$439,250 in prizes after exploiting 29 zero-day vulnerabilities: the second day of Pwn2Own Automotive 2026 reveals the fragility of the connected cars

4 min read

The second day of the Pwn2Own Automotive 2026 competition left an impressive haul for the bug hunters: $439,250 in prizes after exploiting 29 different zero-day vulnerabilities. The competition, held from 21 to 23 January in Tokyo as part of the Automotive World conference, once again puts the spotlight on the security of the systems that today power and charge electric cars and drive their multimedia centres.

In Pwn2Own Automotive the teams go up against real devices: electric vehicle charging stations, in-vehicle infotainment (IVI) systems and automotive operating systems such as Automotive Grade Linux. The purpose is not only to win cash prizes, but to force the identification and correction of flaws that, in the real world, could put the privacy or even the physical safety of drivers and passengers at risk. The organisers publish the record of results and technical details; the summary of the second day is available on the Zero Day Initiative (ZDI) blog, where the dynamics and criteria of the competition are also explained.


After the first two days, fuzzware.io leads the standings with $213,000 accumulated, part of which came from successful attacks against controllers and charging stations such as the Phoenix Contact CHARX SEC-3150, the ChargePoint Home Flex and the Grizzl-E Smart 40A. Other teams stood out for the diversity of their targets and the complexity of their exploit chains: Sina Kheirkhah, of the Summoning Team, took $40,000 by gaining root privileges on multimedia receivers and browsers (including the Kenwood DNR1007XR and the Alpine iLX-F511) and also compromising a ChargePoint charger. Similarly, Rob Blakely (Technical Debt Collectors) and Hank Chen (InnoEdge Labs) obtained $40,000 each for demonstrating vulnerability chains affecting Automotive Grade Linux and the Alpitronic HYC50 charging station.

The total for the first two days amounts to $955,750, distributed after the exploitation of 66 zero-day vulnerabilities, which confirms the density of critical flaws that still persist in the connected automotive ecosystem. The full schedule and target list for the competition is published by ZDI in its event programme (consult the calendar), which provides context on which manufacturers and models are the subject of each challenge.

The third day is scheduled to continue with attacks against specific stations: the Grizzl-E Smart 40A will again be targeted by teams such as Slow Horses of Qrious Secure and PetoWorks, Juurin Oy will try to compromise the Alpitronic HYC50, and Ryo Kato will go for the Autel MaxiCharger. These repeat attempts are not accidental: in many cases they serve to validate alternative attack vectors, confirm the reproducibility of the exploits and explore whether the same vulnerability can be exploited from different angles (e.g., via a physical interface versus over the network).

To understand why Pwn2Own matters, it should be remembered that the flaws discovered here are not published openly right away. The manufacturers concerned have 90 days after notification to develop and distribute patches, a time frame that forms part of the coordinated disclosure process led by the ZDI and other initiatives dedicated to improving security through research incentives. This mechanism seeks to balance the urgency of correcting errors with the need for vendors to deliver technically complete fixes, preventing the flaws from being exposed to users and operators without a remedy. More information on the philosophy and rules of the program is available on the website of the Zero Day Initiative.


The model of paid competitions offers several practical advantages: it attracts highly qualified researchers who test real scenarios on commercial hardware and software, forces manufacturers to take seriously the security of products that integrate networks and sensors, and accelerates the availability of patches. However, it also reveals that the transition to connected vehicles and smart charging infrastructure has introduced a new layer of complexity and attack surface that many companies are still learning to manage.

These events have shown a consistent pattern for years: modern automotive systems combine third-party components, legacy embedded software and increasingly sophisticated network connections, which multiplies the vectors by which an attacker could reach critical functions. In this context, initiatives such as Pwn2Own serve as public and constructive stress tests that pressure the industry to raise its security level.

If you are interested in following the results and the mitigations announced by manufacturers and organisers, the contest summaries and the official ZDI releases are a good starting point (results of day 2 and full programme). For industry and users, the lesson is clear: connectivity brings convenience, but it also forces security to be built in as a design requirement, not bolted on as an afterthought.
