Ireland, targeted vulnerabilities in various devices, including smartphones, messaging apps, smart home devices, printers, and more. The Zero Day Initiative (ZDI) operates the event to identify security flaws before threat actors can exploit them. Summoning Team won the competition with 22 Master of Pwn points and $187,500 earned throughout the three-day event. Team ANHTUD secured second place with $76,750 and 11.5 Master of Pwn points, while Synacktiv took third place with $90,000 in prizes and 11 Master of Pwn points. The event featured eight categories, including new attack vectors for mobile devices, and offered a $1 million reward for a zero-click WhatsApp exploit. On the first day, researchers demoed 34 unique zero-days and collected $522,500 in cash awards. Team DDOS chained eight zero-day flaws to hack a QNAP Qhora-322 Ethernet wireless router and gain access to a QNAP TS-453E NAS device, earning $100,000. On the second day, researchers exploited 56 unique zero-day vulnerabilities and collected $792,750 in cash awards. Ken Gannon and Dimitrios Valsamaras hacked the Samsung Galaxy S25, earning $50,000 and 5 Master of Pwn points. On the third day, the Samsung Galaxy S25 was hacked by Interrupt Labs via an improper input validation bug, earning 5 Master of Pwn points and $50,000.
Bring Your Own Car (BYOC) Attack Demonstrated
Researchers demonstrated a proof-of-concept (PoC) attack chain that started in a parked car and ended in corporate Linux servers and ESXi hypervisors. The attack exploited the connection between a driver's phone and the car's Bluetooth system, using it as an initial access vector into the corporate network. It was demonstrated at BSides NYC on October 18, 2025, by Threatlight CTO Tim Shipp. The attack required only a few cheap gadgets and exploited the brief window in which the driver connected their phone to the car's head unit. The attacker used a Flipper Zero hacking multitool to spoof the car's Bluetooth signal and establish a connection to the phone, and from there gained access to the corporate network when the phone connected to it. The attack highlights the risks associated with bring-your-own-device (BYOD) policies and the need for security measures that cover all potential entry points.
Zeroday.Cloud Hacking Competition Announced with $4.5 Million in Prizes
The Zeroday.Cloud hacking competition, announced by Wiz, offered $4.5 million in bug bounties for exploits in widely used cloud software. The event, scheduled for December 10-11 at the Black Hat Europe conference in London, covered six categories: AI, Kubernetes, containers, web servers, databases, and DevOps tools. Participants had to submit entries by December 1 and demonstrate exploits live at the event. The competition faced controversy due to alleged rule copying from Trend Micro's Pwn2Own hacking competition. Wiz partnered with AWS, Google Cloud, and Microsoft for the event. Google is also in the process of acquiring Wiz for $32 billion. Specific bounties ranged from $10,000 to $300,000. During the event, researchers were awarded $320,000 for demonstrating 11 zero-day vulnerabilities across 13 hacking sessions. Exploits were successful in Redis, PostgreSQL, Grafana, the Linux kernel, and MariaDB. A container escape flaw in the Linux kernel allowed attackers to break isolation between cloud tenants. Team Xint Code was crowned champion, receiving $90,000 for their exploits.
Critical deserialization flaw in DELMIA Apriso MOM actively exploited
A critical deserialization vulnerability (CVE-2025-5086) in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software is actively exploited, with a CVSS score of 9.0. The flaw affects versions from Release 2020 through Release 2025 and allows for remote code execution (RCE). In addition to CVE-2025-5086, two more vulnerabilities (CVE-2025-6205 and CVE-2025-6204) in DELMIA Apriso have been identified and are actively exploited. CVE-2025-6205 is a critical-severity missing authorization flaw, and CVE-2025-6204 is a high-severity code injection vulnerability. Both were patched by Dassault Systèmes in early August 2025. The vulnerabilities can be chained together to create accounts with elevated privileges and place executable files into a web-served directory. The product exposes a SOAP-based message processor endpoint that accepts XML payloads for bulk employee/identity provisioning and a file upload API used by portal components but that is accessible only post-authentication. DELMIA Apriso is used in production processes for digitalizing and monitoring, and is deployed in automotive, aerospace, electronics, high-tech, and industrial machinery divisions. CISA has added these flaws to its Known Exploited Vulnerabilities (KEV) catalog, and FCEB agencies are advised to apply updates by November 18, 2025, to secure their networks.

Additionally, a new vulnerability (CVE-2025-24893) in XWiki has been identified and is actively exploited. This flaw allows for arbitrary remote code execution through a request to the /bin/get/Main/SolrSearch endpoint and is being exploited in a two-stage attack chain that delivers a cryptocurrency miner. The vulnerability was reported by John Kwak of Trend Micro in May 2024 and was addressed in XWiki versions 15.10.11, 16.4.1, and 16.5.0RC1 in June 2024. Technical details on the bug emerged roughly half a year later, and an NVD advisory was published in February 2025.

Numerous proof-of-concept (PoC) exploits targeting the vulnerability have been available since early 2025. CrowdSec observed the vulnerability being abused for reconnaissance earlier this year but noted a decline in activity. VulnCheck identified in-the-wild attacks exploiting CVE-2025-24893 to deploy a cryptocurrency miner. The attacks proceed in a two-pass workflow separated by at least 20 minutes: the first pass stages a downloader, and the second pass executes it. The observed traffic originates from an IP address geolocated to Vietnam that has been associated with other malicious activity. The RondoDox botnet has been observed targeting unpatched XWiki instances to exploit CVE-2025-24893. VulnCheck observed a spike in exploitation attempts, with peaks on November 7 and November 11, 2025. RondoDox is adding new exploitation vectors to rope susceptible devices into a botnet for conducting DDoS attacks using HTTP, UDP, and TCP protocols. The first RondoDox exploit was observed on November 3, 2025. Other attacks have been observed exploiting the flaw to deliver cryptocurrency miners, establish a reverse shell, and conduct general probing activity using a Nuclei template for CVE-2025-24893.