The Automotive Cybersecurity Event at the Forefront of Zero-Day Vulnerability Discovery
In the era of software-defined vehicles (SDVs), cyberthreats have expanded beyond vehicles to the interconnected systems that enable them, creating overlapping attack surfaces across the entire mobility ecosystem. The industry must therefore strengthen its cybersecurity posture to stay ahead of increasingly complex attacks.
To meet this challenge, VicOne is once again driving Pwn2Own Automotive, the world's largest zero-day vulnerability discovery contest focused on connected vehicles and the technologies that power them.
Join us on this platform where security researchers and automotive stakeholders come together!
Pwn2Own Automotive Cybersecurity Challenge 2026
Securing the Connected Mobility Ecosystem Through Zero-Day Vulnerability Discovery
Accelerating Automotive Zero-Day Vulnerability Discovery
VicOne amplifies awareness of the expanding connected vehicle attack surface, underscoring the urgency of fortifying the industry against emerging and evolving threats.
Spotlighting the Connected Vehicle and Its Interconnected Systems
VicOne emphasizes the need to safeguard not only the vehicle's complex components, but also its connected technologies, paving the way for a more robust and resilient cybersecurity protection.
Forging Industry-Wide Collaborations
VicOne builds strategic partnerships between security researchers and automotive stakeholders to ensure that every vulnerability discovery leads to concrete action that strengthens the connected mobility ecosystem.
Drawing on VicOne's unparalleled threat intelligence, and on Trend Micro's proven Trend Zero Day Initiative (ZDI), Pwn2Own Automotive 2026 offers participants more than US$1 million in cash and prizes, with Tesla and Alpitronic as title sponsors.
VicOne Secures the Future of Mobility
by Helping Automotive Manufacturers and Suppliers Identify and Rectify Vulnerabilities
Pwn2Own Automotive Categories
By discovering zero-day vulnerabilities, this event enables security researchers to uncover unknown, unpublished, and unreported vulnerabilities, facilitating early risk identification and mitigation within the automotive industry.
Hosting this contest in collaboration with VicOne, who has unmatched expertise and experience in automotive cybersecurity, is a key step in demonstrating our security research expertise within the automotive industry and the research community.
We believe that it is of great significance that Pwn2Own Automotive, which will lead to increased security for connected cars and SDVs, will be held at Automotive World, where technologies that will create the future of cars and mobility will gather.
Get Updates on Pwn2Own Automotive
Pwn2Own Automotive 2026 Day 3: New Master of Pwn Announced and Other Highlights
Pwn2Own Automotive 2026 set a new record with 76 unique zero-day vulnerabilities discovered, exposing the rapidly expanding attack surface across SDVs, IVI systems, and EV charging infrastructure. The final day crowned Fuzzware.io as Master of Pwn 2026, with 28 Master of Pwn points.
Read More →Pwn2Own Automotive 2026: Uncovering 37 Unique Zero-Days
Pwn2Own Automotive 2026 Day 1 opened with record-breaking momentum, with researchers successfully compromising infotainment systems, EV chargers, and Tesla interfaces—highlighting how expansive today’s automotive attack surface has become. The surge in entries and chained exploits confirms a clear shift: in the SDV era, automotive cyber risk is no longer isolated to the vehicle, but systemic across the entire ecosystem.
Read More →Pwn2Own Automotive 2026 Day 2: EV Chargers Hit Full Throttle
Day 2 delivered 29 new zero-days, pushing the total to a record 66. Researchers repeatedly compromised Level 2/3 EV chargers and IVI systems using practical flaws like exposed interfaces and command injection. The takeaway: automotive and charging infrastructure attacks are now repeatable at scale—shifting cyber risk from theoretical to immediate operational impact.
Read More →Pwn2Own Automotive 2026 Gears Up: Rules, Targets, and What’s New
Pwn2Own Automotive returns to Tokyo in January 2026 for its third edition. Discover the rules, targets, and what’s new in the world’s largest automotive-focused ethical hacking contest.
