Researchers Hack Tesla Infotainment at Pwn2Own Automotive 2026, 37 Zero‑Days Exploited on Day One

Security researchers hacked the Tesla Infotainment System at the Pwn2Own Automotive 2026 contest in Tokyo on January 21 and earned $516,500 after exploiting 37 zero-day vulnerabilities, a blog post by the Zero Day Initiative reported.

KEY FACTS

  • Incident: Tesla Infotainment System rooted via chained bugs
  • Event: Pwn2Own Automotive 2026 in Tokyo, January 21 to 23
  • Day one impact: 37 zero-days exploited and $516,500 awarded
  • Vendor action: 90 days to release fixes before public disclosure

Synacktiv Team chained an information leak and an out-of-bounds write to gain root permissions on the Tesla Infotainment System in a USB-based attack, earning $35,000. The same team also chained three vulnerabilities to gain root-level code execution on a Sony XAV-9500ES for $20,000.

Team Fuzzware.io collected $118,000 after demonstrating issues in an Alpitronic HYC50 Charging Station, an Autel charger, and a Kenwood DNR1007XR navigation receiver. PetoWorks earned $50,000 for chaining three zero-day bugs to root a Phoenix Contact CHARX SEC-3150 charging controller.

Team DDOS earned $72,500 for compromises against the ChargePoint Home Flex, the Autel MaxiCharger, and the Grizzl-E Smart 40A vehicle charging station. The contest schedule lists multiple follow-up attempts on day two for several chargers and receivers.

Vendors have a 90-day window to develop and release security fixes before public disclosure by the Zero Day Initiative. The contest runs during the Automotive World conference and follows previous Pwn2Own Automotive events that also yielded large payouts for zero-day discoveries.

WHY IT MATTERS

The demonstrations show that in-vehicle infotainment systems and EV charging equipment can be exploited through chained software flaws. The 90-day disclosure timeline gives vendors a limited window to issue patches and mitigate risk to vehicles and charging infrastructure.