Hackers get $886,250 for 49 zero-days at Pwn2Own Automotive 2025
The Pwn2Own Automotive 2025 hacking contest has ended with security researchers collecting $886,250 after exploiting 49 zero-days.
Throughout the event, they targeted automotive software and products, including electric vehicle (EV) chargers, car operating systems (i.e., Android Automotive OS, Automotive Grade Linux, and BlackBerry QNX), and in-vehicle infotainment (IVI) systems.
According to the Pwn2Own Tokyo 2025 contest rules, all devices targeted ran the latest operating system versions and had all security updates installed.
While Tesla also provided a Model 3/Y (Ryzen-based) equivalent benchtop unit, security researchers who joined the competition have only registered attempts against the company's Wall Connector charger.
The competitors collected $382,750 in cash awards after demoing 16 unique zero-days on the first day and another $335,500 on the second day after exploiting 23 more zero-day vulnerabilities and hacking Tesla's EV charger twice. On the third day of Pwn2Own, they collected another $168,000 for 10 more zero-days.
After the zero-days are demoed and reported during Pwn2Own events, vendors have 90 days to release security patches before Trend Micro's Zero Day Initiative publicly discloses them.

Summoning Team's Sina Kheirkhah won this year's edition of Pwn2Own Automotive 2025 with 30.5 Master of Pwn points and $222,250 in cash awards, earned by hacking multiple EV chargers and in-vehicle infotainment (IVI) systems.
Synacktiv took second place with $147,500, PHP Hooligans earned $110,000, fuzzware.io will go home with $68,750, and Viettel Cyber Security collected $53,750 for the zero-day exploits demoed during the three days of the competition.
The results for each challenge on Pwn2Own Automotive 2025's last day and the final results can be found here.
During the first edition of Pwn2Own Automotive in January 2024, security researchers earned $1,323,750 for demonstrating 49 zero-day bugs in multiple electric car systems and hacking a Tesla car twice.
Two months later, during the Pwn2Own Vancouver 2024 competition, ZDI awarded another $1,132,500 for 29 zero-day bugs. Synacktiv went home with $200,000 and a Tesla Model 3 after hacking its ECU with Vehicle (VEH) CAN bus control in under 30 seconds.