Pwn2Own Automotive 2026 - Day ... Note

Pwn2Own Automotive 2026 - Day One Results

Day One of Pwn2Own Automotive 2026 commenced with thirty entries targeting the latest automotive systems, featuring exploits and security breakthroughs from top researchers. The competition saw significant success across various categories, particularly in exploiting in-vehicle infotainment (IVI) systems and electric vehicle chargers. Several teams, including Neodyme AG and Synacktiv, successfully gained root-level access on IVI units like the Alpine iLX-F511 and Sony XAV-9500ES through vulnerabilities such as buffer overflows and chained exploits. EV chargers proved lucrative targets, with Fuzzware.io, PetoWorks, and others manipulating charging signals or achieving code execution on devices like the Autel charger and Phoenix Contact CHARX SEC-3150, often chaining multiple bugs. Notably, the Grizzl-E Smart 40A charger was successfully exploited multiple times, including a win by SKShieldus using hardcoded credentials and an authentication bypass leading to remote code execution by Compass Security. Some attempts resulted in failure, such as the initial exploit against the Kenwood DNR1007XR and attempts by Fuzzware.io against the EMPORIA Pro Charger. However, subsequent attempts quickly exploited the Kenwood unit through command injection and out-of-bounds writes by other researchers. The competition also included successful collisions where multiple teams exploited the same or similar vulnerabilities, resulting in split rewards and Master of Pwn points. Synacktiv achieved a full win in the Tesla Infotainment category by chaining an information leak and an out-of-bounds write via a USB-based attack. Overall, the day was marked by numerous successful exploits, demonstrating critical vulnerabilities in modern automotive and charging infrastructure components.
CdXz5zHNQW_DCzVPK6hBE.png