Pwn2Own Automotive 2026 has officially come to an end, with security researchers earning a total of $1,047,000 after successfully exploiting 76 previously unknown security vulnerabilities.

The competition took place from January 21 to January 23 in Tokyo, Japan, alongside the Automotive World auto conference, and once again highlighted how complex and exposed modern vehicle technology has become.

The event focused entirely on automotive-related systems. Researchers targeted fully updated in-vehicle infotainment systems, electric vehicle charging stations, and car operating systems such as Automotive Grade Linux. All systems were considered fully patched before the contest began, making the successful attacks especially significant. Each vulnerability demonstrated during the competition was a zero-day flaw, meaning it was unknown to vendors before being exploited.

Team Fuzzware.io emerged as the top performer of the event, earning a total of $215,000. On the first day alone, the team collected $118,000 after hacking an Alpitronic HYC50 charging station, an Autel EV charger, and a Kenwood DNR1007XR navigation receiver. On the second day, they earned another $95,000 by demonstrating multiple zero-day exploits in EV charging equipment from Phoenix Contact, ChargePoint, and Grizzl-E. On the final day, they received an additional $2,500 after encountering a bug collision while attempting to gain root access on an Alpine multimedia receiver.

Second place went to Team DDOS, which earned $100,750 over the course of the competition. Synacktiv secured third place with $85,000 and also gained attention for a successful attack against Tesla’s infotainment system. The team earned $35,000 after chaining an information leak with an out-of-bounds write vulnerability to compromise the system through a USB-based attack.

As with all Pwn2Own events, the vulnerabilities discovered during the competition were responsibly disclosed. Vendors now have 90 days to fix the reported issues before technical details are made public through Trend Micro’s Zero Day Initiative. This disclosure window is designed to give manufacturers time to protect users before attackers can take advantage of the flaws.

The results of Pwn2Own Automotive 2026 show a clear trend. Connected vehicles and EV infrastructure are becoming increasingly attractive targets for security researchers and, potentially, real-world attackers. In previous years, researchers earned $1,323,750 at Pwn2Own Automotive 2024 after exploiting 49 zero-days, while the 2025 event saw payouts of $886,250 for another 49 vulnerabilities. The growing number of flaws and rising payouts reflect the expanding attack surface in modern vehicles.