Read More →Gain Insights Into Automotive Vulnerabilities from VicOne
Pwn2Own Automotive 2026 Day 3: New Master of Pwn Announced and Other Highlights
Pwn2Own Automotive 2026 set a new record with 76 unique zero-day vulnerabilities discovered, exposing the rapidly expanding attack surface across SDVs, IVI systems, and EV charging infrastructure. The final day crowned Fuzzware.io as Master of Pwn 2026, with 28 Master of Pwn points.
Read More →Pwn2Own Automotive 2026: Turning Zero-Day Discovery into Automotive Foresight
Pwn2Own Automotive 2026 exposes critical zero-day vulnerabilities in software-defined vehicles before they escalate into real-world business and operational risk. By ensuring zero-day vulnerabilities move from exposure to resolution, the event transforms discovery into Automotive Foresight—helping organizations stay ahead of risk before it reaches the road.
Read More →Understanding the Vulnerabilities in EV Charging Communication: Security Insights and Broader Implications
We examine the electric vehicle (EV) charging communication vulnerabilities revealed at the recent DEF CON 33, highlighting their mitigations and broader industry impacts.
Read More →From Pwn2Own Automotive: How Zero-Day Vulnerabilities Expose Gaps in EVSE Cybersecurity Standards
We examine the vulnerabilities discovered in an EV charger during Pwn2Own Automotive to reveal where EVSE cybersecurity standards fall short and why stronger, unified measures are critical for securing the charging infrastructure.
Read More →From Pwn2Own Automotive: 2 RCE Vulnerabilities in the Phoenix Contact CHARX SEC-3100 EV Charging Controller
We discuss the two vulnerabilities discovered in the Phoenix Contact CHARX SEC-3100 EV charging controller at Pwn2Own Automotive 2024, highlighting their impact and possible mitigations.
Read More →From Pwn2Own Automotive: More Stack-Based Buffer Overflow Vulnerabilities in Autel MaxiCharger
We examine two more Autel MaxiCharger vulnerabilities discovered at Pwn2Own Automotive 2024: CVE-2024-23967 and CVE-2024-23957. Both are classified as a stack-based buffer overflow, a classic yet avoidable programming error that could lead to remote code execution.
Read More →From Pwn2Own Automotive: A Stack-Based Buffer Overflow Vulnerability in JuiceBox 40 Smart EV Charging Station
We examine CVE-2024-23938, a JuiceBox 40 smart EV charging station vulnerability discovered at Pwn2Own Automotive, and discuss its broader implications for the automotive industry.
Read More →Relive Highlights From Pwn2Own Automotive 2025
FAQs
What is Pwn2Own Automotive?
Pwn2Own Automotive is a one-of-its-kind event dedicated to uncovering and rectifying vulnerabilities in technologies for connected cars and software-defined vehicles (SDVs). It is co-hosted by VicOne and Trend ZDI, with Tesla and Alpitronic as the title sponsors. As its name suggests, Pwn2Own Automotive is an automotive-focused offshoot of Pwn2Own. Effectively turning potential future threats into a cybersecurity challenge, Pwn2Own is a contest that invites participants to discover zero-day vulnerabilities. To explore the nearly two-decade history and evolution of Pwn2Own, click here.
When and where will Pwn2Own Automotive 2026 be held?
Date: January 21 – 23, 2026
Location: Automotive World, Tokyo Big Sight, Japan
How do I register?
Pwn2Own Automotive: Contestant registration for Pwn2Own Automotive 2026 is open until January 15, 2026. Interested participants can submit a white paper detailing their exploit chain and run instructions to pwn2own@trendmicro.com. For more information, read the complete set of Pwn2Own Automotive rules here.
Automotive World: Visitor registration for Automotive World, where Pwn2Own Automotive will be held, is available here.
What are the travel requirements?
Visa requirements: Visa requirements for entering Japan vary by nationality. Consult the Japanese government's guide for detailed information. For specific queries, contact your nearest Japanese diplomatic mission. Note that the event organizers do not provide visa application support.
