The 2026 edition of Pwn2Own Automotive closed this week in Tokyo with a striking figure: security researchers collectively earned $1,047,000 after demonstrating the exploitation of 76 zero-day vulnerabilities between 21 and 23 January. The event, held during the Automotive World conference, again focused on the security of connected vehicles and the infrastructure around them.
Pwn2Own Automotive is a competition organized by the Zero Day Initiative (ZDI) that challenges research teams to find and demonstrate flaws in real systems, both in cars and in related peripherals. In this edition the targets included current infotainment systems, electric vehicle chargers and automotive operating systems such as Automotive Grade Linux. The philosophy behind the competition is practical: demonstrate flaws under controlled conditions and push manufacturers to fix them before public disclosure. Under ZDI policy, manufacturers have 90 days from the report of a vulnerability discovered in the contest to publish patches; this window seeks to balance the security of the end user against the time the vendor needs to repair the issue. More details on the results and the schedule are available in ZDI's reports on the contest: the day-three summary and the full schedule.

Beyond the prize money, what concerns the industry is the type of attack vector that was exploited. In-vehicle infotainment (IVI) systems are becoming ever more powerful and accessible: they expose USB ports, wireless connectivity and third-party applications, making them an ideal entry point for escalating an attack into more critical vehicle domains. Electric vehicle (EV) chargers, for their part, are not simple smart plugs; many integrate controllers, network interfaces and management panels that can be attacked to interrupt charging, manipulate billing or, in extreme scenarios, affect local power availability. The demonstration of 76 vulnerabilities in just three days is a reminder that the attack surface of the automotive ecosystem keeps growing as fast as the complexity of its components.
On the podium, the Fuzzware.io team took first place with $215,000 after a series of successful demonstrations. Its targets included charging stations and charge controllers such as the Alpitronic HYC50 and Autel devices, as well as multimedia receivers such as the Kenwood DNR1007XR. On the second day the team extended its streak to industrial controllers and home chargers, including a flaw in the Phoenix Contact CHARX SEC-3150 controller and others in the ChargePoint Home Flex and Grizzl-E stations, and finished with a smaller additional award for a bug collision while attempting to root an Alpine iLX-F511 receiver. Other teams such as DDOS and Synacktiv also took significant awards; Synacktiv, for example, chained an out-of-bounds write with an information leak to compromise Tesla's infotainment system through a USB attack. These details and the full evidence can be found in ZDI's report on the contest days (ZDI: Day Three Results).
Contests like this serve two purposes at once: they reveal the real weaknesses that exist today and create effective pressure on manufacturers to invest in patches and in secure development practices. However, the mere existence of a patch is not enough: the automotive industry must ensure that updates actually reach vehicles and equipment in the field, ideally through secure OTA (over-the-air) mechanisms, and must segment critical functions into isolated domains that make lateral movement harder after an initial intrusion. Dependency management, review of third-party components and the adoption of controls such as firmware signing and secure boot are measures that become more important as the car becomes one more node on the network.
From the perspective of users and operators, these tests show that security is no longer a matter for the manufacturer alone: workshops, fleet managers and owners should demand transparency about how updates are managed and what guarantees exist for the isolation of critical systems. For cities and infrastructure operators, vulnerabilities in EV chargers carry operational and economic risks that require coordination between manufacturers, energy providers and regulators.

Contests like Pwn2Own act as a security accelerator: they encourage those who discover flaws to report them responsibly rather than selling exploits on grey markets, and they generate useful data for prioritizing fixes. But the prize money is not the real measure of success: the real value is that those vulnerabilities cease to exist in the real equipment that drives on the road or supplies energy. The responsibility now lies with manufacturers and system integrators to turn these findings into effective updates and continuous audits.
If you want to dig deeper into the results and techniques demonstrated during the event, ZDI's official reports are the best primary source: the closing summary of the competition and the full schedule offer lists of targets, descriptions of the techniques used and the timeline for disclosure to manufacturers.
The lesson for 2026 is clear: as mobility and electrification advance at high speed, cybersecurity must be an early and sustained priority. Investing in secure design, reliable update processes and transparency in vulnerability disclosure is not optional; it is essential to protect the users, fleets and infrastructure that support electric mobility.