
Pwn2Own Automotive 2026 has crossed the finish line with a record-breaking performance. As the world’s largest zero-day vulnerability discovery contest, the three-day event roared to a triumphant conclusion, with researchers successfully identifying 76 unique zero-day vulnerabilities across 73 attempts. It was a masterclass in speed and precision, challenging the world's best to secure the future of software-defined vehicles (SDVs) and electric vehicle (EV) infrastructure.
Attempt Highlights
The first successful attempt of the day came from Petoworks, which breached the Grizzl-E Smart 40A by leveraging a single buffer overflow bug.
For IVIs, Team DDOS used a stack-based buffer overflow to hack the Alpine iLX-F511, while Viettel Cyber Security targeted the Sony XAV-9500ES and gained code execution privileges via a heap-based buffer overflow.
Juurin Oy, composed of Aapo Oksman, Elias Ikkelä-Koski and Mikael Kantola, returned to Pwn2Own with attempts against the Kenwood DNR1007XR and the Alpitronic HYC50. They exploited a link-following vulnerability to breach the Kenwood device. Against the Level 3 charger, they leveraged a Time-of-Check to Time-of-Use (TOCTOU) bug and capped the successful exploit not only with a video but also by installing a playable copy of the classic game Doom.
Figure 1. Juurin Oy Exploits TOCTOU Bug in Alpitronic HYC50 to run Doom
| Attempt | Category | Result |
|---|---|---|
| Team MST targeting Kenwood DNR1007XR | In-Vehicle Infotainment (IVI) Systems | Success / Collision |
| Viettel Cyber Security targeting Sony XAV-9500ES | In-Vehicle Infotainment (IVI) Systems | Success |
| Fuzzware.io targeting Alpine iLX-F511 | In-Vehicle Infotainment (IVI) Systems | Success / Collision |
| Qrious Secure targeting Grizzl-E Smart 40A | Level 2 Electric Vehicle (EV) Chargers | Success / Collision |
| Qrious Secure targeting Kenwood DNR1007XR | In-Vehicle Infotainment (IVI) Systems | Success |
| Team DDOS targeting Alpine iLX-F511 | In-Vehicle Infotainment (IVI) Systems | Success |
| Petoworks targeting Grizzl-E Smart 40A | Level 2 Electric Vehicle (EV) Chargers | Success |
| Juurin targeting Alpitronic HYC50 | Level 3 Electric Vehicle (EV) Chargers | Success |
| Viettel Cyber Security targeting Kenwood DNR1007XR | In-Vehicle Infotainment (IVI) Systems | Success / Collision |
| Autocrypt targeting Alpine iLX-F511 | In-Vehicle Infotainment (IVI) Systems | Success |
| Juurin targeting Kenwood DNR1007XR | In-Vehicle Infotainment (IVI) Systems | Success |
| Pwn4S0n1c targeting Autel MaxiCharger AC Elite Home 40A EV Charger | Level 2 Electric Vehicle (EV) Chargers | Success / Collision |
| FPT NightWolf targeting Alpine iLX-F511 | In-Vehicle Infotainment (IVI) Systems | Success |
Table 1. The complete contest results of Pwn2Own Automotive 2025 day three. Note: An attempt is designated a “collision” if it involves a non-unique vulnerability (discovered by another researcher or previously known). An attempt marked as a “success/collision” involves a combination of unique and previously known vulnerabilities.
Pwn2Own Automotive 2026 Master of Pwn
After three days of intense competition at Automotive World in Tokyo, the German research team Fuzzware.io has secured the coveted title of Master of Pwn 2026.
Fuzzware.io's path to the crown was paved with high-profile takedowns of some of the most popular EV infrastructure in the world:
- Alpitronic HYC50 (Field Mode): A devastating "Out-of-Bounds Write" exploit that granted them full control over this commercial fast charger.
- Autel MaxiCharger: A complex 2-bug chain that combined code execution with their signature Signal Manipulation technique.
- Phoenix Contact CHARX: A "hat-trick" exploit involving three separate bugs and two add-ons, showcasing the team's ability to chain multiple vulnerabilities for maximum impact.
- Emporia & ChargePoint: Continued success against home chargers, using signal manipulation to prove that residential units are just as vulnerable as commercial stations.
Figure 2. 2026 Master of Pwn, Fuzzware.io, with Dustin Childs, Head of Threat Awareness of TrendAI ZDI, Max Cheng, CEO of VicOne, and Brian Gorenc, Vice President of Threat Research at TrendAI ZDI.
As the 2026 champions, Scharnowski, Buchmann, and Covic return home not just with the "Master of Pwn" trophy, but with the distinction of setting a new standard for automotive security research.
Figure 3. The top 5 teams of Pwn2Own Automotive 2026. Consistent with the broader Pwn2Own series, the Automotive edition grants 'Master of Pwn' points for every verified exploit.
That concludes Pwn2Own Automotive 2026! VicOne is honored to have co-hosted the third edition of this premier event alongside TrendAI Zero Day Initiative (ZDI). This competition did more than just showcase the ingenuity of the world’s top security researchers; it created a vital space for collaboration with industry leaders—strengthening the foundations of cybersecurity as the ecosystem accelerates toward the Software-Defined Vehicle (SDV) era and an increasingly connected Electric Vehicle Infrastructure.
With contributions from Dustin Childs of the ZDI