Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
India Halts WhatsApp Usernames Rollout Due to Fraud Concerns
July 1, 2026
Critical Cursor IDE RCE Vulnerabilities Allow Zero-Click Prompt Injection
July 1, 2026
Automated Password Spray Attacks Target Microsoft Azure CLI
July 1, 2026
Home/CyberSecurity News/Hackers Earned $516,500 for 37 Unique 0-day Vulnerabilities – Pwn2Own Automotive 2026
CyberSecurity News

Hackers Earned $516,500 for 37 Unique 0-day Vulnerabilities – Pwn2Own Automotive 2026

On its first day, Pwn2Own Automotive 2026 awarded $516,500 USD for the disclosure of 37 zero-day vulnerabilities. This brings the event’s cumulative total to $955,750 USD across 66 unique...

Sarah simpson
Sarah simpson
January 22, 2026 3 Min Read
36 0

On its first day, Pwn2Own Automotive 2026 awarded $516,500 USD for the disclosure of 37 zero-day vulnerabilities. This brings the event’s cumulative total to $955,750 USD across 66 unique vulnerabilities, underscoring the automotive sector’s substantial attack surface.

The competition showcased exploits targeting multiple vehicle subsystems, including in-vehicle infotainment (IVI) systems, EV charging stations, and embedded Linux environments.

Researchers successfully demonstrated command injection flaws, buffer overflows, authentication bypasses, and privilege escalation vulnerabilities across devices manufactured by Alpine, Kenwood, Phoenix Contact, Alpitronic, and Autel.

Fuzzware.io emerged as a commanding leader in the Master of Pwn standings, demonstrating technical sophistication through complex vulnerability chains.

the final day of the contest brings (source : zerodayinitiative )
The final day of the contest brings (source: zerodayinitiative )

Combining command injection vulnerabilities with protocol manipulation add-ons to maximize points.

The team exploited multiple bugs in the Phoenix Contact CHARX SEC-3150 and ChargePoint Home Flex (CPH50-K) systems.

DDoS attack targeting the Phoenix Contact CHARX SEC‑3150 via signal manipulation (source : zerodayinitiative )
DDoS attack targeting the Phoenix Contact CHARX SEC‑3150 via signal manipulation (source: zerodayinitiative )

Their strategy of chaining multiple vulnerabilities reflects advanced exploitation techniques required in modern automotive security research.

Among Day Two’s standout achievements, Rob Blakely of Technical Debt Collectors successfully chained three bugs: an out-of-bounds read, memory exhaustion, and a heap overflow against Automotive Grade Linux, earning $40,000 USD.

This exploit chain demonstrated the criticality of defending open-source automotive platforms used across the industry.

EV Charging Infrastructure Vulnerabilities Exposed

Charging infrastructure emerged as a prominent vulnerability vector, with multiple teams successfully bypassing security on EV charging stations.

Synacktiv exploited a stack-based buffer overflow in the Autel MaxiCharger AC Elite Home 40A. At the same time, the Summoning Team demonstrated command-injection flaws in ChargePoint Home Flex systems.

Targeted the Autel MaxiCharger AC Elite Home 40A (source : zerodayinitiative )
Targeted the Autel MaxiCharger AC Elite Home 40A (source: zerodayinitiative )

These attacks underscore the security implications of rapidly expanding EV charging networks.

The event also documented collision exploits in which multiple teams independently discovered the same vulnerabilities.

Fifteen collision submissions occurred across Day Two, reducing overall prize payouts but validating that specific security flaws are discoverable through multiple research approaches.

Fuzzware.io’s commanding lead suggests the final day may determine the Master of Pwn title, with technical execution and vulnerability discovery speed becoming decisive factors.

According to zerodayinitiative, the cumulative vulnerability count of 66 zero-days across two days highlights the breadth of automotive attack surfaces, from infotainment and charging protocols to embedded operating systems.

Day Three will likely bring additional discoveries as the competition concludes.

The vulnerabilities disclosed at Pwn2Own inform vendor security roadmaps and contribute to industry-wide hardening efforts across connected vehicle platforms.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitHackerSecurityVulnerabilityzero-day

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Attackers Reverse‑Engineer Patch to Exploit SmarterMail Admin Bypass in the Wild

Next Post

Attackers Infrastructure Exposed Using JA3 Fingerprinting Tool

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Fluentd Vulnerabilities Allow Remote Code Execution
July 1, 2026
Weaponized Google Ads Install Malicious Claude Code to Hijack macOS
July 1, 2026
Critical Adobe ColdFusion Vulnerabilities Let Attackers Run Code
July 1, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us