Pwn2Own Automotive 2026: Hackers Cash In Nearly Half a Million Dollars on Day Two

The world of automotive cybersecurity is under the microscope as Pwn2Own Automotive 2026 continues in Tokyo, Japan. This elite hacking contest, held from January 21 to 23 alongside the Automotive World conference, challenges researchers to exploit vulnerabilities in electric vehicle (EV) infrastructure, infotainment systems, and car operating systems. The stakes are high: fully patched systems, including Automotive Grade Linux platforms, EV chargers, and in-vehicle multimedia units, are being targeted with sophisticated zero-day exploits—and the payouts are just as impressive.

On the second day alone, security researchers earned $439,250 after uncovering 29 unique zero-day vulnerabilities. Fuzzware.io leads the leaderboard, collecting $213,000 in the first two days and an additional $95,000 for exploiting the Phoenix Contact CHARX SEC-3150, the ChargePoint Home Flex, and the Grizzl-E Smart 40A EV chargers. Meanwhile, Sina Kheirkhah of Summoning Team claimed $40,000 by rooting the Kenwood DNR1007XR navigation receiver, the ChargePoint Home Flex, and the Alpine iLX-F511 multimedia receiver. Not far behind, Rob Blakely of Technical Debt Collectors and Hank Chen of InnoEdge Labs each earned $40,000, demonstrating zero-day exploit chains against Automotive Grade Linux and the Alpitronic HYC50 charging station.

In total, after the first two days of Pwn2Own Automotive 2026, researchers have amassed $955,750 by exploiting 66 zero-day vulnerabilities. Day three promises more action: the Grizzl-E Smart 40A will face attacks from Slow Horses of Qrious Secure and PetoWorks, Juurin Oy will target the Alpitronic HYC50, and Ryo Kato will attempt to breach the Autel MaxiCharger. The first day alone saw Synacktiv Team earn $35,000 by chaining an information leak with an out-of-bounds write to gain root on a Tesla Infotainment System via USB, plus $20,000 for exploiting three zero-days on the Sony XAV-9500ES media receiver.

Pwn2Own Automotive has grown into a crucial testing ground for EV and automotive security. Last year, hackers collected $886,250 after exploiting 49 zero-days, while in 2024, payouts exceeded $1.3 million for 49 vulnerabilities and two Tesla hacks. Vendors have 90 days to release patches for disclosed zero-days before Trend Micro's Zero Day Initiative publishes full technical details.

What Undercode Say:

Pwn2Own Automotive is more than just a cash competition—it’s a real-time stress test for the automotive industry. The rapid accumulation of zero-day exploits demonstrates that modern EV and infotainment systems remain fertile ground for attackers, even when fully patched. This highlights the growing complexity of connected vehicles and the challenge of keeping hardware and software secure.

The contest also underscores the role of specialized security research teams. Companies like Fuzzware.io and Summoning Team are not just participating for prizes—they are actively shaping security standards by uncovering flaws that manufacturers may never have identified internally. The sheer volume of exploits—66 zero-days in two days—signals that even sophisticated systems are vulnerable to multi-stage attack chains that combine information leaks, memory corruption, and privilege escalation.

EV charging infrastructure has emerged as a particularly lucrative target. With more households adopting home EV chargers, each device represents a potential entry point for attackers seeking access to smart grids or vehicle networks. Similarly, infotainment systems remain a weak link. Rooting a multimedia unit or navigation system can provide a foothold into a vehicle’s internal network, offering attackers control over sensitive data and potentially influencing vehicle behavior.

The evolving threat landscape requires a multi-layered approach to cybersecurity. Manufacturers can no longer rely solely on patch cycles—they must incorporate proactive testing, continuous monitoring, and collaboration with ethical hackers. Pwn2Own acts as a bridge between theoretical research and practical impact, compressing what might take months of internal security testing into days of controlled exposure.

Another important trend is the speed of payout versus patch deployment. Researchers are incentivized to disclose exploits quickly, but vendors are under a 90-day clock to fix critical flaws. This system ensures that vulnerabilities are not only discovered but also responsibly remediated, creating a feedback loop that strengthens the security ecosystem while keeping attackers outside the controlled competition.

The prominence of zero-day exploits against Automotive Grade Linux also indicates that open-source platforms, while flexible and cost-effective, carry unique risks. A single vulnerability in shared libraries or kernel modules can have cascading effects across multiple vendors and devices. Teams like Technical Debt Collectors and InnoEdge Labs exemplify the skills required to navigate this complex landscape, using chained exploits to reveal hidden risks before they become public threats.

From a strategic standpoint, Pwn2Own also drives innovation in defensive security. Vendors are increasingly investing in threat modeling, fuzzing tools, and intrusion detection systems that can simulate the creativity of elite hackers. Over time, this contest not only rewards attackers but indirectly strengthens the resilience of automotive technology.

Fact Checker Results:

✅ Total payouts and zero-day counts match official Pwn2Own Automotive 2026 reports.

✅ Vendors have 90 days to patch zero-days before public disclosure, as confirmed by Trend Micro ZDI.

✅ Day-one Tesla and Sony exploits were accurately reported by multiple security news outlets.

Prediction:

🚗 Expect EV charger and infotainment exploits to become even more lucrative as adoption grows.
💻 Open-source automotive platforms like AGL will continue to be high-priority targets.
💰 Payouts for future Pwn2Own Automotive contests may surpass $2 million as complexity and stakes rise.

References:

Reported By: www.bleepingcomputer.com