As an automotive cybersecurity leader, VicOne delivers threat intelligence and security insights tailored to the specialized needs of the modern mobility ecosystem. The VicOne Situational Awareness Report in Q2 2026 examines observed cybersecurity incidents, ransomware activity, Common Weakness Enumeration (CWE) findings, and AI-related risks from April through June 2026.
Q2 2026 Highlights
VicOne observed 477 automotive-related cybersecurity incidents in Q2 2026, an almost 20% increase from Q1.
With 245 incidents, the Americas overtook Europe (113) as the region with the highest reported volume.
Ransomware activity declined to 160 incidents from 180 in Q1, but logistics and transportation still accounted for 40% of Q2 ransomware activity.
Injection-related CWEs led the overall weakness ranking in Q2, while AI-related signals showed how risk can surface through ECU modification tools and attacker adaptation to AI-assisted security workflows.
Threat landscape
VicOne tracked 477 automotive-related cybersecurity incidents in Q2 2026, up from 405 in Q1, representing a 17.8% quarter-over-quarter increase. This rise was accompanied by a notable change in regional distribution.
Regional distribution
![]()
Figure 1. Regional distribution of observed automotive cybersecurity incidents in Q1 and Q2 2026
The Americas became the region with the highest number of reported incidents, increasing from 140 to 245, a spike that accounted for over 51% of all Q2 incidents. Europe, which recorded the highest volume in Q1, saw incidents decline from 161 to 113. Europe is followed by Asia (68), while other regions accounted for a smaller share of observed activity.
Domain distribution
Across affected domains, enterprise IT systems remained the most affected, with incidents increasing from 210 in Q1 to 230 in Q2. In-vehicle systems recorded the largest increase, rising from 129 incidents in Q1 to 168 in Q2. This was followed by operational technology systems (31), charging infrastructure (28), connected vehicle backend services (18), and vehicle companion apps (2). No affected domain recorded a quarter-over-quarter decline.
![]()
Figure 2. Q2 incidents remained concentrated in enterprise IT, with stronger growth across vehicle-adjacent domains.
Several Q2 incidents illustrate how cybersecurity risk can span both operational platforms and in-vehicle systems.
April 3, 2026: a fleet management software provider confirmed a disruption affecting one of its platforms, which impacted access to fleet dashboards, vehicle tracking, and maintenance scheduling for customers in the UK and US.
June 13, 2026: Research demonstrated that a 2021 vehicle’s infotainment system accepted USB software updates signed with publicly available Android Open Source Project (AOSP) test keys, allowing unauthorized software installation through physical access to the vehicle’s USB port. They dubbed the technique “EvilValet,” likening it to a malicious valet gaining access to the vehicle.
In the Overlap Era, incidents like these show how a weakness or disruption in one part of the automotive ecosystem can create operational, security, or compliance implications elsewhere.
Ransomware activities
Ransomware activity in Q2 2026 remained active across the automotive ecosystem, with the data showing differences in both actor distribution and affected industries.
Ransomware activity and group distribution
In Q2 2026, ransomware activity affecting the automotive industry declined to 160 incidents, compared to 180 in Q1. However, activity accelerated toward the end of the quarter. After dropping from 53 incidents in April to 46 in May, ransomware incidents rebounded to 61 in June, the quarter’s highest monthly total.
![]()
Figure 3. Monthly ransomware activity affecting the automotive industry in Q2 2026
Qilin was the most active named group with 15 incidents. A few of their activities included claimed attacks against an automotive retail and distribution network in Ukraine in May 2026 and a car OEM’s subsidiary in Thailand in June 2026. The group was followed closely by The Gentlemen (14), LockBit (12), and Akira (11).
![]()
Figure 4. Distribution of Q2 ransomware activity by named group
Activity was also distributed across smaller groups, including DeadLock, DragonForce, Safepay, Aur0ra, INC Ransom, and NightSpire. The Other category still accounted for 81 incidents, or over half of the quarter’s ransomware activity, showing that Q2 activity was not driven by a single dominant actor.
Ransomware victimology by industry
In Q2, ransomware activity remained concentrated in logistics and transportation, with 64 incidents accounting for 40% of all ransomware activity. This was followed by suppliers (35), dealers and retailers (27), and OEMs (19).
![]()
Figure 5. Logistics and transportation accounted for the largest share of Q2 ransomware incidents, reflecting continued exposure across fleet and supply chain operations.
While overall ransomware activity declined quarter over quarter, logistics and transportation still increased from 61 incidents in Q1 to 64 in Q2, making it a more prominent target within the quarter’s victimology.
The concentration on logistics and transportation aligns with VicOne CyberThreat Research Lab’s recent analysis: ransomware risk can extend beyond endpoint encryption and disrupt the connected platforms that coordinate fleet operations. Cyber resilience in this industry requires visibility across both corporate IT and the infrastructure that keeps vehicles, cargo, and routes moving.
