Hackers exploit 16 zero-days on first day of Pwn2Own Automotive 2025

submitted by
Style Pass
2025-01-23 13:30:10

On the first day of Pwn2Own Automotive 2025, security researchers exploited 16 unique zero-days and collected $382,750 in cash awards.

Fuzzware.io is leading the competition after hacking the Autel MaxiCharger and Phoenix Contact CHARX SEC-3150 electric vehicle chargers using a stack-based buffer overflow and an origin validation error bug. This earned them $50,000 and 10 Master of Pwn points.

Sina Kheirkhah of Summoning Team also earned $91,750 and 9.25 Master of Pwn points after hacking the Ubiquiti and Phoenix Contact CHARX SEC-3150 EV chargers using a hard-coded cryptographic key bug and a combo of three zero-days (one of them previously known).

Synacktiv Team is in third place on the leaderboard and took home $57,500 after successfully demoing a bug in the OCPP protocol to hack the ChargePoint Home Flex (Model CPH50) using signal manipulation through the connector.

Security researchers from PHP Hooligans also successfully hacked a fully patched Autel charger using a heap-based buffer overflow and earned $50,000, while the Viettel Cyber Security team collected $20,000 after obtaining code execution on the Kenwood In-Vehicle Infotainment (IVI) using an OS command injection zero-day.
