Pwn2Own Automotive 2026 Day 2: Researchers Land 29 New Zero-Day Exploits Across EV Chargers, IVI Systems, and Automotive Grade Linux
Security researchers earned $439,250 on the second day of Pwn2Own Automotive 2026 after demonstrating 29 unique zero-day exploits in Tokyo. Here is what was hit, why it matters outside the stage, and how defenders should prepare before fixes arrive.
Zero-days exploited on Day 2
Prize money awarded Day 2
Total zero-days after two days
Total prize money after two days
Record contest participation
29 Zero-Day Vulnerabilities Exposed in EV Chargers, IVI, and Automotive Linux
The second day of Pwn2Own Automotive 2026 in Tokyo turned into a blunt reminder that modern vehicles are no longer "cars with computers," but distributed computing platforms that happen to move. Researchers collected $439,250 for 29 unique zero-day vulnerabilities demonstrated against automotive-adjacent targets including EV charging controllers, home chargers, IVI head units, and Automotive Grade Linux.
For defenders, the headline is not just the number of bugs. It is the concentration of exploit paths into components that bridge physical systems (charging, power delivery, in-vehicle networks) and enterprise systems (cloud management, operator portals, fleet telemetry).
Pwn2Own Automotive runs January 21–23, 2026 at Automotive World in Tokyo, and the contest's design is intentionally uncomfortable for vendors: targets are "fully patched," and winning chains must demonstrate meaningful impact such as code execution or sensitive data access, under strict rules that exclude unrealistic assumptions like broad man-in-the-middle control of external infrastructure.
What Was Exploited and Why the Details Matter
Day 2 results matter most when you look past the scoreboard and into the recurring themes: command injection, authentication bypass, exposed "dangerous methods," and memory-safety failures that still show up in embedded and semi-embedded environments.
ZDI's Day 2 write-up documents successful demonstrations across targets such as:
| Target | Type | Vulnerability Class |
|---|---|---|
| Alpine iLX-F511 | IVI system | Command injection |
| Kenwood DNR1007XR | Navigation receiver | N-day command injection |
| Sony XAV-9500ES | Media receiver | Buffer overflow |
| Phoenix Contact CHARX SEC-3150 | Charging controller | Auth bypass + privilege escalation |
| ChargePoint Home Flex (CPH50-K) | Home charger | Command injection |
| Grizzl-E Smart 40A | Charging station | Multiple collisions |
| Alpitronic HYC50 (Lab Mode) | Fast charger | Lab mode exploit |
| Automotive Grade Linux | OS | Chained exploit |
One of the most operationally relevant nuances from Day 2 is the mix of true "0-days" and collisions (where a later team hits the same underlying issue) alongside at least one explicitly labeled n-day command injection. Collisions are not trivial bookkeeping. They are a signal that multiple independent researchers converge on the same weak seams, often because the seam is structural.
Why 29 Automotive Zero-Days Are More Than "Conference News"
It is tempting to treat Pwn2Own results as a lab-only spectacle. That is a mistake, particularly for EV charging infrastructure and software-defined vehicles.
EV chargers are cyber-physical systems that blend authentication, payment or identity logic, remote management, and power control. When researchers demonstrate exploit chains paired with contest "add-ons" such as charging connector protocol or signal manipulation, they are effectively proving the feasibility of moving from a software foothold into behavior changes at the boundary where electricity meets business logic.
In real environments, the blast radius might not be "the grid collapses," but it can be very tangible:
- Disrupted charging sessions
- Denial of service at high-traffic sites
- Fraudulent session behavior
- Tampering with telemetry that drives billing disputes
- Lateral movement into networks that operators assumed were isolated
IVI systems and automotive operating systems are a different category of risk, but the business impact can be just as severe. IVI is often the most user-facing compute surface in a vehicle, exposed to USB, Bluetooth, media parsing, and integration services.
The Targets Tell a Story: EVSE, Open Standards, and the Hidden Supply Chain
Pwn2Own Automotive 2026 is structured into six categories:
- Tesla
- In-Vehicle Infotainment (IVI)
- Level 3 EV chargers
- Level 2 EV chargers
- Open Charge Alliance
- Operating Systems
This taxonomy is a roadmap of where the industry's exposure is converging. The inclusion of Open Charge Alliance is particularly telling because EV charging security is no longer just about a single vendor's firmware. It is about ecosystems, interoperability, and standardized protocols.
ZDI described a record 73 entries for the contest. More entries are not just "more fun." They are a proxy for researcher interest, which tends to track where exploitation is feasible, where the supply chain is complex enough to hide bugs, and where the commercial stakes are rising.
Patch Window Reality: What Happens After the Applause
Day 2 ended with an important cumulative statistic: 66 unique zero-days exploited across the first two days, and $955,750 awarded. Those numbers define the patch workload that vendors and partners now have to digest, reproduce, triage, and fix while coordinating across supply chains that were not built for rapid security turnaround.