CWE analysis
The Q2 CWE data shows a different weakness profile from the previous quarter, with injection-related issues becoming more prominent in the overall ranking. While this comparison should be read as a quarterly snapshot rather than a long-term trend, the results show that automotive cybersecurity weaknesses persist across both enterprise-facing systems and vehicle-adjacent technologies.
Overall CWE trends: Q2 2026 vs. Q1 2026
Compared with Q1, which was more concentrated around authentication, session management, and credential protection, Q2 reflected greater visibility into input-handling and injection risks.
| Top CWEs in Q2 2026 | Count | Top CWEs in Q1 2026 | Count |
| CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 24 | CWE-306: Missing Authentication for Critical Function | 18 |
| CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | 14 | CWE-613: Insufficient Session Expiration | 14 |
| CWE-121: Stack-based Buffer Overflow | 8 | CWE-307: Improper Restriction of Excessive Authentication Attempts | 11 |
| CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 8 | CWE-522: Insufficiently Protected Credentials | 11 |
| CWE-306: Missing Authentication for Critical Function | 5 | CWE-416: Use After Free | 10 |
| CWE-754: Improper Check for Unusual or Exceptional Conditions | 5 | CWE-121: Stack-based Buffer Overflow | 7 |
| CWE-770: Allocation of Resources Without Limits or Throttling | 4 |
Table 1. Top CWE entries observed in Q2 2026 vs Q1 2026
Charging infrastructure vulnerabilities
Compared to Q1, where the leading weaknesses were concentrated around authentication, session expiration, excessive authentication attempts, and credential protection, the charging infrastructure vulnerabilities in Q2 were more distributed across several lower-frequency weakness types. This suggests that observed charging infrastructure issues were not centered on a single weakness family, reinforcing the need to secure access control, default configurations, software update integrity, and system-level command handling.
| Top Charging Infrastructure CWEs in Q2 2026 | Count | Top Charging Infrastructure CWEs in Q1 2026 | Count |
| CWE-121: Stack-based Buffer Overflow | 2 | CWE-306: Missing Authentication for Critical Function | 13 |
| CWE-1188: Initialization of a Resource with an Insecure Default | 1 | CWE-613: Insufficient Session Expiration | 12 |
| CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | 1 | CWE-307: Improper Restriction of Excessive Authentication Attempts | 11 |
| CWE-269: Improper Privilege Management | 1 | CWE-522: Insufficiently Protected Credentials | 11 |
| CWE-287: Improper Authentication | 1 | CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 6 |
| CWE-306: Missing Authentication for Critical Function | 1 | CWE-863: Incorrect Authorization | 5 |
| CWE-307: Improper Restriction of Excessive Authentication Attempts | 1 | CWE-416: Use After Free | 3 |
| CWE-494: Download of Code Without Integrity Check | 1 | CWE-770: Allocation of Resources Without Limits or Throttling | 3 |
| CWE-522: Insufficiently Protected Credentials | 1 | CWE-121: Stack-based Buffer Overflow | 2 |
| CWE-540: Inclusion of Sensitive Information in Source Code | 1 | CWE-125: Out-of-bounds Read | 2 |
| CWE-613: Insufficient Session Expiration | 1 | CWE-284: Improper Access Control | 2 |
| CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 1 | CWE-400: Uncontrolled Resource Consumption | 2 |
| CWE-787: Out-of-bounds Write | 2 |
Table 2. Top charging infrastructure CWE entries observed in Q2 2026 compared to Q1 2026
In-vehicle system vulnerabilities
In Q2 2026, vehicle system vulnerabilities also showed a broader spread of CWEs. The Q2 list covered software robustness, memory safety, authentication, cryptography, and failure-state behavior. This breadth is significant for in-vehicle environments, where software flaws can affect diagnostics, communications, update flows, and other vehicle-adjacent functions.
