Hackers Break Tesla Infotainment on Day One, Walk Away with $516,500 in Zero-Day Wins

Pwn2Own Automotive 2026 opens with record-breaking exploits against EVs, chargers, and in-car systems


Security researchers stunned the automotive security world on the opening day of Pwn2Own Automotive 2026 after exploiting 37 zero-day vulnerabilities in a single day, earning a combined $516,500 in rewards.

One of the most notable targets was Tesla, whose infotainment system was successfully compromised despite running fully patched software.

Tesla Infotainment Rooted via USB Exploit Chain

The Synacktiv team demonstrated a USB-based attack that chained an information disclosure flaw with an out-of-bounds write vulnerability. This combination allowed the researchers to gain root-level access to the Tesla Infotainment System, earning $35,000.

The same team later exploited a Sony XAV-9500ES digital media receiver by chaining three additional vulnerabilities, securing another $20,000.

EV Chargers Become Prime Targets

Other teams focused heavily on electric vehicle charging infrastructure, highlighting growing concerns around EV ecosystem security.

  • Fuzzware.io earned $118,000 after successfully hacking an Alpitronic HYC50 charger, an Autel charger, and a Kenwood DNR1007XR navigation system
  • PetoWorks collected $50,000 by chaining three zero-days to gain root access on a Phoenix Contact CHARX SEC-3150 charging controller
  • Team DDOS secured $72,500 by compromising the ChargePoint Home Flex, Autel MaxiCharger, and the Grizzl-E Smart 40A charger

More High-Value Targets Lined Up

The competition is far from over. On the following day:

  • Multiple teams will attempt to re-exploit the Grizzl-E Smart 40A
  • The Autel MaxiCharger and ChargePoint Home Flex remain high-value targets
  • Fuzzware.io plans another attempt against the Phoenix Contact CHARX SEC-3150 for a $70,000 reward

Each successful exploit can bring researchers up to $50,000 per target.

What Happens Next

Under Pwn2Own rules, affected vendors have 90 days to patch the reported vulnerabilities before Trend Micro's Zero Day Initiative discloses them publicly.

The event continues this week in Tokyo alongside the Automotive World conference, with researchers targeting in-vehicle infotainment systems, EV chargers, and automotive operating systems such as Automotive Grade Linux.

Why This Matters

The results once again show that modern vehicles and charging infrastructure are high-value cyber targets. Even fully patched systems can fall to creative exploit chains, reinforcing the need for continuous security testing and faster patch cycles across the automotive industry.