Vendors are given time (commonly framed as a 90-day window) to develop and release fixes before ZDI publicly discloses exploited issues. In practice, the harder problem is not "a patch exists." It is "a patch reaches the field."
What Security Teams Should Do Now
Most organizations reading contest results will not be able to patch anything immediately. That does not mean you should wait passively:
- Validate your asset inventory for EVSE and in-vehicle components
- Map affected product families in your environment (ChargePoint Home Flex, charging controllers, etc.)
- Harden management networks and remote administration portals
- Segment EVSE operations from enterprise networks
- Enforce strict outbound allow-lists
- Centralize logs from charger management systems with anomaly detection
- Disable debug modes in the field unless you can guarantee strong authentication
- Rehearse the patch cycle: test rings, rollback strategies, staged deployments
Affected Organizations
Alpine (iLX-F511 IVI system)
Impact: Demonstrated exploit paths included command injection and other weakness classes leading to elevated execution in the IVI environment; relevant for long-lived in-vehicle deployments. Industry: Automotive supplier | Severity: High
Kenwood (DNR1007XR navigation receiver)
Impact: Command injection paths were successfully demonstrated, including an attempt described as an n-day in the contest reporting. Industry: Automotive electronics | Severity: High
Sony (XAV-9500ES media receiver)
Impact: Privileged code execution was demonstrated via a buffer overflow class vulnerability in contest conditions. Industry: Automotive electronics | Severity: High
Phoenix Contact (CHARX SEC-3150 charging controller)
Impact: Demonstrations included exploit chains such as authentication bypass combined with privilege escalation; relevant to EVSE control components. Industry: Industrial/EVSE | Severity: Critical
ChargePoint (Home Flex, model CPH50-K)
Impact: Multiple successful attempts were reported, including command injection behaviors under contest add-on conditions. Industry: EV charging | Severity: Critical
Grizzl-E (Smart 40A charging station)
Impact: Multiple attempts and collisions occurred; successful demonstrations indicate repeated interest and potential pattern weaknesses. Industry: EV charging | Severity: High
Alpitronic (HYC50 charging station, Lab Mode)
Impact: A successful exploit was reported against "Lab Mode," highlighting the risk of exposed service features in the field. Industry: EV fast charging | Severity: High
Autel (MaxiCharger AC Elite Home 40A)
Impact: Successful demonstrations were reported, reinforcing EVSE exploitability under real-world oriented contest constraints. Industry: EV charging | Severity: High
Automotive Grade Linux (AGL)
Impact: A chained exploit path was demonstrated, relevant due to AGL's role as a shared OS substrate in automotive ecosystems. Industry: Automotive software | Severity: Critical
Closing
Day 2 of Pwn2Own Automotive 2026 is not just a collection of impressive demos; it is a measurable snapshot of where automotive and EV charging security is failing under modern stress. With 29 additional zero-days and 66 unique vulnerabilities in two days, the contest is effectively mapping the industry's weakest seams, from command injection and authentication failures to memory safety flaws and dangerous service capabilities.
The organizations that will weather the next disclosure cycle best are the ones that treat today as the start of a preparedness sprint: inventory, isolate, monitor, and rehearse patch operations now, so that when fixes land, exposure does not linger in the field for months.
Frequently Asked Questions
Not necessarily. These exploits were demonstrated in a controlled contest setting by researchers, not criminal actors. However, the demonstrations prove exploitability and commonly highlight design patterns that adversaries later reuse. Treat it as early warning that patch and hardening work will be needed once vendors ship fixes.
EV chargers sit at the boundary between cyber systems and power delivery, often with remote management and protocol-driven control. That combination makes them attractive for disruption, fraud, or as a foothold into adjacent networks. The contest's category structure reflects this reality by explicitly targeting Level 2 and Level 3 charging ecosystems.
AGL is an open-source operating system stack used by automotive ecosystems for infotainment and related functions. When exploit chains succeed against an OS platform, the risk can become systemic because multiple products may share the same upstream code paths. Day 2 included a successful chain targeting Automotive Grade Linux, underscoring the need for disciplined upstream patching and downstream integration hygiene.
Pwn2Own disclosures are coordinated; vendors generally receive time to produce fixes before full public disclosure. That means defenders may see advisories and patches before deep exploit details emerge. Use the window to inventory exposure and strengthen monitoring and segmentation so that patch delays do not become incidents.
Confirm your deployed models and firmware provenance, tighten access to management interfaces, and segregate charger operations from enterprise IT. Increase logging and alerting for suspicious configuration changes and authentication anomalies. Prepare a staged patch plan so you can deploy updates quickly once vendors release them.
A collision indicates multiple researchers independently reached the same underlying weakness, which often points to a structural flaw in design or implementation. An n-day showing up is a warning that patch propagation and lifecycle management are inconsistent, creating long-lived windows where attackers can rely on known bugs. Both are signals to improve update governance, not just to wait for a CVE.
Comments
Want to join the discussion?
Create an account to unlock exclusive member content, save your favorite articles, and join our community of IT professionals.
New here? Create a free account to get started.