76 Zero-Day Exploits Demonstrated at Pwn2Own Automotive 2026

2 unique sources, 5 articles

Summary

Security researchers demonstrated 76 zero-day vulnerabilities in automotive systems during Pwn2Own Automotive 2026, earning $1,047,000 in cash awards. Affected systems include in-vehicle infotainment (IVI) units, EV chargers, and Automotive Grade Linux, with exploits targeting Tesla, Sony, ChargePoint, and other vendors. The competition, held in Tokyo from January 21 to 23, 2026, highlighted the persistent insecurity of IT and OT components in vehicles, particularly aftermarket IVI systems and charging infrastructure. The contest showed that EV chargers, despite improvements, retain a large attack surface; organizers also barred the reuse of previously disclosed infotainment vulnerabilities that vendors had not yet patched. Vendors have 90 days to develop and release security fixes before disclosure. Team Fuzzware.io secured the top prize with $215,000, followed by Team DDOS ($100,750) and Synacktiv ($85,000). Experts at RSAC 2026 emphasized that modern vehicles are effectively 'computers on wheels,' with attack surfaces expanding alongside connectivity and autonomous driving capabilities. The automotive industry continues to grapple with securing complex systems reliant on millions of lines of code, often developed by disparate suppliers without deep cybersecurity expertise. Regulatory frameworks like UN Regulation No. 155 now mandate cybersecurity assessments and secure development practices for vehicles across 63 countries.

Timeline

  1. 23.01.2026 14:50 · 3 articles

    76 Zero-Day Exploits Demonstrated at Pwn2Own Automotive 2026

    The Pwn2Own Automotive 2026 competition concluded with security researchers earning $1,047,000 after exploiting 76 zero-day vulnerabilities. Team Fuzzware.io won the contest with $215,000 in cash awards, followed by Team DDOS with $100,750 and Synacktiv with $85,000. Team Fuzzware.io also earned an extra $2,500 after a bug collision while attempting to root an Alpine iLX-F511 multimedia receiver. The contest highlighted the insecurity of IT and operational-technology (OT) components of vehicle systems, with a focus on aftermarket in-vehicle infotainment (IVI) systems and electric-vehicle (EV) chargers. Researchers demonstrated that EV chargers, while improved, still present a large attack surface. The contest also excluded specific vulnerabilities disclosed the previous year that infotainment-system manufacturers had not yet patched. The coverage reinforces the growing recognition of automotive cybersecurity risks, noting that vehicles are now 'computers on wheels' with attack surfaces that expand with connectivity and autonomy, a trend highlighted during the RSAC 2026 conference.

  2. 22.01.2026 14:30 · 2 articles

    29 Zero-Day Exploits Demonstrated on Second Day of Pwn2Own Automotive 2026

    On the second day of Pwn2Own Automotive 2026, security researchers exploited 29 unique zero-days, earning $439,250 in cash awards. Fuzzware.io led the competition with $213,000 earned after the first two days. Additional teams earned significant rewards for exploiting various automotive systems, including the Phoenix Contact CHARX SEC-3150 charging controller, the ChargePoint Home Flex EV charger, the Grizzl-E Smart 40A EV charging station, the Kenwood DNR1007XR navigation receiver, the Alpine iLX-F511 multimedia receiver, Automotive Grade Linux, and the Alpitronic HYC50 charging station. The total number of zero-day vulnerabilities exploited over the first two days reached 66, with researchers earning $955,750 in cash awards.

  3. 21.01.2026 14:16 · 3 articles

    37 Zero-Day Exploits Demonstrated at Pwn2Own Automotive 2026

    On the first day of the Pwn2Own Automotive 2026 competition, security researchers successfully exploited 37 zero-day vulnerabilities in various automotive systems, including the Tesla Infotainment System, Sony XAV-9500ES, Alpitronic HYC50 charging station, Autel charger, Kenwood DNR1007XR, Phoenix Contact CHARX SEC-3150, ChargePoint Home Flex, and Grizzl-E Smart 40A. The vulnerabilities were demonstrated in Tokyo, Japan, during the Automotive World auto conference, from January 21 to January 23, 2026. The researchers earned significant cash rewards for their exploits, with the Synacktiv team earning $35,000 for hacking the Tesla Infotainment System and $20,000 for the Sony XAV-9500ES. Other teams also earned substantial rewards for exploiting vulnerabilities in various charging stations and navigation systems. Vendors have 90 days to develop and release security fixes before Trend Micro's Zero Day Initiative publicly discloses the flaws.

Similar Happenings

Global Agencies Release OT Network Security Guidance

The US Cybersecurity and Infrastructure Security Agency (CISA), the UK’s National Cyber Security Centre (NCSC), the Federal Bureau of Investigation (FBI), and international partners have released a new set of security principles aimed at securing operational technology (OT) environments. The guidance addresses the growing risks associated with insecure connectivity in systems that support essential services, providing a framework to help organizations design and manage secure connectivity in OT networks. The document emphasizes the importance of embedding security into network design from the outset to reduce exposure to both highly capable and opportunistic adversaries, including nation-state actors. It highlights the increased interconnection between industrial systems and enterprise networks, which has improved efficiency but expanded the attack surface for cyber threat actors. The guidance was developed in collaboration with multiple international cybersecurity agencies, including ASD’s ACSC, Cyber Centre, BSI, NCSC-NL, and NCSC-NZ. CISA urges OT device manufacturers and integrators to embrace secure-by-design principles to reduce risk and safeguard critical systems.

