
In a remarkable display of cybersecurity expertise, researchers uncovered 16 zero-day vulnerabilities and earned $382,750 in prizes during day one of Pwn2Own Automotive 2025 in Tokyo.
Leading the competition, Fuzzware.io successfully exploited vulnerabilities in the Autel MaxiCharger and Phoenix Contact CHARX SEC-3150 EV chargers, securing $50,000 and 10 Master of Pwn points. Their discoveries included a stack-based buffer overflow and an origin validation error.
Sina Kheirkhah of Summoning Team claimed second place, earning $91,750 and 9.25 points by exploiting Ubiquiti and Phoenix Contact chargers through hard-coded cryptographic key vulnerabilities and multiple zero-days.
The Synacktiv Team secured third place with $57,500 after demonstrating an OCPP protocol vulnerability in the ChargePoint Home Flex. Other notable achievements included PHP Hooligans’ successful exploitation of an Autel charger ($50,000) and Viettel Cyber Security’s hack of a Kenwood In-Vehicle Infotainment system ($20,000).
The competition, which runs from January 22-24 during the Automotive World conference, focuses on EV chargers, infotainment systems, and car operating systems. Vendors have 90 days to patch reported vulnerabilities before public disclosure by Trend Micro’s Zero Day Initiative.
This follows the successful 2024 edition, where researchers earned $1,323,750 for demonstrating 49 zero-day vulnerabilities in various electric car systems, highlighting the growing importance of automotive cybersecurity.