Launched in 2024 in Tokyo, Japan, the Pwn2Own Automotive competition marked a pivotal moment for automotive cybersecurity. Co-hosted by Trend AI Zero Day Initiative (ZDI) and VicOne, the world’s largest automotive zero-day vulnerability discovery competition brought top security researchers together to uncover previously unknown vulnerabilities in connected vehicles and the technologies that power them.
Zero-days point to an expanding automotive attack surface
While Pwn2Own Automotive is structured as a competitive event, its significance extends beyond prize categories and sophisticated exploit demonstrations. Each edition has provided insights into the automotive industry’s expanding attack surface.
The results over three years illustrate this progression. Both the 2024 and 2025 competitions uncovered 49 unique automotive zero-day vulnerabilities. In 2026, that number increased to 76 unique zero-days, surpassing the totals of the previous two years by the second day of the event.
The increase reflects the rising architectural complexity as connected vehicles integrate more connectivity, software-defined components, and external dependencies.
Analysis of Pwn2Own Automotive findings
While detailed disclosures from Pwn2Own Automotive 2026 are forthcoming, patterns from the 2024 and 2025 competitions already reveal several security insights.
At Pwn2Own Automotive 2025, the leading vulnerability class was OS Command Injection (CWE-78). In several successful exploits, injected commands executed with root privileges, allowing full device control. Stack-based Buffer Overflow (CWE-121) and Heap-based Buffer Overflow (CWE-122) followed closely.
In principle, these weaknesses should be increasingly rare in modern vehicle platforms. Secure development practices, such as rigorous code reviews, automated testing, fuzzing, and static analysis, are sufficiently mature to prevent these types of vulnerabilities. Their continued prevalence suggests the automotive industry still has a long way to go before achieving a consistently robust level of security.
This observation aligns with a key finding in VicOne’s 2026 Automotive Cybersecurity Report, “Crossroads: Automotive Cybersecurity in the Overlap Era”. Analysis of 2025 vulnerability data shows that persistent low-level memory and injection weaknesses remain widespread.
| Top Pwn2Own Automotive 2024 CWEs | Count | Top Pwn2Own Automotive 2025 CWEs | Count |
|---|---|---|---|
| CWE-121: Stack-based Buffer Overflow | 17 | CWE-78: OS Command Injection | 9 |
| CWE-78: OS Command Injection | 4 | CWE-121: Stack-based Buffer Overflow | 8 |
| CWE-295: Improper Certificate Validation | 4 | CWE-122: Heap-based Buffer Overflow | 4 |
| CWE-798: Use of Hard-coded Credentials | 2 | CWE-1328: Security Version Number Mutable to Older Versions | 3 |
| CWE-416: Use After Free | 2 | CWE-284: Improper Access Control | 3 |
| CWE-284: Improper Access Control | 2 |
Table 1. Top CWEs discovered in Pwn2Own Automotive 2024 vs 2025
A comparison between the two years highlights several shifts:
- OS command injection rose sharply from only 4 instances in 2024 to 9 in 2025.
- Stack-based buffer overflows dominated 2024 (17 cases), while 2025 showed a combined 12 stack and heap overflows.
- Firmware or OTA downgrade vulnerabilities first appeared in 2025, indicating a growing focus on the integrity of firmware updates and the lifecycle management chain.
Together, these patterns suggest that risk is evolving not only at the code level but also within update mechanisms and system lifecycle management.
When vulnerability disclosure outpaces governance
Since 2024, Pwn2Own Automotive has uncovered a total of 174 zero-day vulnerabilities. While these vulnerabilities are responsibly disclosed and addressed through coordinated processes, not all risks become visible to organizations at the same time.
According to VicOne’s 2026 Automotive Cybersecurity Report, approximately 89% of automotive vulnerabilities are visible through the CVE system. The remaining 11% fall outside the CVE ecosystem, including zero-day discoveries, independent research findings, and vulnerabilities identified through internal testing.
When governance workflows rely primarily on CVE publication as the trigger for escalation and reporting, exposure that has not yet been cataloged may not immediately enter executive dashboards or risk management processes.
Pwn2Own Automotive demonstrates that technically exploitable weaknesses can exist before formal classification. In production environments, where responsibilities span multiple stakeholders, the implications can extend beyond a single component or vendor.
Figure 1. Cyber incidents in 2025 increasingly span multiple system domains, underscoring the growing disconnect between integrated automotive architectures and fragmented risk governance.
This dynamic closely reflects a core theme from VicOne’s 2026 Automotive Cybersecurity Report: as modern automotive ecosystems span vehicle platforms, charging infrastructure, cloud services, and embedded systems, governance models that depend on CVE-centric visibility become increasingly strained.
From controlled setups to real-world operational risks
The zero-day discoveries discovered at Pwn2Own Automotive reflect the operational reality of modern mobility platforms. While the competition is structured and controlled, production-level vehicle platforms now integrate software-defined components, wireless interfaces, backend services, and charging infrastructure across distributed supplier networks.
In such environments, vulnerabilities do not exist in isolation. They interact with architectural assumptions, trust boundaries, and lifecycle dependencies that can amplify impact across multiple functional domains.
Figure 2. Conceptual view of a modern vehicle’s major functional domains and their overlapping cyber risks
As the industry continues to evolve, the critical differentiator will not be whether vulnerabilities are discovered, but how effectively organizations integrate architectural resilience, cross-domain accountability, and governance maturity into their development and lifecycle processes.
For deeper analysis of the structural trends, vulnerability patterns, and governance challenges shaping the automotive industry, download VicOne’s 2026 Automotive Cybersecurity Report published February 2026: “Crossroads: Automotive Cybersecurity in the Overlap Era.”
