Executive Summary
Between January 21–23, 2026, the Pwn2Own Automotive competition in Tokyo saw security researchers demonstrate a record-breaking 76 zero-day vulnerabilities across in-vehicle infotainment systems (IVIs), electric vehicle chargers, and automotive operating systems, including high-profile exploits against Tesla, Alpitronic, Autel, Kenwood, and other leading manufacturers. Teams leveraged physical and remote attack vectors, with notable attacks including USB-based chaining to breach Tesla’s infotainment system. The event awarded $1,047,000 in prizes, underscoring significant risks within connected automotive infrastructure. Vendors now have 90 days to issue security patches before public disclosure.
This incident highlights a concerning rise in exploitable vulnerabilities within rapidly digitalizing automotive ecosystems. As vehicles integrate more software-driven services and connected devices, adversaries and researchers alike are increasingly shifting focus toward automotive cyberattacks—driving new urgency for robust segmentation, secure update mechanisms, and continuous monitoring.
Why This Matters Now
The scale of zero-days unveiled at Pwn2Own Automotive 2026 reveals the expanding attack surface in connected vehicles and infrastructure. With automotive digitalization accelerating, timely mitigation and disclosure are critical to prevent weaponization of these vulnerabilities by malicious actors. Manufacturers and suppliers must prioritize proactive security engineering to protect consumer safety and regulatory compliance.
Attack Path Analysis
Attackers began by exploiting zero-day vulnerabilities in connected automotive IVI systems, charging stations, and car OS platforms to gain initial access. Once inside, adversaries escalated privileges via flaws enabling code execution or root compromise. Lateral movement allowed navigation between components, for instance from infotainment systems to critical controllers or across multi-cloud workloads. The attackers established command and control through persistent access, using custom or covert channels for remote interaction. Sensitive data exfiltration was staged over the network, potentially including vehicle telemetry, user data, or firmware. The impact included demonstrating unauthorized control, data leakage, or service disruption for the targeted systems.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited zero-day flaws in automotive IVI systems, EV chargers, or OSes to gain initial foothold, often via exposed interfaces or direct device access.
Related CVEs
CVE-2026-21635
CVSS 7.5An improper access control vulnerability in EV Station Lite v1.5.2 and earlier allows a malicious actor within Wi-Fi range to utilize the WiFi AutoLink feature on devices adopted via Ethernet.
Affected Products:
Ubiquiti EV Station Lite – v1.5.2 and earlier
Exploit Status:
proof of conceptCVE-2022-43958
CVSS 7.6Siemens QMS Automotive stores user credentials in plaintext within the database, allowing attackers to read credentials and impersonate authorized users.
Affected Products:
Siemens QMS Automotive – All versions
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Techniques identified are mapped to relevant MITRE ATT&CK TTPs observed or inferred in automotive technology exploit scenarios; further enrichment with full STIX/TAXII data is planned.
Hardware Additions
Exploit Public-Facing Application
Exploitation for Privilege Escalation
Abuse Elevation Control Mechanism
Endpoint Denial of Service
Direct Volume Access
Credentials from Password Stores
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of System Components After Changes
Control ID: 6.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 10
CISA ZTMM 2.0 – Inventory and Security of Connected Devices
Control ID: Device Security - Asset Management
NIS2 Directive – Technical and Organizational Measures for Security of Network and Information Systems
Control ID: Article 21.2
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Automotive
Critical exposure as Pwn2Own Automotive 2026 demonstrated 76 zero-days in EV chargers, infotainment systems, and automotive operating systems requiring immediate security upgrades.
Utilities
High risk from EV charging infrastructure vulnerabilities affecting power grid operations, with demonstrated exploits in multiple charging station controllers and smart charging systems.
Transportation
Significant impact from navigation and fleet management system vulnerabilities, with Tesla and multimedia receiver compromises exposing commercial transportation infrastructure to cyberattacks.
Electrical/Electronic Manufacturing
Direct exposure through compromised automotive-grade components and charging equipment, requiring enhanced security measures in manufacturing processes and supply chain validation protocols.
Sources
- Hackers get $1,047,000 for 76 zero-days at Pwn2Own Automotive 2026https://www.bleepingcomputer.com/news/security/hackers-get-1-047-000-for-76-zero-days-at-pwn2own-automotive-2026/Verified
- Security Advisory Bulletin 059https://community.ui.com/releases/Security-Advisory-Bulletin-059/0c0b7f7a-68b7-41b9-987e-554f4b40e0e6Verified
- Siemens QMS Automotive | CISAhttps://www.cisa.gov/news-events/ics-advisories/icsa-22-314-06Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Applying CNSF and Zero Trust controls such as segmentation, workload and traffic isolation, egress filtering, and strong policy enforcement would have contained attacker movement, limited data exposure, and reduced the success of privilege escalation and exfiltration during these multi-vector exploits.
Control: Inline IPS (Suricata)
Mitigation: Known exploit payloads or suspicious traffic would be detected and blocked before initial code execution.
Control: Zero Trust Segmentation
Mitigation: Prevents attackers from abusing local privilege escalation to access broader resources.
Control: East-West Traffic Security
Mitigation: Limits or blocks unauthorized internal connections used for lateral movement.
Control: Multicloud Visibility & Control
Mitigation: Anomalous or covert command and control channels can be rapidly detected and investigated.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks data exfiltration attempts to unauthorized destinations.
Real-time policy enforcement minimizes material impact and facilitates rapid containment.
Impact at a Glance
Affected Business Functions
- Vehicle Charging Operations
- In-Vehicle Infotainment Systems
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of user credentials stored in plaintext, leading to unauthorized access and impersonation.
Recommended Actions
Key Takeaways & Next Steps
- • Deploy inline IPS controls to actively detect and block known exploit payloads targeting exposed cloud and automotive workloads.
- • Enforce microsegmentation and strict east-west policy to isolate workloads and minimize lateral movement opportunities.
- • Implement centralized, real-time observability across multi-cloud and edge assets to rapidly surface anomalies and C2 behaviors.
- • Apply outbound (egress) filtering with granular rules and full traffic encryption to block data exfiltration and unauthorized communications.
- • Integrate cloud-native security fabric controls for distributed enforcement and policy automation to contain threats and support rapid incident response.
