On the opening day of the Pwn2Own Automotive 2025 competition, held in Tokyo from January 22 to 24, participants uncovered and demonstrated 16 unique zero-day vulnerabilities. The total prize money awarded reached an impressive $382,750, with the hacked targets including electric vehicle (EV) charging stations and in-vehicle infotainment (IVI) systems.
One of the most noteworthy achievements was accomplished by the Fuzzware.io team, which successfully exploited vulnerabilities in the Autel MaxiCharger and Phoenix Contact CHARX SEC-3150 charging stations. Using a stack-based buffer overflow and an origin validation error, the team earned $50,000 and 10 points toward the coveted “Master of Pwn” leaderboard.
Meanwhile, researcher Sina Heirha from Summoning Team received $91,750 and 9.25 points for identifying a vulnerability involving a hardcoded cryptographic key and demonstrating a chain of three zero-day exploits in Ubiquiti and Phoenix Contact charging stations (one of which was previously known).
The Synacktiv team earned $57,500 by executing an attack on the ChargePoint Home Flex (CPH50) charging station, where they identified a flaw in the OCPP protocol that allowed signal manipulation via the connector.
The PHP Hooligans team presented a heap-based buffer overflow exploit targeting an Autel charging device, securing a $50,000 reward. Viettel Cyber Security, on the other hand, successfully achieved remote code execution on a Kenwood infotainment system using an OS command injection, earning $20,000.
All vulnerabilities discovered during the competition were disclosed to the manufacturers under a coordinated disclosure process, granting vendors 90 days to release official patches. After this period, the Zero Day Initiative (ZDI) will publish detailed information about the issues.
Pwn2Own Automotive, focused exclusively on automotive technologies, encompasses attacks not only on EV charging stations but also on various in-car systems and the operating systems utilized in the automotive industry, such as Automotive Grade Linux, Android Automotive OS, and BlackBerry QNX.
This year, Tesla provided a setup replicating the hardware of Model 3/Y vehicles based on the Ryzen platform for exploitation. However, attacks were limited to Tesla’s charging station, and no attempts were made on the vehicle’s internal systems.
The first day of the competition underscored the persistent concerns surrounding the security of automotive technologies and EV infrastructure. Organizers reminded attendees of the inaugural Pwn2Own Automotive in January 2024, which featured a prize pool of $1.32 million and saw researchers uncovering a record-breaking 49 vulnerabilities, including flaws in Tesla systems.
Two months later, at Pwn2Own Vancouver 2024, experts earned over $1 million by exposing 29 vulnerabilities across various products. During the event, Synacktiv made headlines by winning $200,000 and a Tesla Model 3 after breaching its electronic control unit (ECU) via the CAN bus in under 30 seconds.
Judging by the results of the first day, this year’s competition promises to be just as fierce. Vendors will need to act swiftly to address emerging threats and protect users from potential risks.
