Tesla hacked, 37 zero-days demoed at Pwn2Own Automotive 2026

Security researchers have hacked the Tesla Infotainment System and earned $516,500 after exploiting 37 zero-days on the first day of the Pwn2Own Automotive 2026 competition.

Synacktiv Team took home $35,000 after successfully chaining an information leak and an out‑of‑bounds write flaw to get root permissions on the Tesla Infotainment System in the USB-based attack category. They also chained three vulnerabilities to gain root-level code execution on the Sony XAV-9500ES digital media receiver, earning an additional $20,000 cash award.

Teams Fuzzware.io collected another $118,000 after hacking an Alpitronic HYC50 Charging Station, an Autel charger, and a Kenwood DNR1007XR navigation receiver, while PetoWorks was awarded $50,000 for chaining three zero-day bugs to gain root privileges on a Phoenix Contact CHARX SEC-3150 charging controller.

Team DDOS also earned $72,500 for hacking the ChargePoint Home Flex, the Autel MaxiCharger, and the Grizzl-E Smart 40A vehicle charging station.

On the second day of Pwn2Own, the Grizzl-E Smart 40A will be targeted by four teams, the Autel MaxiCharger will be targeted three times, while two teams will attempt to root the ChargePoint Home Flex, each successful attempt bringing the hackers $50,000.

Team Fuzzware.io will also attempt to hack the Phoenix Contact CHARX SEC-3150 vehicle charger for a $70,000 cash reward.

Vendors have 90 days to develop and release security fixes before TrendMicro's Zero Day Initiative publicly discloses them after the zero-day flaws are exploited and reported during the Pwn2Own contest.

The Pwn2Own Automotive 2026 hacking contest focuses on automotive technologies and takes place this week in Tokyo, Japan, during the Automotive World auto conference, from January 21 to January 23.

Throughout this hacking competition, security researchers will target fully patched in-vehicle infotainment (IVI) systems, electric vehicle (EV) chargers, and car operating systems (e.g., Automotive Grade Linux).

The complete schedule for this year's automotive competition is available here, while the full schedule for the first day and the results for each challenge are available here.

The Pwn2Own Automotive 2025 competition concluded with hackers collecting $886,250 after exploiting 49 zero-day vulnerabilities.

During the first Pwn2Own Automotive contest in 2024, they collected another $1,323,750 in cash awards after demoing 49 zero-day bugs in multiple electric car systems and hacking Tesla twice.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Thursday 22 January 2026 at 4:43 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025: 5,700+

RIP Matrix