Pwn2Own Automotive 2025 Kicks Off with 16 Zero-Days and $382,750 in Prizes


The first day of Pwn2Own Automotive 2025 saw security researchers exploit 16 unique zero-day vulnerabilities, earning a total of $382,750 in cash prizes.

Leading the competition is Fuzzware.io, which successfully hacked the Autel MaxiCharger and Phoenix Contact CHARX SEC-3150 electric vehicle (EV) chargers. They used a stack-based buffer overflow and an origin validation error to pull off the attack, securing $50,000 and 10 Master of Pwn points.

Sina Kheirkhah from Summoning Team followed closely, earning $91,750 and 9.25 Master of Pwn points by exploiting a hard-coded cryptographic key in the Ubiquiti charger and a triple zero-day combo (including one previously known bug) in the Phoenix Contact CHARX SEC-3150.

In third place is Team Synacktiv, who demonstrated a vulnerability in the OCPP protocol to hack the ChargePoint Home Flex (Model CPH50) through signal manipulation via the connector. Their efforts earned them $57,500.

Other notable achievements include:

PHP Hooligans, who pocketed $50,000 for exploiting a heap-based buffer overflow in a fully patched Autel charger.

Viettel Cyber Security, who earned $20,000 by achieving code execution on the Kenwood In-Vehicle Infotainment (IVI) system through an OS command injection zero-day.

What Happens Next?

Once vulnerabilities are reported during Pwn2Own, vendors are given 90 days to develop and release security patches before Trend Micro's Zero Day Initiative publicly discloses them.

About Pwn2Own Automotive 2025

This year’s competition, focusing on automotive technologies, is being held in Tokyo from January 22 to January 24 as part of the Automotive World conference. Participants are targeting various automotive systems, including:

Electric vehicle chargers

In-vehicle infotainment (IVI) systems

Car operating systems, such as Automotive Grade Linux, Android Automotive OS, and BlackBerry QNX
While Tesla provided a benchtop unit simulating the Model 3/Y (Ryzen-based), researchers have so far registered attempts only against the Tesla Wall Connector.

Previous Successes

In the inaugural Pwn2Own Automotive event in January 2024, researchers earned $1,323,750, hacking Tesla twice and uncovering 49 zero-day vulnerabilities across various electric vehicle systems.
Just two months later, at Pwn2Own Vancouver 2024, hackers bagged $1,132,500, exploiting 29 zero-days. A standout moment came when Team Synacktiv took home $200,000 and a Tesla Model 3 after hacking the ECU via Vehicle (VEH) CAN BUS Control in under 30 seconds.
