The much-anticipated Pwn2Own Automotive 2025 kicked off today at Tokyo Big Sight, showcasing the cutting edge of automotive cybersecurity research.
On its first day, white-hat hackers demonstrated their skills by exploiting 16 previously unknown vulnerabilities across in-vehicle infotainment (IVI) systems, electric vehicle (EV) chargers, and operating systems (OS). The event awarded a staggering $382,750 in prizes to participants.
Key Highlights from Day 1
The competition saw a mix of successes, collisions (where exploits overlapped with known vulnerabilities), and failures. Here are the notable achievements:
- PCAutomotive exploited a stack-based buffer overflow on the Alpine IVI system, earning $20,000 and two Master of Pwn points.
- Viettel Cyber Security successfully used an OS command injection bug to exploit the Kenwood IVI system for $20,000 and two points.
- Cong Thanh and Nam Dung of ANHTUD leveraged an integer overflow to gain code execution on the Sony XAV-AX8500 IVI system, securing $20,000 and two points.
- Sina Kheirkhah of Summoning Team executed a three-bug combo to exploit the Phoenix Contact CHARX SEC-3150 EV charger. Despite one bug being previously disclosed, he earned $41,750 and 4.25 points.
- Synacktiv utilized a stack-based buffer overflow combined with a known OCPP bug to manipulate signals on the ChargePoint charger. This earned them $47,500 and 4.75 points.
The standout performance came from PHP Hooligans, who exploited a heap-based buffer overflow on the Autel charger to claim $50,000 and five Master of Pwn points.

Similarly impressive was Sina Kheirkhah, who later exploited a hard-coded cryptographic key vulnerability in a Ubiquiti charger for another $50,000 and five points.
Another notable success came from fuzzware.io, whose team accessed an Autel MaxiCharger via an open port and exploited it using a stack-based buffer overflow. Their efforts netted them $25,000 and five points.
Bug collisions—where multiple teams targeted the same vulnerabilities—were a recurring theme. For example:
- SK Shieldus encountered a collision while exploiting an unpatched OS command injection bug in Alpine IVI from last year’s contest. They received only $5,000 and one point.
- Similarly, Bongeun Koo of STEALIEN faced a collision on Alpine IVI but managed to earn $5,000.
Despite some failures, such as unsuccessful attempts by Riccardo Mori (Quarkslab) and Sina Kheirkhah on certain targets, the day ended in high spirits.
Leaderboard Update
- The team from fuzzware.io leads the Master of Pwn race with multiple successful exploits.
- Close behind is Sina Kheirkhah, who amassed $91,750 in winnings and 9.25 points.

Pwn2Own Automotive 2025 continues until January 24, with more exploits expected as researchers tackle additional targets. The event underscores the importance of addressing cybersecurity risks in software-defined vehicles as they become increasingly integral to modern transportation.