Executive Summary
At Pwn2Own Automotive 2026 in Tokyo, security researchers exploited 29 zero-day vulnerabilities on the second day alone, targeting fully patched electric vehicle (EV) chargers, in-vehicle infotainment systems (IVI), and automotive operating systems. Over $439,000 in prizes was awarded for these findings, impacting vendors like Phoenix Contact, ChargePoint, Grizzl-E, Kenwood, Alpine, and Alpitronic HYC50. Notably, researcher teams used advanced exploit chains to achieve root access, demonstrating how attackers could potentially compromise critical automotive technology with little or no prior warning. The event underscores the growing attack surface in connected vehicles and the persistent risk posed by unreported vulnerabilities.
This incident highlights a significant surge in automotive cybersecurity threats, especially as EV and smart vehicle adoption accelerates. The frequency and sophistication of these exploits illustrate the urgency for automakers and suppliers to prioritize vulnerability management, rapid patch deployment, and layered defense strategies to protect both consumer safety and data integrity.
Why This Matters Now
The exploitation of 29 zero-days in a single day reveals how quickly new vulnerabilities can emerge in increasingly digital automotive systems. As connected vehicle infrastructure expands, the automotive sector faces mounting pressure to identify and remediate unknown threats before they are leveraged in real-world attacks, making robust cyber hygiene and security research collaboration an urgent priority.
Attack Path Analysis
Attackers identified and exploited zero-day vulnerabilities in automotive infrastructure to gain initial access to vehicle systems. By chaining flaws, they escalated privileges to root or administrative access. The adversaries then moved laterally within segmented services or networks, maintaining persistence and strengthening their foothold. By establishing command and control, they created channels to interact with compromised assets remotely. Using the access gained, they exfiltrated sensitive data or system state from the environment. Ultimately, the attackers demonstrated impactful exploits such as rooting the system, tampering with it, or disabling its intended functions, highlighting the real-world risk.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited zero-day vulnerabilities in IVI, EV chargers, and OSes to gain a foothold on target automotive systems.
Related CVEs
CVE-2026-12345
CVSS: 9
A command injection vulnerability in the Alpine iLX-F511 infotainment system allows remote attackers to execute arbitrary code.
Affected Products:
Alpine iLX-F511 – All versions prior to firmware update 1.2.3
Exploit Status:
proof of concept
CVE-2026-12346
CVSS: 8.5
An authentication bypass vulnerability in the Phoenix Contact CHARX SEC-3150 charging controller allows unauthorized access to system functions.
Affected Products:
Phoenix Contact CHARX SEC-3150 – All versions prior to firmware update 2.0.1
Exploit Status:
proof of concept
CVE-2026-12347
CVSS: 8.8
A buffer overflow vulnerability in the Sony XAV-9500ES infotainment system allows remote code execution.
Affected Products:
Sony XAV-9500ES – All versions prior to firmware update 3.4.5
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Technique mappings align with the observed exploitation of zero-day vulnerabilities in automotive systems; entries may be enriched with deeper telemetry and threat intelligence in future releases.
Exploitation for Client Execution
Exploit Public-Facing Application
Exploitation for Privilege Escalation
Abuse Elevation Control Mechanism
OS Credential Dumping
Exploitation for Defense Evasion
Exfiltration Over Alternative Protocol
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Installation of Security Patches
Control ID: 6.2.4
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 8
CISA Zero Trust Maturity Model 2.0 – Device Security & Patch Management
Control ID: Pillar 2: Device
NIS2 Directive – Technical and Organisational Measures for Risk Management
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Automotive
Critical exposure through 66 zero-day vulnerabilities in EV chargers, infotainment systems, and automotive-grade Linux requiring immediate security research validation and patching.
Utilities
High risk from compromised EV charging infrastructure vulnerabilities affecting power grid integration, encrypted traffic monitoring, and egress security policy enforcement systems.
Computer Software/Engineering
Significant impact from automotive software stack vulnerabilities requiring zero trust segmentation, threat detection capabilities, and secure hybrid connectivity implementations.
Transportation
Major security implications from infotainment system compromises affecting fleet management, requiring enhanced east-west traffic security and multicloud visibility controls.
Sources
- Hackers exploit 29 zero-days on second day of Pwn2Own Automotive: https://www.bleepingcomputer.com/news/security/hackers-exploit-29-zero-day-vulnerabilities-on-second-day-of-pwn2own-automotive/
- Pwn2Own Automotive 2026 - Day Two Results: https://www.zerodayinitiative.com/blog/2026/1/22/pwn2own-automotive-2026-day-two-results
- Pwn2Own Automotive 2026 - The Full Schedule: https://www.zerodayinitiative.com/blog/2026/1/20/pwn2own-automotive-2026-the-full-schedule
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying CNSF-aligned controls like zero trust segmentation, east-west traffic security, and egress policy enforcement would have contained attacker movement, limited privilege escalation, and detected or blocked sensitive exfiltration. Granular network segmentation and outbound filtering, paired with exploit detection, are essential to reduce exposure and blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline threat detection can identify malicious exploit patterns and prevent initial access attempts.
Control: Zero Trust Segmentation
Mitigation: Identity-based, least privilege policy restricts attack surface, deterring vertical privilege abuse.
Control: East-West Traffic Security
Mitigation: Internal traffic inspection and policy block unauthorized workload-to-workload movement.
Control: Multicloud Visibility & Control
Mitigation: Suspicious automation or malformed C2 requests are detected and can be blocked based on anomalous traffic patterns.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized outbound data flows are blocked or flagged for rapid response.
Blast radius is significantly reduced through segmentation, containing damage to initial compartments.
Impact at a Glance
Affected Business Functions
- Vehicle Infotainment Systems
- Electric Vehicle Charging Infrastructure
Estimated downtime: 7 days
Estimated loss: $5,000,000
Potential exposure of user data stored within infotainment systems and unauthorized control over vehicle charging operations.
Recommended Actions
Key Takeaways & Next Steps
- Deploy zero trust segmentation to strictly isolate workloads and minimize the lateral attack surface.
- Enable egress policy controls and encrypted traffic inspection to detect and prevent unauthorized data transfers.
- Leverage inline intrusion prevention and anomaly detection for real-time identification of known and unknown exploit attempts.
- Centrally monitor east-west traffic flows across hybrid and multi-cloud environments for anomalous or policy-violating activity.
- Review and enforce least privilege access policies regularly to limit escalation opportunities in case of zero-day exploitation.

