


Perceptive Security
SOC/SIEM Consultancy

Hackers get $1,047,000 for 76 zero-days at Pwn2Own Automotive 2026
Published: 23 January 2026 at 12:50:11
Alert date: 23 January 2026 at 13:01:37
Source: bleepingcomputer.com
Zero-Day Vulnerabilities, Mobile & IoT, Critical Infrastructure
Security researchers earned $1,047,000 at Pwn2Own Automotive 2026 by successfully exploiting 76 zero-day vulnerabilities during the three-day competition held January 21-23, 2026. The contest focused on automotive security systems and connected vehicle technologies. Multiple teams demonstrated critical vulnerabilities in various automotive platforms and components. The high payout reflects the severity and number of previously unknown security flaws discovered. This represents a significant security research achievement highlighting vulnerabilities in modern automotive systems.
Technical details
Security researchers exploited 76 zero-day vulnerabilities across automotive systems, including in-vehicle infotainment (IVI) systems, electric vehicle (EV) chargers, and car operating systems such as Automotive Grade Linux. Attacks included out-of-bounds write flaws combined with information leaks, USB-based attacks on the Tesla Infotainment System, and exploitation of various EV charging controllers and stations.
Mitigation steps:
Vendors have 90 days from the contest to develop and release security fixes for the zero-day vulnerabilities that were exploited and reported during Pwn2Own. After that window, Trend Micro's Zero Day Initiative publicly discloses them.
Affected products:
Alpitronic HYC50 Charging Station
Autel charger
Kenwood DNR1007XR navigation receiver
Phoenix Contact CHARX SEC-3150 charging controller
ChargePoint Home Flex EV charger
Grizzl-E Smart 40A EV charging station
Alpine iLX-F511 multimedia receiver
Tesla Infotainment System
Automotive Grade Linux
Related links:
https://www.automotiveworld.jp/tokyo/en-gb.html
http://bsky.app/profile/thezdi.bsky.social/post/3md37g5bgf226
https://www.bleepingcomputer.com/news/security/tesla-hacked-37-zero-days-demoed-at-pwn2own-automotive-2026/
https://www.bleepingcomputer.com/news/security/hackers-exploit-29-zero-day-vulnerabilities-on-second-day-of-pwn2own-automotive/
https://www.zerodayinitiative.com/blog/2026/1/23/pwn2own-automotive-2026-day-three-results-and-the-master-of-pwn
https://www.zerodayinitiative.com/blog/2026/1/20/pwn2own-automotive-2026-the-full-schedule
https://www.bleepingcomputer.com/news/security/pwn2own-automotive-13m-for-49-zero-days-tesla-hacked-twice/
https://www.bleepingcomputer.com/news/security/hackers-get-886-250-for-49-zero-days-at-pwn2own-automotive-2025/
This article was created with the assistance of AI technology by Perceptive.
