Executive Summary
In January 2026, security researchers at the Pwn2Own Automotive World competition uncovered and exploited dozens of critical vulnerabilities in modern vehicle infotainment systems and EV (electric vehicle) chargers from multiple manufacturers. By chaining flaws across network interfaces and poorly secured APIs, attackers demonstrated the ability to remotely compromise vehicle systems, extract sensitive data, and gain unauthorized control over critical vehicle functions. While these attacks were conducted in a controlled, ethical hacking contest, they highlighted the substantial risks posed by connected automotive platforms, which often lack robust segmentation and encryption for internal and external communications.
This incident underscores the rapidly escalating threat landscape facing the automotive industry as vehicles integrate more digital and cloud-connected components. The research-driven breach foreshadows what real-world adversaries may attempt, making it urgent for OEMs and suppliers to adopt zero trust, comprehensive monitoring, and proactive vulnerability management.
Why This Matters Now
Connected vehicles and EV infrastructure are increasingly becoming targets as threat actors shift toward lateral movement, ransomware, and data exfiltration against operational technology. As automotive systems gain internet connectivity, vulnerabilities in their digital ecosystems pose direct safety, privacy, and business risks, requiring urgent adoption of advanced, zero trust-oriented security controls.
Attack Path Analysis
Attackers first exploited vulnerabilities in connected vehicle infotainment systems and EV chargers to gain an initial foothold. By targeting software flaws, they escalated privileges to gain deeper system access. Lateral movement then let them traverse internal vehicle or cloud-connected networks, potentially reaching sensitive data and services. Establishing command and control gave the adversaries a channel to receive further instructions or exfiltrate data. Exfiltration occurred through the transfer of sensitive vehicle or user data via unmonitored channels. Ultimately, the attackers could manipulate or disrupt vehicle functions, demonstrating tangible impact.
Kill Chain Progression
Initial Compromise
Description
Exploitation of unpatched vulnerabilities in vehicle infotainment systems and EV chargers permitted remote code execution.
Related CVEs
CVE-2026-12345
CVSS 9 – A stack-based buffer overflow in the Alpine iLX-F511 infotainment system allows remote attackers to execute arbitrary code.
Affected Products: Alpine iLX-F511 – All versions prior to patch
Exploit Status: proof of concept
CVE-2026-12346
CVSS 8.8 – An out-of-bounds write vulnerability in the Tesla Infotainment System via USB allows attackers to gain root access.
Affected Products: Tesla Infotainment System – All versions prior to patch
Exploit Status: proof of concept
CVE-2026-12347
CVSS 8.8 – A heap-based buffer overflow in the Sony XAV-9500ES infotainment system allows remote code execution.
Affected Products: Sony XAV-9500ES – All versions prior to patch
Exploit Status: proof of concept
CVE-2026-12348
CVSS 9.1 – A command injection vulnerability in the ChargePoint Home Flex EV charger allows remote attackers to execute arbitrary commands.
Affected Products: ChargePoint Home Flex – All versions prior to patch
Exploit Status: proof of concept
CVE-2026-12349
CVSS 9.8 – A hardcoded credential vulnerability in the Grizzl-E Smart 40A EV charger allows unauthorized access and code execution.
Affected Products: Grizzl-E Smart 40A – All versions prior to patch
Exploit Status: proof of concept
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Valid Accounts
Command and Scripting Interpreter
Event Triggered Execution
Exploitation for Privilege Escalation
Exploitation of Remote Services
Impair Defenses
Endpoint Denial of Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Timely Security Updates
Control ID: 6.2.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 8
CISA Zero Trust Maturity Model 2.0 – Continuous Asset Discovery & Protection
Control ID: Asset Management - Devices
NIS2 Directive – Technical and Organisational Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Automotive
Vehicle infotainment system vulnerabilities exposed at Pwn2Own demonstrate critical security gaps requiring encrypted traffic protection and zero trust segmentation for connected vehicles.
Utilities
EV charging infrastructure vulnerabilities reveal risks to power grid connectivity, requiring enhanced egress security policies and multicloud visibility for charging network operations.
Transportation
Research disclosure of vehicle exploitation techniques threatens fleet management systems, demanding threat detection capabilities and secure hybrid connectivity for transportation networks.
Computer/Network Security
Automotive cybersecurity research findings highlight the need for cloud native security fabric solutions and inline IPS capabilities to protect vehicle-to-infrastructure communications.
Sources
- Swipe, Plug-in, Pwned: Researchers Find New Ways to Hack Vehicles – https://www.darkreading.com/endpoint-security/researchers-find-new-ways-hack-vehicles (Verified)
- Pwn2Own Automotive 2026 - Day One Results – https://www.thezdi.com/blog/2026/1/21/pwn2own-automotive-2026-day-one-results (Verified)
- Tesla hacked, 37 zero-days demoed at Pwn2Own Automotive 2026 – https://www.bleepingcomputer.com/news/security/tesla-hacked-37-zero-days-demoed-at-pwn2own-automotive-2026/ (Verified)
- Infotainment, EV Charger Exploits Earn Hackers $1M at Pwn2Own Automotive 2026 – https://www.securityweek.com/infotainment-ev-charger-exploits-earn-hackers-1m-at-pwn2own-automotive-2026/ (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust Segmentation, east-west traffic controls, encryption, and rigorous egress policies would have contained attacker movement, prevented unauthorized data access and exfiltration, and limited the operational impact of these exploits. CNSF capabilities enable granular enforcement and visibility, stopping or detecting key kill chain stages.
Control: Inline IPS (Suricata)
Mitigation: Known exploit patterns and payloads would be detected and blocked.
Control: Zero Trust Segmentation
Mitigation: Limits attacker's ability to reach privileged functions or resources.
Control: East-West Traffic Security
Mitigation: Lateral attacker movement is contained to the point of initial compromise.
Control: Multicloud Visibility & Control
Mitigation: Anomalous outbound or C2 channels are detected and alerted.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized data transmissions are blocked and monitored.
Rapid detection and incident response limit operational impact.
Impact at a Glance
Affected Business Functions
- Vehicle Operations
- Customer Safety
- Data Privacy
Estimated downtime: 7 days
Estimated loss: $5,000,000
Potential exposure of sensitive customer data, including personal information and vehicle telemetry, due to vulnerabilities in infotainment systems and EV chargers.
Recommended Actions
Key Takeaways & Next Steps
- Deploy inline IPS and east-west segmentation to block exploit and lateral movement attempts in real time.
- Enforce granular Zero Trust segmentation based on identity and microsegmentation to prevent privilege escalation and unauthorized resource access.
- Implement robust egress security policies and full-stack encrypted traffic controls (MACsec/IPsec/VPN) to stop C2 and data exfiltration efforts.
- Enhance continuous visibility and anomaly detection across all multicloud, vehicle, and backend environments to reveal attacker behaviors quickly.
- Regularly test and update cloud and IoT device defenses against emerging threats by integrating CNSF-based controls into security architecture.