LmCast :: Stay tuned in

Hackers exploit 29 zero-days on second day of Pwn2Own Automotive

Recorded: Jan. 22, 2026, 1:03 p.m.

By Sergiu Gatlan

January 22, 2026
07:30 AM

On the second day of Pwn2Own Automotive 2026, security researchers collected $439,250 in cash awards after exploiting 29 unique zero-days.
The Pwn2Own Automotive hacking contest focuses on automotive technologies and takes place this week in Tokyo, Japan, from January 21 to January 23, during the Automotive World auto conference.
Throughout the competition, security researchers target fully patched electric vehicle (EV) chargers, in-vehicle infotainment (IVI) systems, and car operating systems (e.g., Automotive Grade Linux).

Fuzzware.io currently leads the competition's leaderboard with $213,000 earned after the first two days, and has earned another $95,000 by hacking the Phoenix Contact CHARX SEC-3150 charging controller, the ChargePoint Home Flex EV charger, and the Grizzl-E Smart 40A EV charging station.
Sina Kheirkhah of Summoning Team collected another $40,000 after rooting the Kenwood DNR1007XR navigation receiver, the ChargePoint Home Flex, and the Alpine iLX-F511 multimedia receiver.
Rob Blakely of Technical Debt Collectors and Hank Chen of InnoEdge Labs were also awarded $40,000 each after demonstrating zero-day exploit chains targeting Automotive Grade Linux and the Alpitronic HYC50 charging station.
After the first two days of the contest, security researchers have earned $955,750 in cash awards after exploiting 66 zero-day vulnerabilities.

Pwn2Own Automotive Day 2 leaderboard (ZDI)
On the third day of Pwn2Own, the Grizzl-E Smart 40A will be targeted again by Slow Horses of Qrious Secure and the PetoWorks team, while the Juurin Oy team will go after the Alpitronic HYC50, and Ryo Kato will attempt to exploit the Autel MaxiCharger.
On the first day, Synacktiv Team earned $35,000 after successfully chaining an information leak and an out‑of‑bounds write flaw to obtain root permissions on the Tesla Infotainment System via a USB-based attack and an additional $20,000 cash award for chaining three zero-day flaws to gain root-level code execution on the Sony XAV-9500ES digital media receiver.
The full schedule for the second day and the results for each challenge are available here, while the complete schedule for Pwn2Own Automotive 2026 is available here.
During last year's Pwn2Own Automotive competition, hackers collected $886,250 after exploiting 49 zero-days. The previous year, during the Pwn2Own Automotive 2024 contest, they collected another $1,323,750 after demoing 49 zero-day bugs and hacking a Tesla car twice.
Vendors have 90 days to develop and release security fixes for zero-day flaws that are exploited and reported during the Pwn2Own contest, before Trend Micro's Zero Day Initiative publicly discloses them.

Hackers exploited 29 zero-days during the second day of the Pwn2Own Automotive 2026 competition, resulting in a total of $439,250 in cash awards. This event, held in Tokyo, Japan, from January 21 to January 23, focused on vulnerabilities within automotive technologies. The contest, organized by Trend Micro’s Zero Day Initiative (ZDI), targets electric vehicle (EV) chargers, in-vehicle infotainment (IVI) systems, and car operating systems like Automotive Grade Linux.

The overall competition leaderboard, currently dominated by Fuzzware.io, showcased significant financial rewards for successful exploitation. Fuzzware.io secured $213,000 through targeting the Phoenix Contact CHARX SEC-3150 charging controller, the ChargePoint Home Flex EV charger, and the Grizzl-E Smart 40A EV charging station. Sina Kheirkhah of Summoning Team earned $40,000 by rooting the Kenwood DNR1007XR navigation receiver, the ChargePoint Home Flex, and the Alpine iLX-F511 multimedia receiver. Furthermore, Rob Blakely of Technical Debt Collectors and Hank Chen of InnoEdge Labs were awarded $40,000 each for demonstrating zero-day exploit chains targeting Automotive Grade Linux and the Alpitronic HYC50 charging station.

The competition’s second day witnessed a further $955,750 distributed across various exploits. Notably, Synacktiv Team earned $35,000 for chaining an information leak and an out-of-bounds write flaw to obtain root permissions on the Tesla Infotainment System via a USB-based attack, with an additional $20,000 awarded for chaining three zero-day flaws to gain root-level code execution on the Sony XAV-9500ES digital media receiver. This highlights the critical vulnerabilities present in commonly used automotive entertainment systems.

Looking back at the first day’s results, the total awarded was $955,750, encompassing a significant number of zero-day vulnerabilities. This underscores the ongoing efforts within the cybersecurity community to identify and address weaknesses in automotive systems.

Vendors are given 90 days to develop and release security patches following the identification of these zero-day vulnerabilities, a standard practice overseen by ZDI. This timeline reflects the urgency in mitigating these risks. The 2026 competition builds upon a history of similar events, with previous contests yielding substantial rewards – $886,250 in 2024 and $1,323,750 in 2024. This provides a valuable benchmark for assessing the ongoing security landscape within the automotive industry.

The success of the event demonstrates the importance of bug bounty programs, incentivizing security researchers to proactively identify and report vulnerabilities before they can be exploited by malicious actors. The competition contributes directly to improving automotive security, pushing vendors to prioritize and rapidly address discovered flaws, ultimately enhancing the safety and security of vehicles and their occupants.