On the opening day of Pwn2Own Automotive 2025, hackers successfully exploited 16 zero-day vulnerabilities, amassing a total of $382,750 in prizes.
Top Performers and Exploits
Fuzzware.io emerged as the front-runner by breaching the Autel MaxiCharger and Phoenix Contact CHARX SEC-3150 electric vehicle chargers. Utilizing a stack-based buffer overflow and origin validation error, they earned $50,000 and 10 Master of Pwn points.
Sina Kheirkhah of the Summoning Team secured $91,750 and 9.25 Master of Pwn points, targeting the Ubiquiti and Phoenix Contact CHARX SEC-3150 EV chargers with a hard-coded cryptographic key exploit and a trio of zero-days.
The Synacktiv team placed third by demonstrating a flaw in the OCPP protocol, hacking the ChargePoint Home Flex (Model CPH50) through signal manipulation. They received $57,500.
PHP Hooligans capitalized on a heap-based buffer overflow to compromise an Autel charger, resulting in a $50,000 prize. Meanwhile, Viettel Cyber Security earned $20,000 by executing code on Kenwood’s In-Vehicle Infotainment using an OS command injection zero-day.
Vendor Response and Competition Overview
Following the competition, vendors have a 90-day window to issue security patches before public disclosure by Trend Micro's Zero Day Initiative.
Pwn2Own Automotive 2025, held from January 22 to 24 in Tokyo, is part of the Automotive World conference. Participants focus on a range of automotive technologies, including EV chargers, in-vehicle infotainment, and automotive operating systems.
While Tesla entered a Model 3/Y benchtop unit, attempts were limited to the company’s wall connector. The complete schedule and detailed results are available online.
Historical Context and Notable Achievements
In its inaugural edition in January 2024, Pwn2Own Automotive awarded hackers $1,323,750 for successes, including multiple Tesla hacks and 49 zero-day vulnerabilities.
Later, at Pwn2Own Vancouver 2024, security experts garnered $1,132,500 by exploiting 29 zero-days. Notably, Synacktiv won $200,000 and a Tesla Model 3 for a rapid Vehicle CAN BUS Control hack.