Hotel reservations: For accommodation, contestants and visitors alike are advised to book independently. The Odaiba/Ariake areas are popular for their proximity to the event venue.
Venue access: Detailed transport and access information for the event venue can be found here.
Additional travel guidance is available on Automotive World's FAQ page and in the official Tokyo travel guide.
What are the Pwn2Own Automotive 2026 contest categories and prizes?
Categories: Pwn2Own Automotive 2026 has six categories: Tesla, In-Vehicle Infotainment (IVI), Level 3 Electric Vehicle (EV) Chargers, Level 2 Electric Vehicle (EV) Chargers, Open Charge Alliance, and Automotive Operating Systems. Each category has a set of targets that can be selected by the contestant during the registration process. All entries must perform a security challenge on the device and demonstrate arbitrary code execution on the device.
Cash and prizes: More than US$1 million in cash and prizes will be awarded for vulnerabilities and exploitation techniques against the targets in the categories. The first contestant to successfully perform a security challenge on a target within the selected category will win the prize amount allocated for that specific target. Pwn2Own Automotive 2026 will also crown a Master of Pwn, signifying the overall winner of the contest.
For more information, read the complete set of Pwn2Own Automotive 2026 rules here.
Why does Pwn2Own Automotive matter?
Pwn2Own Automotive is a contest where the world's top-level security researchers gather to discover vulnerabilities in the latest automotive technologies. Supporting Pwn2Own Automotive contributes to building a comprehensive risk management system in the SDV era.
- Preparing for the SDV era
As software increasingly controls vehicle functions, concerns about vulnerabilities and risks grow. Pwn2Own Automotive strengthens security through zero-day vulnerability discovery and incident prevention, laying the foundation for future vehicle security. - Improving product safety and reducing risk
By testing the latest automotive technologies in real-world environments, Pwn2Own Automotive uncovers zero-day vulnerabilities early — before they reach underground markets. This proactive approach prevents cyberattacks, enhances product security, and minimizes risks. - Raising industrywide security awareness and building a cooperative framework
By promoting cybersecurity awareness across the automotive industry and fostering collaboration, Pwn2Own Automotive aims to elevate cybersecurity standards and realize a safer automotive ecosystem. - Advancing security research and developing talent
By recognizing and rewarding researchers for finding vulnerabilities, Pwn2Own Automotive cultivates skilled cybersecurity professionals. This hands-on experience in a real-world setting bolsters the industry's overall security capabilities.
Join us in Tokyo in January 2026 for this unique event that propels the automotive industry toward robust and resilient cybersecurity.
Pwn2Own Automotive Contest Schedule
Day 1 | January 21, 2026
| Time | Team | Target | Category |
|---|---|---|---|
| 11:00 a.m. | Hacking Group | Kenwood DNR1007XR | In-Vehicle Infotainment (IVI) Systems |
