Pwn2Own Automotive 2025, the world’s largest zero-day vulnerability discovery contest, delivered a performance worthy of a racecar champion crossing the checkered flag. With 49 unique zero-day vulnerabilities successfully identified across 50 attempts, the three-day event, which challenged security researchers to uncover vulnerabilities in technologies for software-defined vehicles (SDVs), indeed roared to a triumphant finish. (Coincidentally, the first edition of Pwn2Own Automotive, held last year, also resulted in 49 zero-day vulnerabilities discovered.)
Noteworthy attempts
Day three started with Sina Kheirkhah’s quick work on the ChargePoint electric vehicle (EV) charger. He was followed shortly by Bongeun Koo from STEALIEN Inc., who waged a three-bug exploit against the Ubiquiti Connect EV Station charger. The latter pulled off another déjà vu moment for this effort, not with an already discovered yet unpatched vulnerability, but by once again displaying the iconic Nyan Cat on the device.
Figure 1. Bongeun Koo of STEALIEN used a three-bug chain to exploit the Ubiquiti Connect EV Station charger, getting extra style points for displaying the iconic Nyan Cat on the device.
Tobias Scharnowski, Felix Buchmann, and Kristian Covic of fuzzware.io unleased a two-bug chain, featuring an uninitialized variable, to exploit the WolfBox EV charger, a new target in the EV charger category this year.
Figure 2. The fuzzware.io team used a two-bug chain against the WolfBox EV charger.
Another noteworthy attempt came from Synacktiv. The French team used a single buffer overflow to exploit the Autel MaxiCharger. The team also demonstrated signals being transmitted via its charging connector as an add-on.
Figure 3. Synacktiv exploited the Autel MaxiCharger with an add-on, mirroring the team’s successful attempts on the ChargePoint and Tesla Wall Connector chargers.
It is worth noting that Synacktiv’s EV charger exploits this year — the ChargePoint Home Flex on day one and the Tesla Wall Connector on day two – had add-ons that added an extra layer of sophistication. These underscored a critical point: The exploit chains could potentially extend beyond the charging devices. Cybercriminals could use them as stepping stones to compromise vehicles and connected systems.
| Attempt | Category | Result |
|---|---|---|
| STEALIEN targeting the Ubiquiti Connect EV Station with the Charging Connector Protocol/Signal Manipulation add-on | Electric Vehicle Chargers | Success/Collision |
| Sina Kheirkhah targeting the ChargePoint Home Flex | Electric Vehicle Chargers | Success |
| Synacktiv targeting the Sony XAV-AX8500 | In-Vehicle Infotainment | Success |
| PHP Hooligans targeting the Kenwood DMX958XR | In-Vehicle Infotainment | Success |
| Team Confused targeting the Alpine iLX-507 | In-Vehicle Infotainment | Success |
| fuzzware.io targeting the WOLFBOX Level 2 EV Charger | Electric Vehicle Chargers | Success/Collision |
| Technical Debt Collectors targeting the Tesla Wall Connector | Electric Vehicle Chargers | Collision |
| Synacktiv targeting the Autel MaxiCharger AC Wallbox Commercial with the Charging Connector Protocol/Signal Manipulation add-on | Electric Vehicle Chargers | Success |
| Evan Grant targeting the Kenwood DMX958XR | In-Vehicle Infotainment | Success |
| Sina Kheirkhah targeting the Alpine iLX-507 | In-Vehicle Infotainment | Success |
Table 1. The complete contest results of Pwn2Own Automotive 2025 day three
Note: An attempt is designated a “collision” if it involves a non-unique vulnerability (discovered by another researcher or previously known). An attempt marked as a “success/collision” involves a combination of unique and previously known vulnerabilities.
Capping the day was the successful attempt by Evan Grant. In his first appearance on the Pwn2Own Automotive stage, he leveraged an operating system (OS) command injection bug to exploit the Kenwood DMX958XR, a new target in the in-vehicle infotainment (IVI) systems category.
Figure 4. Evan Grant successfully exploited the Kenwood DMX958XR through an OS command injection vulnerability, completing the attack with five minutes to spare.
New Pwn2Own Automotive Master of Pwn
Sina Kheirkhah of Summoning Team, now renowned for “rickrolling” the Ubiquiti Connect EV Station two years in a row, was crowned the Pwn2Own Automotive 2025 Master of Pwn. He dominated the contest with 30.5 “Pwn points,” earned through a remarkable streak of successful exploits that revealed 14 unique zero-day vulnerabilities.
Figure 5. Sina Kheirkhah of Summoning Team, crowned the Pwn2Own Automotive 2025 Master of Pwn, proudly shows off his trophy and unique jacket inspired by the NASCAR legend Richard “The King” Petty.
Figure 6. The top 10 teams of Pwn2Own Automotive 2025. Like other Pwn2Own contests, Pwn2Own Automotive awards Pwn points for successful exploit attempts.
And that’s a wrap for Pwn2Own Automotive 2025! VicOne is proud to have hosted the second edition of Pwn2Own Automotive with Trend Micro’s Zero Day Initiative (ZDI). This event not only showcased the expertise of top-tier security researchers but also provided a platform for them to collaborate with industry leaders — advancing automotive cybersecurity as the automotive industry accelerates toward the SDV era.
Follow VicOne (LinkedIn, X, blog) for more Pwn2Own Automotive updates. To read more research on vulnerabilities in connected vehicles and learn best security practices, visit our resource center.
With contributions from Dustin Childs of the ZDI
