Day Two of Pwn2Own Automotive 2026 kicked off with high intensity, as security researchers targeted automotive infotainment systems, EV chargers, and gateways.
Building on Day One’s momentum, teams demonstrated 37 unique zero-day vulnerabilities, earning over $516,500 in bounties.
The Zero Day Initiative (ZDI) event highlights critical flaws in vehicle tech, from command injections to buffer overflows, urging vendors to patch before real-world exploits emerge.
Standout hacks showcased chaining techniques and add-ons like Charging Connector Protocol/Signal Manipulation.
Master of Pwn points tallied early, with Fuzzware.io leading through multi-bug chains. Follow updates on ZDI’s social channels with #Pwn2Own and #P2OAuto.
Key Day Two Exploits and Payouts
Team MAMMOTH (Inhyung Lee, Seokhun Lee, Chulhan Park, Wooseok Kim, Yeonseok Jang) opened with a command injection in the Alpine iLX-F511 head unit.
Their exploit granted unauthorized access, netting $10,000 and 2 Master of Pwn points.
Later collisions on the same target by Nguyen Thanh Dat (Viettel Cyber Security), Kazuki Furukawa (GMO Cybersecurity), Slow Horses (Qrious Secure), and Sina Kheirkhah (Summoning Team) earned $2,500 each and 1 point per team, highlighting repeated weak spots in Alpine’s firmware.
Julien Cohen-Scali of FuzzingLabs chained an authentication bypass with a privilege escalation on the Phoenix Contact CHARX SEC-3150 EV charger. This two-bug chain allowed remote code execution, worth $20,000 and 4 points.
Fuzzware.io (Tobias Scharnowski, Felix Buchmann, Kristian Covic) escalated with a three-bug chain (out-of-bounds read, memory exhaustion, and heap overflow) on Automotive Grade Linux, pocketing $40,000 and 4 points.
They also hit the ChargePoint Home Flex (CPH50-K) via command injection ($30,000, 5 points) and multiple collisions on Grizzl-E Smart 40A.
Buffer overflows proved popular. Neodyme AG exploited a classic buffer overflow (CWE-120) in the Sony XAV-9500ES for privileged execution ($10,000, 2 points).
Hank Chen (InnoEdge Labs) exposed a dangerous method in Alpitronic HYC50 – Lab Mode ($40,000, 4 points), matched by Xilokar’s single-bug root access ($20,000, 4 points).
Collisions added nuance. BoredPentester chained two bugs on the Grizzl-E Smart 40A ($20,000, 3 points), then used a command injection against the Kenwood DNR1007XR ($5,000, 2 points).
Team DDOS (Bongeun Koo, Evangelos Daravigkas) exploited an n-day command injection on the Kenwood ($4,000, 1 point) and a six-bug chain on the Phoenix CHARX, partly colliding with earlier entries ($19,250, 4.75 points).
BoB::Takedown combined a collision and zero-day on Grizzl-E ($15,000, 3 points), while PHP Hooligans/Midnight Blue fully collided a two-bug Autel MaxiCharger chain ($20,000, 3 points).
Synacktiv stacked a buffer overflow on the Autel MaxiCharger with signal manipulation ($30,000, 5 points). Summoning Team’s Sina Kheirkhah doubled up: two bugs on ChargePoint ($30,000, 5 points) and root via two vulnerabilities on Alpine ($5,000, 2 points).
ZIEN, Inc. (Hyeonjun Lee et al.) chained symlink following and command injection on ChargePoint, despite collision ($16,750, 3.5 points).
Evan Grant scored collision payouts on Grizzl-E ($15,000, 3 points), and PetoWorks/78ResearchLab nabbed Kenwood collisions ($2,500 each, 1 point).
Failures included Autocrypt’s timeouts on Grizzl-E and Autel targets, and PetoWorks on Alpine.
Implications For Automotive Security
These demos expose persistent issues in connected car ecosystems. Command injections dominated infotainment (Alpine, Kenwood, Sony), enabling remote control.
EV chargers like ChargePoint, Grizzl-E, and Phoenix fell to protocol manipulations and overflows, risking physical tampering or grid attacks. Chained exploits amplified impact, often achieving root or privileged execution.

ZDI coordinates disclosures, ensuring patches reach vendors like Alpine, Sony, and ChargePoint.
Total prizes underscore the rising stakes: $516,500 for 37 zero-days signals how lucrative automotive hacking has become. As the Master of Pwn race continues, expect more revelations on supply chain risks and fuzzing-driven finds.
Event takeaways: Prioritize input validation, auth hardening, and bounded memory ops.
Researchers like Fuzzware.io and Summoning Team dominate via systematic chaining. Stay tuned for final standings and full advisories.