| Fuzzware.io | Autel MaxiCharger AC Elite Home 40A EV Charger with add-on | Level 2 Electric (EV) Chargers | |
| Neodyme | Alpine iLX-F511 | In-Vehicle Infotainment (IVI) Systems | |
| Team DDOS | ChargePoint Home Flex (Model CPH50-K) with add-on | Level 2 Electric (EV) Chargers | |
| 299 | Grizzl-E Smart 40A | Level 2 Electric (EV) Chargers | |
| 12:00 p.m. | Petworks | Phoenix Contact CHARX SEC-3150 with add-on | Level 2 Electric (EV) Chargers |
| 12:30 p.m. | Fuzzware.io | Kenwood DNR1007XR | In-Vehicle Infotainment (IVI) Systems |
| Synacktiv | Sony XAV-9500ES | In-Vehicle Infotainment (IVI) Systems | |
| Compass Security | Alpine iLX-F511 | In-Vehicle Infotainment (IVI) Systems | |
| 2:00 p.m. | Yannik Luca Marchand | Kenwood DNR1007XR | In-Vehicle Infotainment (IVI) Systems |
| CIS | Alpine iLX-F511 | In-Vehicle Infotainment (IVI) Systems | |
| Synacktiv | Infotainment USB-based Attack | Tesla | |
| Fuzzware.io | EMPORIA Pro Charger Level 2 with add-on | Level 2 Electric (EV) Chargers | |
| Compass Security | Grizzl-E Smart 40A with add-on | Level 2 Electric (EV) Chargers | |
| 3:00 p.m. | Team DDOS | Autel MaxiCharger AC Elite Home 40A EV Charger with add-on | Level 2 Electric (EV) Chargers |
| 3:30 p.m. | GMO Cybersecurity by Ierae, Inc. | Kenwood DNR1007XR | In-Vehicle Infotainment (IVI) Systems |
| Mia Miku Deutsch | Alpine iLX-F511 | In-Vehicle Infotainment (IVI) Systems | |
| Fuzzware.io | Alpitronic HYC50 - Field Mode | Level 3 Electric (EV) Chargers | |
| CyCraft Technology | Grizzl-E Smart 40A | Level 2 Electric (EV) Chargers | |
| 4:00 p.m. | Zeroshi | Phoenix Contact CHARX SEC-3150 with add-on | Level 2 Electric (EV) Chargers |
| 5:00 p.m. | Interrupt Labs | Kenwood DNR1007XR | In-Vehicle Infotainment (IVI) Systems |
| 78 ResearchLab | Alpine iLX-F511 | In-Vehicle Infotainment (IVI) Systems | |
| Team DDOS | Grizzl-E Smart 40A with add-on | Level 2 Electric (EV) Chargers | |
| 5:30 p.m. | Fuzzware.io | Sony XAV-9500ES | In-Vehicle Infotainment (IVI) Systems |
| Viettel Cyber Security | ChargePoint Home Flex (Model CPH50-K) | Level 2 Electric (EV) Chargers | |
| 6:30 p.m. | FPT NightWolf | Kenwood DNR1007XR | In-Vehicle Infotainment (IVI) Systems |
| Team K | Alpine iLX-F511 | In-Vehicle Infotainment (IVI) Systems | |
| 78 ResearchLab | Phoenix Contact CHARX SEC-3150 | Level 2 Electric (EV) Chargers | |
| Jonathan Conrad | Grizzl-E Smart 40A | Level 2 Electric (EV) Chargers | |
| 7:00 p.m. | ANHTUD | Sony XAV-9500ES | In-Vehicle Infotainment (IVI) Systems |
Day 2 | January 22, 2026
| Time | Team | Target | Category |
|---|---|---|---|
| 10:30 a.m. | Team DDOS | Kenwood DNR1007XR | In-Vehicle Infotainment (IVI) Systems |
| Team MAMMOTH | Alpine iLX-F511 | In-Vehicle Infotainment (IVI) Systems | |
| FuzzingLabs | Phoenix Contact CHARX SEC-3150 | Level 2 Electric (EV) Chargers | |
| InnoEdge Labs | Alpitronic HYC50 - Lab Mode | Level 3 Electric (EV) Chargers | |
| Autocrypt | Grizzl-E Smart 40A with add-on | Level 2 Electric (EV) Chargers | |
| 11:30 a.m. | Neodyme | Sony XAV-9500ES | In-Vehicle Infotainment (IVI) Systems |
| 12:00 p.m. | Summoning Team | Kenwood DNR1007XR | In-Vehicle Infotainment (IVI) Systems |
| Viettel Cyber Security | Alpine iLX-F511 | In-Vehicle Infotainment (IVI) Systems | |
