第二屆Pwn2Own Automotive 的第二天賽程正如火如荼地進行著,今日一共揭露了 23 個獨特的零日漏洞,比第一天多出了 7 個。研究人員在多種車載資訊娛樂系統(IVI)和電動車(EV)充電器(包括特斯拉 Wall Connector)識別出漏洞。作為全球最大規模的零日漏洞發掘競賽,本活動由 VicOne 與趨勢科技的 Zero Day Initiative (ZDI) 合作舉辦,第二天競爭勢頭絲毫未見減弱。
Attempts on Tesla Wall Connector EV chargers
The PHP Hooligans fired the first shots in exploiting the Tesla Wall Connector. They used a numeric range comparison without minimum check (CWE-839), a coding flaw that allowed improperly validated values to bypass security measures, ultimately enabling them to take control of the device.
Figure 1. The PHP Hooligans team successfully performed a challenge on the Tesla Wall Connector using a numeric range comparison without minimum check (CWE-839) vulnerability.
PCAutomotive followed suit shortly afterward, but while the team’s attempt on the Tesla EV charger was successful, the vulnerability the team leveraged had been previously disclosed.
| Attempt | Category | Result |
|---|---|---|
| Sina Kheirkhah targeting the WOLFBOX Level 2 EV Charger | Electric Vehicle Chargers | Success |
| PHP Hooligans targeting the Tesla Wall Connector | Electric Vehicle Chargers | Success |
| Viettel Cyber Security targeting the ChargePoint Home Flex | Electric Vehicle Chargers | Success/Collision |
| The ZIEN, Inc. targeting the Kenwood DMX958XR | In-Vehicle Infotainment | Collision |
| ANHTUD targeting the Alpine iLX-507 | In-Vehicle Infotainment | Success |
| HT3 Labs targeting the Phoenix Contact CHARX SEC-3150 | Electric Vehicle Chargers | Success |
| PCAutomotive targeting the Tesla Wall Connector with the Charging Connector Protocol/Signal Manipulation add-on | Electric Vehicle Chargers | Collision |
| Sina Kheirkhah targeting the Autel MaxiCharger AC Wallbox Commercial | Electric Vehicle Chargers | Success/Collision |
| Pony 74 targeting the Kenwood DMX958XR | In-Vehicle Infotainment | Collision |
| GMO Cybersecurity by Ierae, Inc. targeting the Alpine iLX-507 | In-Vehicle Infotainment | Success |
| Rafal Goryl of PixiePoint Security targeting the WOLFBOX Level 2 EV Charger | Electric Vehicle Chargers | Success/Collision |
| PCAutomotive targeting the Sony XAV-AX8500 | In-Vehicle Infotainment | Success |
| fuzzware.io targeting the ChargePoint Home Flex in the Electric Vehicle Chargers | Electric Vehicle Chargers | Failure |
| Sina Kheirkhah targeting the Kenwood DMX958XR | In-Vehicle Infotainment | Success |
| Synacktiv targeting the Tesla Wall Connector in the Electric Vehicle with the Charging Connector Attack add-on | Electric Vehicle Chargers | Success |
| CIS Team targeting the Alpine iLX-507 | In-Vehicle Infotainment | Collision |
| PHP Hooligans targeting the WOLFBOX Level 2 EV Charger | Electric Vehicle Chargers | Failure |
| Viettel Cyber Security targeting the Sony XAV-AX8500 | In-Vehicle Infotainment | Collision |
| fuzzware.io targeting the EMPORIA EV Charger Level 2 | Electric Vehicle Chargers | Failure |
| Juurin Oy, Elias Ikkelä-Koski, and Aapo Oksman targeting the Kenwood DMX958XR | In-Vehicle Infotainment | Success |
| Sina Kheirkhah targeting the Tesla Wall Connector | Electric Vehicle Chargers | Collision |
| Compass Security targeting the Alpine iLX-507 | In-Vehicle Infotainment | Failure |
Table 1. The complete contest results of Pwn2Own Automotive 2025 day two
Note: An attempt is designated a “collision” if it involves a non-unique vulnerability (discovered by another researcher or previously known). An attempt marked as a “success/collision” involves a combination of unique and previously known vulnerabilities.
As with what they pulled off yesterday with the ChargePoint Home Flex (Model CPH50), the researchers from Synacktiv also had an add-on when they targeted the Tesla EV charger using a logic bug. For this noteworthy extra, they initiated the exploit directly from its charging connector, a mean feat that had likely never been demonstrated publicly.
Figure 2. The researchers from the Synacktiv team demonstrated an impressive exploit when they targeted the Tesla Wall Connector right from its charging connector.
Sina Kheirkhah from Summoning Team capped off the day with a two-bug chain exploit targeting the Tesla Wall Connector, but both vulnerabilities were already known to the vendor.
Attempts on IVI systems
Although more than half of today’s 22 targets were EV chargers, notable exploits were also unleashed on IVI systems.
PCAutomotive strung together three vulnerabilities — a heap overflow, an authentication bypass, and an improper isolation bug — into a chain that exploited the Sony XAV-AX8500 with zero clicks, an attack that required no user interaction to succeed.
Researchers from Pony 74, one of five teams from South Korea, made their debut on the Pwn2Own Automotive stage. They successfully exploited the Kenwood DMX958XR, but the vulnerability they used was already known.
Figure 3. The Pony 7 team galloped their way into the Kenwood DMX958XR, but their exploit was determined to be a collision.
They join an elite roster of automotive cybersecurity researchers from 13 countries coming together on a global stage where their groundbreaking discoveries not only earn recognition but also drive real-world impact — paving the way for a safer future for connected cars and software-defined vehicles (SDVs).
Stay tuned for updates from day three of Pwn2Own Automotive 2025 by following VicOne (LinkedIn, X, blog) and the ZDI (LinkedIn, X, blog).
With contributions from Dustin Childs of the ZDI