Increased ICS Vulnerability Exploits and Hacktivist Activity in 2025

In 2025, cyber threat actors, including both cybercriminals and hacktivists, significantly increased their attacks on industrial control systems (ICS) and operational technology (OT) environments. The number of ICS vulnerability disclosures nearly doubled compared to 2024, with Siemens and Schneider Electric being the most affected vendors. Ransomware attacks also surged, particularly targeting manufacturing and healthcare sectors, while hacktivist groups focused on energy, utilities, and transportation sectors. The report predicts continued targeting of exposed HMI and SCADA systems in 2026.

Pro-Russia Hacktivists Target Critical Infrastructure with Low-Sophistication Attacks

Pro-Russia hacktivist groups are conducting opportunistic, low-sophistication cyberattacks against U.S., UK, and global critical infrastructure. These attacks target a wide range of sectors, including water treatment facilities, food production, energy systems, and local government bodies, using easily repeatable methods. The groups exploit minimally secured, internet-facing virtual network computing (VNC) connections to gain unauthorized access to operational technology (OT) control devices. The joint advisory from CISA, FBI, NSA, and global partners, along with a recent warning from the UK National Cyber Security Centre (NCSC), urges immediate action to mitigate these threats. The advisory highlights the use of basic methods to target supervisory control and data acquisition (SCADA) networks, sometimes combined with DDoS attacks. The cumulative impact of these activities poses a persistent and disruptive threat to essential services. According to a new report, groups such as Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), and Sector16 are using simple reconnaissance tools and common password-guessing techniques to reach internet-facing human-machine interfaces. These intrusions have caused physical impacts in some cases, including temporary loss of view and costly manual recovery efforts. The NCSC warns of continued malicious activity from Russian-aligned hacktivist groups targeting critical infrastructure and local government organizations in the UK with disruptive denial-of-service (DDoS) attacks. The NCSC notes that NoName057(16) operates the DDoSia project, a platform that allows volunteers to contribute computing resources to carry out crowdsourced DDoS attacks and receive monetary rewards or recognition from the community. Operation Eastwood disrupted NoName057(16)'s activity in mid-July 2025 by arresting two members of the group, issuing eight arrest warrants, and taking down 100 servers. Despite these efforts, the group has returned to action, highlighting the evolving threat it poses. Recent developments indicate that attackers are growing more interested in and accustomed to dealing with industrial machines, potentially leading to more sophisticated OT attacks. Ric Derbyshire, principal security engineer at Orange Cyberdefense, will demonstrate 'living-off-the-plant' attacks at the RSA Conference 2026; such attacks require a holistic understanding of the physical process, OT systems, network architecture, security controls, and human interactions.

Critical vulnerabilities in building automation systems affect global infrastructure

Over 800 vulnerabilities, many zero-day, were found in building automation systems used in 30 countries and 220 cities. These systems, originally developed by American Auto-Matrix in 2008, were acquired by Cylon Controls and later by ABB. The vulnerabilities allow remote takeover of critical infrastructure, including hospitals, airports, and government buildings. The vulnerabilities stem from an 18-year-old codebase that has not undergone security reviews. The affected systems were embedded in facilities operated by major companies, including technology campuses, correctional institutions, and entertainment venues. The vendor, ABB, has made efforts to fix some issues but has not been transparent about the patches and has inconsistently scored the severity of the vulnerabilities.

73 Zero-day Vulnerabilities Exploited in Pwn2Own Ireland 2025

The Pwn2Own Ireland 2025 hacking competition concluded with security researchers collecting $1,024,750 in cash awards after exploiting 73 zero-day vulnerabilities. The event, held in Cork, Ireland, targeted vulnerabilities in various devices, including smartphones, messaging apps, smart home devices, printers, and more. The Zero Day Initiative (ZDI) operates the event to identify security flaws before threat actors can exploit them. Summoning Team won the competition with 22 Master of Pwn points and $187,500 earned throughout the three-day event. Team ANHTUD secured second place with $76,750 and 11.5 Master of Pwn points, while Team Synacktiv took third place with $90,000 in prizes and 11 Master of Pwn points. The event featured eight categories, including new attack vectors for mobile devices, and offered a $1 million reward for a zero-click WhatsApp exploit. On the first day, researchers demonstrated 34 unique zero-days and collected $522,500 in cash awards. Team DDOS chained eight zero-day flaws to hack a QNAP Qhora-322 Ethernet wireless router and gain access to a QNAP TS-453E NAS device, earning $100,000. On the second day, researchers exploited 56 unique zero-day vulnerabilities and collected $792,750 in cash awards. Ken Gannon and Dimitrios Valsamaras hacked the Samsung Galaxy S25, earning $50,000 and 5 Master of Pwn points. On the third day, the Samsung Galaxy S25 was hacked by Interrupt Labs via an improper input validation bug, earning 5 Master of Pwn points and $50,000.