The annual event, now in its third year, is designed to expose critical weaknesses in connected vehicle systems before they can be exploited by malicious actors. This year drew a record number of entries, reflecting growing interest among researchers and industry observers in automotive cybersecurity.
At the end of the competition, Fuzzware.io was crowned Master of Pwn — the contest’s top honor — after earning $215,500 across multiple successful exploits, the highest individual payout of the event.
Chargers Under Fire
Electric vehicle charging infrastructure emerged as one of the most revealing areas of vulnerability, with researchers demonstrating multiple ways to compromise real-world systems before attackers could find them. On the second day of the competition, the Synacktiv team gained access to an Autel MaxiCharger AC Elite Home 40A simply by tapping an NFC card, underscoring how physical interfaces once thought secure can be manipulated to bypass protections.
On the final day, Juurin Oy, a team from Finland, exploited a Time-of-Check-to-Time-of-Use (TOCTOU) bug on an Alpitronic HYC50 DC fast charger. To illustrate the depth of their access, they installed and ran a playable version of Doom on the charger’s display, a tongue-in-cheek yet technically significant demonstration that drove home the potential for unauthorized code execution on charging hardware.
Those exploits weren’t isolated. Across all three days, chargers from multiple manufacturers — including Phoenix Contact’s CHARX SEC-3150 controller, ChargePoint Home Flex units, and Grizzl-E Smart stations — were compromised using varied techniques such as buffer overflows, command injections, and logic flaws.
Beyond Chargers: Infotainment and OS Vulnerabilities
Charging systems weren’t the only targets. Infotainment units and in-vehicle platforms also fell victim to creative exploit chains. Researchers demonstrated hacks against Tesla’s infotainment system as well as Alpine and Kenwood systems, proving that even well-patched consumer hardware can be coaxed into revealing serious flaws.
A standout demonstration involved chaining three vulnerabilities to compromise Automotive Grade Linux, a widely used open-source automotive OS, underlining how integration between software components can create unexpected attack paths.
Implications for the Industry
The prominence of EV charger exploits at this year’s event marks a noteworthy evolution in automotive cybersecurity. While early Pwn2Own Automotive competitions focused primarily on vehicles and infotainment systems, this year’s expanded set of targets — including high-power chargers and communication protocols — reflected a broader threat landscape that now encompasses the critical infrastructure that supports electric mobility.
Trend Micro and ZDI have a well-established approach to responsible vulnerability disclosure: vendors are given a 90-day window to develop and deploy security patches before technical details are made public. This coordination aims to ensure that vulnerabilities found in competitions such as this one can be fixed before they are weaponized by malicious actors.
Organizers said the event not only reveals risks, but also drives improvements. “As vehicle systems continue to become more connected — and as charging networks form an increasingly essential part of the EV ecosystem — competitions like Pwn2Own Automotive give manufacturers and suppliers early warning of where to strengthen defenses,” said Dustin Childs, Head of Threat Awareness at Trend Micro, one of the contest’s organizers.
Looking Ahead
With EV adoption accelerating worldwide and charging infrastructure rapidly proliferating, the stakes for securing every part of the electric mobility ecosystem have never been higher. The success of Pwn2Own Automotive 2026 underscores not just how much technology has advanced, but how rapidly security researchers must adapt to protect it.
Prize Winners and Bounties
| Team or Researcher | Target | Bounty (USD) | Master of Pwn Points (if known) |
|---|---|---|---|
| Fuzzware.io | Alpitronic HYC50 (Field Mode) | $60,000 | 6 |
| Synacktiv | Tesla Infotainment System | $35,000 | 3.5 |
| Synacktiv | Sony XAV‑9500ES | $20,000 | |
| PetoWorks | Phoenix Contact CHARX SEC‑3150 | $50,000 | |
| Team DDOS | ChargePoint Home Flex | $40,000 | |
| Fuzzware.io | Autel Charger (Day 1) | Included above | |
| Fuzzware.io | Kenwood DNR1007XR | Included above | |
| Fuzzware.io | Phoenix Contact CHARX SEC‑3150 | $50,000 | 7 |
| Fuzzware.io | ChargePoint Home Flex | $30,000 | |
| Fuzzware.io | Grizzl‑E Smart 40A | $15,000 | |
| Rob Blakely (Technical Debt Collectors) | Automotive Grade Linux | $40,000 | 4 |
| InnoEdge Labs (Hank Chen) | Alpitronic HYC50 (Lab Mode) | $40,000 | |
| Sina Kheirkhah (Summoning Team) | Kenwood & Alpine Targets | $40,000 | |
| Fuzzware.io | Alpine iLX‑F511 | $2,500 | 1 |
| Juurin Oy | Alpitronic HYC50 (TOCTOU & Doom) | $20,000 | 4 |
| Ryo Kato | Autel MaxiCharger AC Elite Home 40A | $16,750 | 3.5 |
| Viettel Cyber Security | Sony XAV‑9500ES | $10,000 | 2 |
| Nguyen Thanh Dat | Kenwood DNR1007XR | $5,000 | 2 |
| PetoWorks | Grizzl‑E Smart 40A | $10,000 | 4 |
| Team DDOS | Alpine iLX‑F511 | $5,000 | |
| Juurin Oy | Kenwood DNR1007XR (Link Follow) | $5,000 | 2 |
| Autocrypt Team | Alpine iLX‑F511 | $3,000 | 1.25 |
| Qrious Secure | Grizzl‑E Smart 40A / Kenwood | $9,000 | 3.75 |
| FPT NightWolf Team | Alpine iLX‑F511 | $5,000 | 2 |