Pwn2Own Automotive 2025 shifted into high gear on its opening day at Automotive World 2025, held at Tokyo Big Sight in Tokyo, Japan. The sprawling conference hall was abuzz with anticipation as top cybersecurity researchers from across the globe prepared to make their mark at the world’s largest zero-day vulnerability discovery contest, hosted by VicOne with Trend Micro’s Zero Day Initiative (ZDI).
Setting the tone for the three-day event, Max Cheng, CEO of VicOne, and Brian Gorenc, Vice President of Threat Research at Trend Micro, marked the occasion by pulling a kusudama ball, a traditional Japanese symbol of significant milestones.
Figure 1. Brian Gorenc (left), Vice President of Threat Research at Trend Micro, and Max Cheng, CEO of VicOne, during the opening ceremonies of Pwn2Own Automotive 2025
With 16 unique automotive zero-day vulnerabilities discovered on day one alone, this event is shaping up to be yet another one for the books.
Something new and something familiar
On day one, 18 attempts were scheduled via a random draw conducted the previous day. The lineup included three “Pwn2Own After Dark” attempts, which would take place after the Automotive World venue had closed for the day.
The researchers from the Synacktiv team, Pwn2Own Automotive’s inaugural Master of Pwn, made the first successful attempt by exploiting a stack-based buffer overflow bug in the ChargePoint Home Flex (Model CPH50). Their entry also included an “add-on,” something new for the electric vehicle (EV) chargers category: through a known bug in the Open Charge Point Protocol (OCPP), they additionally demonstrated signal manipulation over the charger’s connector.
Sina Kheirkhah from Summoning Team also returned this year. He exploited a hard-coded cryptographic key bug in the Ubiquiti Connect EV Station charger and then displayed a dancing Rick Astley on its screen. Having “rickrolled” the Ubiquiti charger last year, this researcher, it seems, is never going to give this charger up — or let us down — when it comes to delivering exploits with a touch of humor.
Figure 2. Using a hard-coded cryptographic key, Sina Kheirkhah “rickrolled” the Ubiquiti Connect EV Station charger once again.
Aside from the familiar names, there were also new teams joining Pwn2Own Automotive this year, including GMO Cybersecurity by Ierae, Inc. The team executed a single stack-based buffer overflow exploit on the Kenwood DMX958XR in-vehicle infotainment (IVI) system in mere seconds. This impressive performance should come as no surprise, given the team’s strong debut at Automotive CTF in Detroit last year.
Attempt | Category | Result |
---|---|---|
Synacktiv targeting the ChargePoint Home Flex with the Charging Connector Protocol/Signal Manipulation add-on | Electric Vehicle Chargers | Success/Collision |
Viettel Cyber Security targeting the Kenwood DMX958XR | In-Vehicle Infotainment | Success |
PCAutomotive targeting the Alpine iLX-507 | In-Vehicle Infotainment | Success |
Sina Kheirkhah targeting the Phoenix Contact CHARX SEC-3150 | Electric Vehicle Chargers | Success/Collision |
ANHTUD targeting the Sony XAV-AX8500 | In-Vehicle Infotainment | Success |
PHP Hooligans targeting the Autel MaxiCharger AC Wallbox Commercial | Electric Vehicle Chargers | Success |
GMO Cybersecurity by Ierae, Inc. targeting the Kenwood DMX958XR | In-Vehicle Infotainment | Success |
Viettel Cyber Security targeting the Alpine iLX-507 | In-Vehicle Infotainment | Success |
Sina Kheirkhah targeting the Ubiquiti Connect EV Station | Electric Vehicle Chargers | Success |
Team Confused targeting the Sony XAV-AX8500 | In-Vehicle Infotainment | Success |
fuzzware.io targeting the Autel MaxiCharger AC Wallbox Commercial | Electric Vehicle Chargers | Success |
Synacktiv targeting the Kenwood DMX958XR | In-Vehicle Infotainment | Success |
SK Shieldus targeting the Alpine iLX-507 | In-Vehicle Infotainment | Collision |
Technical Debt Collectors targeting Automotive Grade Linux | Operating System | Success/Collision |
Sina Kheirkhah targeting the Sony XAV-AX8500 | In-Vehicle Infotainment | Failure |
fuzzware.io targeting the Phoenix Contact CHARX SEC-3150 | Electric Vehicle Chargers | Success |
Quarkslab targeting the Autel MaxiCharger AC Wallbox Commercial | Electric Vehicle Chargers | Failure |
STEALIEN Inc. targeting the Alpine iLX-507 | In-Vehicle Infotainment | Collision |
Table 1. The complete contest results of Pwn2Own Automotive 2025 day one
Note: An attempt is designated a “collision” if it involves a non-unique vulnerability (discovered by another researcher or previously known). An attempt marked as a “success/collision” involves a combination of unique and previously known vulnerabilities.
The final exploit of the day offered a mix of the new and the familiar — a sense of déjà vu, if you will. Bongeun Koo of STEALIEN Inc. leveraged a vulnerability in the Alpine iLX-507 IVI system, but the bug had already been discovered last year. Under ISO/SAE 21434, the vendor classified the vulnerability as “sharing the risk,” indicating a decision to accept the residual risk, and chose not to release a patch. The STEALIEN researcher, however, earned priceless style points by displaying the iconic Nyan Cat on the device.
Figure 3. Although it leveraged a previously discovered bug, STEALIEN’s exploit still punctuated day one with a flair for creativity, earning plenty of style points by displaying the iconic Nyan Cat on the Alpine IVI system.
Image from the ZDI
Automotive security and vulnerability demos
As the contest gained momentum, researchers from VicOne and the ZDI engaged the audience with a series of demonstrations.
In a virtual demo, Jay Turla, Principal Security Researcher at VicOne, showed a plug-and-play test bench featuring an instrument cluster and IVI system. He used the setup to demonstrate CAN bus injection, replay, and spoofing tactics.
Shin Li, Staff Threat Researcher at VicOne, demonstrated how ultra-wideband (UWB) technology could be used by attackers to interfere with targets in order to cause confusion in location tracking or disrupt communication with authorized devices.
Rounding out the trio of demos on day one was Jonathan Andersson, Senior Manager – Security Researcher at the ZDI. He showcased the NCC Group’s popular Doom entry from last year, highlighting the range of possibilities — including far more serious threats — once root access to a device is obtained.
Figure 4. Jonathan Andersson from the ZDI demonstrated the popular Doom exploit from the NCC Group last year.
These demos underscore the indispensable role of zero-day vulnerability discovery, especially as the industry races into the era of software-defined vehicles (SDVs). Events like Pwn2Own Automotive enable top-tier security researchers to uncover unknown, unpublished, and unreported vulnerabilities, providing the automotive industry with early risk identification and mitigation amid an increasingly complex automotive cybersecurity landscape.
With contributions from Dustin Childs of the ZDI