Pwn2Own: Researchers Earn $1 Million for 76 Zero-Days

Discovering critical vulnerabilities across connected vehicles, EV chargers, and automotive systems

As connected cars proliferate worldwide, data security for vehicles has become more critical than ever. Whether gas-powered or electric, new vehicles send and receive huge quantities of data, raising data privacy and safety concerns for manufacturers and customers.

The TrendAI Zero Day Initiative™ (ZDI) sits at the forefront of threat research, and connected vehicles are no exception. Last week, TrendAI ZDI hosted Pwn2Own Automotive in Tokyo, inviting security researchers from around the world to responsibly demonstrate and disclose exploits and zero-day vulnerabilities at the world’s most prestigious hacking competition. Participants targeted connected vehicle devices including electric vehicle chargers, in-vehicle infotainment systems, automotive operating systems, and more.

A total of 76 vulnerabilities were disclosed at the event, with contestants earning $1,047,000 in prizes. The team from Fuzzware.io was crowned the Master of Pwn with $215,000 earned for their efforts.

VicOne co-hosted the event with TrendAI ZDI. The event was sponsored by Tesla and supported by partners Alpitronic and the Open Charge Alliance.

Other highlights of the event included:

  • Synacktiv (@synacktiv) chained an information leak and an out‑of‑bounds write to exploit the Tesla Infotainment system in the USB‑based Attack category.
  • The Synacktiv team also achieved a Pwn2Own first by using NFC to target the Autel MaxiCharger AC Elite Home 40A with the Charging Connector Protocol/Signal Manipulation add‑on.
  • Fuzzware.io (@ScepticCtf, @diff_fusion, @SeTcbPrivilege) chained two vulnerabilities to achieve code execution on the Autel MaxiCharger AC Elite Home 40A EV Charger and manipulate the ChargePoint signal.

TrendAI uses disclosures from Pwn2Own to protect customers from zero-day exploits an average of 71 days ahead of the rest of the cybersecurity industry.

“Proactive security is at the center of our mission to protect customers and the world from cyber threats faster than any other security provider. TrendAI ZDI is a key contributor to our unmatched threat intelligence. Connected assets are rapidly becoming an integral part of the digital world, and we’re proud to bring together security experts at Pwn2Own to push threat research forward.” —Rachel Jin, Chief Platform and Business Officer at TrendAI
