In a world where cybersecurity is a constant battle, the Pwn2Own Automotive hacking contest shines a spotlight on the vulnerabilities lurking within our automotive technologies. This year's edition, held in Tokyo, Japan, from January 21 to 23, has already seen some jaw-dropping exploits and impressive cash rewards.
On day two, security researchers demonstrated their skills by exploiting a staggering 29 unique zero-day vulnerabilities, earning themselves a collective $439,250 in the process. But here's where it gets controversial: these exploits targeted fully patched electric vehicle (EV) chargers, in-vehicle infotainment systems, and even car operating systems like Automotive Grade Linux.
Fuzzware.io, currently leading the competition's leaderboard, has already earned an impressive $213,000 after just two days. Their hacking prowess was on full display as they successfully compromised the Phoenix Contact CHARX SEC-3150 charging controller, the ChargePoint Home Flex EV charger, and the Grizzl-E Smart 40A EV charging station, bagging an additional $95,000 in the process.
Sina Kheirkhah of Summoning Team and Rob Blakely of Technical Debt Collectors, along with Hank Chen of InnoEdge Labs, also made significant contributions, each earning $40,000 for their zero-day exploit chains targeting Automotive Grade Linux and the Alpitronic HYC50 charging station.
After the first two days, the security researchers have collectively earned a whopping $955,750 in cash awards, having exploited a total of 66 zero-day vulnerabilities. But the competition is far from over, and day three promises more exciting challenges.
The Grizzl-E Smart 40A will once again be in the spotlight as Slow Horses of Qrious Secure and the PetoWorks team attempt to exploit it. Meanwhile, the Juurin Oy team will set their sights on the Alpitronic HYC50, and Ryo Kato will try to crack the Autel MaxiCharger.
On day one, the Synacktiv Team demonstrated their expertise by chaining an information leak and an out-of-bounds write flaw to obtain root permissions on the Tesla Infotainment System via a USB-based attack, earning them $35,000. They followed this up with another $20,000 for chaining three zero-day flaws to gain root-level code execution on the Sony XAV-9500ES digital media receiver.
The full schedule for day two and the results of each challenge can be found on the official website. The complete schedule for Pwn2Own Automotive 2026 is also available, providing a glimpse into the intense competition ahead.
Last year's Pwn2Own Automotive competition saw hackers collect a substantial $886,250 after exploiting 49 zero-days. The year before, during the Pwn2Own Automotive 2024 contest, they took home an even more impressive $1,323,750 after demonstrating 49 zero-day bugs and hacking a Tesla car twice.
Vendors have 90 days to develop and release security fixes for the zero-day flaws exploited and reported during the Pwn2Own contest before the Zero Day Initiative publicly discloses them. This gives them a crucial window to address these vulnerabilities and enhance the security of their automotive technologies.
As we head into 2026, it's clear that cybersecurity budgets and strategies are more important than ever. A recent report, the 2026 CISO Budget Benchmark, provides valuable insights into how top leaders are allocating their resources and turning investment into measurable impact.
So, what do you think? Are these hacking contests a necessary evil to expose vulnerabilities and improve security, or do they pose a significant risk? Join the discussion and share your thoughts in the comments below!