| Joshua Foote | Grizzl-E Smart 40A with add-on | Level 2 Electric (EV) Chargers | |
| 12:30 p.m. | Fuzzware.io | Phoenix Contact CHARX SEC-3150 with add-on | Level 2 Electric (EV) Chargers |
| Xilokar | Alpitronic HYC50 - Lab Mode | Level 3 Electric (EV) Chargers | |
| 1:00 p.m. | PHP Hooligans / Midnight Blue | Autel MaxiCharger AC Elite Home 40A EV Charger with add-on | Level 2 Electric (EV) Chargers |
| 1:30 p.m. | 78ResearchLab | Kenwood DNR1007XR | In-Vehicle Infotainment (IVI) Systems |
| GMO Cybersecurity by Ierae, Inc | Alpine iLX-F511 | In-Vehicle Infotainment (IVI) Systems | |
| BoB::Takedown | Grizzl-E Smart 40A | Level 2 Electric (EV) Chargers | |
| 2:30 p.m. | Autocrypt | Autel MaxiCharger AC Wallbox Commercial with add-on | Level 2 Electric (EV) Chargers |
| Technical Debt Collectors | Automotive Grade Linux | Automotive Operating Systems | |
| Fuzzware.io | ChargePoint Home Flex (Model CPH50-K) with add-on | Level 2 Electric (EV) Chargers | |
| 3:00 p.m. | Joshua Foote | Kenwood DNR1007XR | In-Vehicle Infotainment (IVI) Systems |
| Qrious Secure | Alpine iLX-F511 | In-Vehicle Infotainment (IVI) Systems | |
| 4:00 p.m. | Synacktiv | Autel MaxiCharger AC Elite Home 40A EV Charger with add-on | Level 2 Electric (EV) Chargers |
| Team DDOS | Phoenix Contact CHARX SEC-3150 with add-on | Level 2 Electric (EV) Chargers | |
| 4:30 p.m. | Petoworks | Alpine iLX-F511 | In-Vehicle Infotainment (IVI) Systems |
| SummoningTeam | ChargePoint Home Flex (Model CPH50-K) with add-on | Level 2 Electric (EV) Chargers | |
| 5:00 p.m. | Fuzzware.io | Grizzl-E Smart 40A with add-on | Level 2 Electric (EV) Chargers |
| 6:00 p.m. | Petoworks | Kenwood DNR1007XR | In-Vehicle Infotainment (IVI) Systems |
| BoB::Takedown | Phoenix Contact CHARX SEC-3150 | Level 2 Electric (EV) Chargers | |
| 6:30 p.m. | SummoningTeam | Alpine iLX-F511 | In-Vehicle Infotainment (IVI) Systems |
| ZIEN | ChargePoint Home Flex (Model CPH50-K) | Level 2 Electric (EV) Chargers | |
| Evan Grant | Grizzl-E Smart 40A with add-on | Level 2 Electric (EV) Chargers |
Day 3 | January 23, 2026
| Time | Team | Target | Category |
|---|---|---|---|
| 10:30 a.m. | Team MST | Kenwood DNR1007XR | In-Vehicle Infotainment (IVI) Systems |
| Viettel Cyber Security | Sony XAV-9500ES | In-Vehicle Infotainment (IVI) Systems | |
| Fuzzware.io | Alpine iLX-F511 | In-Vehicle Infotainment (IVI) Systems | |
| Qrious Secure | Grizzl-E Smart 40A | Level 2 Electric (EV) Chargers | |
| 12:00 p.m. | Qrious Secure | Kenwood DNR1007XR | In-Vehicle Infotainment (IVI) Systems |
| Team DDOS | Alpine iLX-F511 | In-Vehicle Infotainment (IVI) Systems | |
| Petoworks | Grizzl-E Smart 40A with add-on | Level 2 Electric (EV) Chargers | |
| 1:00 p.m. | Juurin | Alpitronic HYC50 - Lab Mode | Level 3 Electric (EV) Chargers |
| 1:30 p.m. | Viettel Cyber Security | Kenwood DNR1007XR | In-Vehicle Infotainment (IVI) Systems |
| Autocrypt | Alpine iLX-F511 | In-Vehicle Infotainment (IVI) Systems | |
| 3:00 p.m. | Juurin | Kenwood DNR1007XR | In-Vehicle Infotainment (IVI) Systems |
| Pwn4S0n1c | Autel MaxiCharger AC Elite Home 40A EV Charger | Level 2 Electric (EV) Chargers | |
| FPT NightWolf | Alpine iLX-F511 | In-Vehicle Infotainment (IVI) Systems |