| Top In-Vehicle CWEs in Q2 2026 | Count | Top In-Vehicle CWEs in Q1 2026 | Count |
| CWE-754: Improper Check for Unusual or Exceptional Conditions | 4 | CWE-416: Use After Free | 6 |
| CWE-121: Stack-based Buffer Overflow | 3 | CWE-121: Stack-based Buffer Overflow | 4 |
| CWE-1390: Weak Authentication | 3 | CWE-1241: Use of Predictable Algorithm in Random Number Generator | 1 |
| CWE-248: Uncaught Exception | 3 | CWE-288: Authentication Bypass Using an Alternate Path or Channel | 1 |
| CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | 2 | CWE-294: Authentication Bypass by Capture-replay | 1 |
| CWE-125: Out-of-bounds Read | 2 | CWE-295: Improper Certificate Validation | 1 |
| CWE-191: Integer Underflow (Wrap or Wraparound) | 2 | CWE-306: Missing Authentication for Critical Function | 1 |
| CWE-294: Authentication Bypass by Capture-replay | 2 | CWE-319: Cleartext Transmission of Sensitive Information | 1 |
| CWE-307: Improper Restriction of Excessive Authentication Attempts | 2 | CWE-323: Reusing a Nonce, Key Pair in Encryption | 1 |
| CWE-327: Use of a Broken or Risky Cryptographic Algorithm | 2 | CWE-331: Insufficient Entropy | 1 |
| CWE-400: Uncontrolled Resource Consumption | 2 | CWE-347: Improper Verification of Cryptographic Signature | 1 |
| CWE-636: Not Failing Securely ('Failing Open') | 2 | CWE-476: NULL Pointer Dereference | 1 |
| CWE-693: Protection Mechanism Failure | 2 | CWE-787: Out-of-bounds Write | 1 |
| CWE-696: Incorrect Behavior Order | 2 |
Table 3. Top CWE entries observed in in-vehicle systems in Q2 2026 compared to Q1 2026
Q2 2026 research and real-world incidents
Several Q2 disclosures and research findings show how cybersecurity weaknesses can appear across enterprise systems, charging infrastructure, connected services, and in-vehicle platforms.
Enterprise and connected service exposure: A security researcher found API vulnerabilities in the cloud services behind a connected vehicle app, allowing one account holder to view vehicle data and pending requests belonging to other owners. The exposure has since been fixed, while other API issues were still being remediated.
Charging infrastructure vulnerabilities: Various security researchers disclosed vulnerabilities affecting several EV charging products, with proof-of-concept code publicly released for some flaws. The reported issues included authentication bypass and command injection, privilege escalation, and conditions that could enable arbitrary code execution.
Platform-level software exposure: Copy Fail (CVE-2026-31431) is a Linux kernel logic bug that allows an unprivileged local user to gain root access. While not vehicle-specific, the flaw may be relevant to automotive Linux deployments, where shared platform weaknesses can affect systems beyond a single vehicle component.
UDS Security Access weaknesses: At Black Hat Asia 2026, researchers unveiled AlgoBuster, a novel attack framework targeting UDS Service 0x27. By brute-forcing the algorithm itself rather than the full key space, AlgoBuster successfully broke 2 out of 12 tested ECUs.
Vehicle software supply chain exposure: Vulnerabilities CVE-2026-33524 and CVE-2026-33666 were identified in Zserio, the serialization framework behind the Navigation Data Standard (NDS). The findings illustrate how weaknesses in map delivery, supply chain pipelines, and backend processing could affect navigation and ADAS-related data integrity.
AI-related incidents and tooling risks
AI-related risk in Q2 2026 appeared in vehicle engineering workflows and in attacker adaptation to AI-assisted security processes. One notable example showed how AI tooling could lower the technical barrier for vehicle modification. An AI agent published on GitHub enabled automated ECU parameter modification and read/write assistance, making ECU tuning and aftermarket modifications more accessible to less specialized users. If emissions-related parameters are altered through such tooling, affected vehicles could fall out of conformance with Euro 7 and similar regulations.
Threat actors also continued adapting to AI-assisted security workflows. A newer Shai-Hulud variant reportedly incorporated AI tool configuration and prompt-manipulation techniques to evade AI-assisted security analysis. After compromising software packages, attackers could use trusted automation workflows to spread infected releases, steal credentials, and propagate further.
These cases suggest that AI-related automotive cybersecurity risk is not limited to AI models inside vehicles. It also extends to the tools, packages, automation pipelines, and engineering workflows that support modern automotive software development.
Conclusion
The Q2 2026 data reinforces a central reality of the Overlap Era: automotive cybersecurity risk now spans enterprise systems, operational platforms, connected services, charging infrastructure, and in-vehicle software.
While the quarter’s findings should be read as a snapshot rather than a long-term trend, the distribution of incidents, ransomware activity, CWE findings, and AI-related signals points to three priorities for automotive OEMs and organizations.
Scale visibility across the wider automotive ecosystem. Security teams need visibility across the connected layers that support vehicle design, deployment, operations, maintenance, and updates.
Strengthen resilience across logistics and operational dependencies. Ransomware exposure reinforces the need to secure the platforms, services, and third-party integrations that keep fleets, cargo, and routes moving.
Secure software and automation pipelines by design. CWE and AI-related findings point to the need for stronger authentication, software integrity checks, secure CI/CD practices, third-party validation, and governance for AI-enabled engineering workflows.
The organizations best prepared for the Overlap Era will be those that can see risk before it crosses boundaries. VicOne helps automotive organizations build this visibility through next-gen vehicle security operations centers (VSOCs) and AI-driven threat intelligence platforms, supporting faster detection, more informed response, and stronger resilience across the automotive value chain.
Stay ahead of emerging automotive threats. Subscribe to xAurient Threat Alerts for timely intelligence on the risks shaping the connected mobility ecosystem.