As vehicles evolve into software-defined platforms, cybersecurity has shifted from a technical safeguard to a pillar of operational resilience. Zero-day vulnerabilities are no longer isolated engineering issues—they represent latent business risk, capable of disrupting production timelines, regulatory compliance, and long-term brand trust.
From January 21–23, 2026, in Tokyo, Pwn2Own Automotive returns with a singular purpose: to expose the vulnerabilities that matter before they are exploited in the wild. In doing so, it offers the automotive industry something increasingly rare—early, credible visibility into emerging cyber risk.
Zero-Day Vulnerabilities: The Risk You Can’t Afford to Discover Late
Zero-day vulnerabilities are dangerous not because they exist—but because they are unknown. Once exploited outside controlled conditions, they leave organizations reacting under pressure: production delays, emergency patches, regulatory scrutiny, and reputational fallout.
Pwn2Own Automotive creates a safe but uncompromising environment where these risks are surfaced early. Elite researchers are invited to probe real automotive technologies: operating systems, infotainment and smart cockpit platforms, and EV charging infrastructure, using the same creativity and persistence seen in real-world attacks. The result is not theoretical risk modeling, but validated attack paths grounded in reality.
More Than Discovery: From Exposure to Remediation
What differentiates Pwn2Own Automotive is that discovery is only the starting point.
Co-hosted by VicOne and the Trend Micro Zero Day Initiative, the event operates under a framework of coordinated disclosure. Vulnerabilities remain confidential for a defined period, giving vendors and ecosystem partners the time and clarity to develop, test, and deploy fixes.
This follow-through matters. Across previous editions:
- 59.62% of zero-days identified in 2024 have already been remediated
- 59.62% of vulnerabilities from 2025 are patched
Figure 1. Most vulnerabilities discovered were promptly addressed by vendors, underscoring Pwn2Own Automotive’s role in accelerating responsible disclosure and reliable risk reduction.
Why This Matters
For organizations navigating SDV transformation, Pwn2Own Automotive provides something traditional testing cannot:
- Early visibility into systemic risk before it impacts revenue or delivery
- Evidence-backed prioritization for security investment and remediation
- Stronger alignment with global regulations
- Reduced likelihood of last-minute security surprises during production or certification
In short, it supports informed decision-making, not reactive crisis management.
Lessons from the Front Lines: What Previous Editions Revealed
Since its launch, Pwn2Own Automotive has uncovered 98 unique zero-day vulnerabilities, spanning in-vehicle systems and EV charging infrastructure. These were not edge cases—they revealed how minor flaws can combine into high-impact attack chains.
Notable examples include:
- A multi-bug exploit chain (CVE-2024-23928, CVE-2024-23929, and CVE-2024-23930) enabling remote code execution and persistent spyware on a Pioneer IVI system (2024)
- A zero-click Bluetooth vulnerability (CVE-2024-23923) in an Alpine Halo9 platform, exposing architectural weaknesses in proprietary protocols
- Multiple RCE vulnerabilities in EV charging controllers (CVE-2024-25994 and CVE-2024-25995), including the Phoenix Contact CHARX SEC-3100 (2025)
- Logic-level validation flaws (CVE-2025-8321) allowing control of Tesla Wall Connector chargers
Each case reinforced the same lesson: waiting for exploitation is no longer an option.
A Reality Check for Software-Defined Vehicle Security
Modern vehicles now depend on software for infotainment, connectivity, OTA updates, battery management, and increasingly safety-adjacent functions. This expanding attack surface makes continuous, adversarial validation essential—especially as SDVs scale globally.
Many of the vulnerabilities uncovered in early editions were detectable only through advanced security tooling combined with expert research, underscoring the limits of conventional testing and compliance-only approaches.
From Competition to Capability
Pwn2Own Automotive is often recognized for its technical brilliance, but its true value lies elsewhere. It transforms zero-day research into actionable intelligence, strengthens collaboration across the ecosystem, and enables organizations to anticipate risk rather than absorb it.
In an era where software defines vehicle capability, differentiation, and trust, Pwn2Own Automotive 2026 stands as a strategic checkpoint, helping the industry move forward with confidence, clarity, and resilience.
