**HACKERS EXPLOIT 29 ZERO-DAYS ON SECOND DAY OF PWNT2OWN AUTOMOTIVE**
The second day of Pwn2Own Automotive 2026 saw a flurry of activity as security researchers collected $439,250 in cash awards after exploiting 29 unique zero-days. The competition, which focuses on automotive technologies, is taking place this week in Tokyo, Japan, from January 21 to January 23, during the Automotive World auto conference.
The Pwn2Own Automotive hacking contest targets fully patched electric vehicle (EV) chargers, in-vehicle infotainment (IVI) systems, and car operating systems (e.g., Automotive Grade Linux). Fuzzware.io currently leads the competition's leaderboard with $213,000 earned after the first two days. The team has also earned another $95,000 by hacking the Phoenix Contact CHARX SEC-3150 charging controller, the ChargePoint Home Flex EV charger, and the Grizzl-E Smart 40A EV charging station.
Sina Kheirkhah of Summoning Team collected another $40,000 after rooting the Kenwood DNR1007XR navigation receiver, the ChargePoint Home Flex, and the Alpine iLX-F511 multimedia receiver. Rob Blakely of Technical Debt Collectors and Hank Chen of InnoEdge Labs were also awarded $40,000 each after demonstrating zero-day exploit chains targeting Automotive Grade Linux and the Alpitronic HYC50 charging station.
After the first two days of the contest, security researchers have earned a total of $955,750 in cash awards after exploiting 66 zero-day vulnerabilities. The competition will continue on its third day, with the Grizzl-E Smart 40A targeted again by Slow Horses of Qrious Secure and the PetoWorks team, while the Juurin Oy team will go after the Alpitronic HYC50, and Ryo Kato will attempt to exploit the Autel MaxiCharger.
On the first day of the competition, Synacktiv Team earned $35,000 after successfully chaining an information leak and an out-of-bounds write flaw to obtain root permissions on the Tesla Infotainment System via a USB-based attack. The team also collected an additional $20,000 cash award for chaining three zero-day flaws to gain root-level code execution on the Sony XAV-9500ES digital media receiver.
The full schedule for the second day and the results for each challenge are available here, while the complete schedule for Pwn2Own Automotive 2026 is available here.
Last year's Pwn2Own Automotive competition saw hackers collect $886,250 after exploiting 49 zero-days. The previous year, during the Pwn2Own Automotive 2024 contest, they collected another $1,323,750 after demoing 49 zero-day bugs and hacking a Tesla car twice.
Vendors have 90 days to develop and release security fixes for zero-day flaws that are exploited and reported during the Pwn2Own contest, before TrendMicro's Zero Day Initiative publicly discloses them.