Pwn2Own Automotive 2025 Day 1: organizers awarded $382,750 for 16 zero-days

Trend Micro’s Zero Day Initiative (ZDI) announced that over $380,000 was awarded on Day 1 of Pwn2Own Automotive 2025, a hacking contest that was held in Tokyo.

In total, the organizers awarded $382,750 for 16 unique working zero-day exploits targeting infotainment systems, electric vehicle (EV) chargers, and automotive operating systems. The team fuzzware.io, composed of Tobias Scharnowski (@ScepticCtf), Felix Buchmann (@diff_fusion), and Kristian Covic (@SeTcbPrivilege), earned $50,000 and received 10 Master of Pwn points.

Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) received the biggest reward, $50,000 and 5 Master of Pwn points, for demonstrating a hard-coded cryptographic key bug in the Ubiquiti charger.

The PHP Hooligans also earned $50,000 and 5 Master of Pwn points for demonstrating a heap-based buffer overflow to exploit the Autel charger.

The Synacktiv team chained a stack-based buffer overflow and a known bug in OCPP to exploit the ChargePoint with signal manipulation through the connector. The team earned $47,500 and 4.75 Master of Pwn points.

Rob Blakely and Andres Campuzano of the Technical Debt Collectors exploited Automotive Grade Linux using multiple bugs, earning $33,500 and 3.5 Master of Pwn points despite one known bug.

The complete list of exploits demonstrated on Day 1 of Pwn2Own Automotive 2025 is available here.

Curiously, no attempts were made to demonstrate vulnerabilities in a Tesla vehicle, despite organizers offering a $500,000 reward for an autopilot exploit.

Pierluigi Paganini

(SecurityAffairs – hacking, Pwn2Own Automotive 2025)