Pwn2Own Automotive 2025: Zero-Day Vulnerabilities and Automotive Cybersecurity Threats
Pwn2Own Automotive 2025 Highlights
The first day of the Pwn2Own Automotive 2025 competition, held on January 22, 2025 as part of the Automotive World auto conference in Tokyo, saw significant exploits of zero-day vulnerabilities in various automotive technologies.
- Number of Exploits: Security researchers successfully exploited 16 unique zero-day vulnerabilities, earning a total of $382,750 in cash awards [1].
- Targets: The targets included electric vehicle (EV) chargers, in-vehicle infotainment (IVI) systems, and car operating systems such as Automotive Grade Linux, Android Automotive OS, and BlackBerry QNX.
- Notable Exploits:
  - Fuzzware.io led the competition by hacking the Autel MaxiCharger and Phoenix Contact CHARX SEC-3150 EV chargers using a stack-based buffer overflow and an origin validation error bug, earning $50,000 and 10 Master of Pwn points [1].
  - Sina Kheirkhah of Summoning Team exploited the Ubiquiti and Phoenix Contact CHARX SEC-3150 EV chargers using a hard-coded cryptographic key bug and a combination of three zero-days, earning $91,750 and 9.25 Master of Pwn points [1].
  - Synacktiv Team hacked the ChargePoint Home Flex (Model CPH50) using signal manipulation through the connector, earning $57,500 [1].
  - PHP Hooligans successfully hacked a fully patched Autel charger using a heap-based buffer overflow, earning $50,000 [1].
  - Viettel Cyber Security team obtained code execution on the Kenwood In-Vehicle Infotainment (IVI) using an OS command injection zero-day, earning $20,000 [1].
Automotive Cybersecurity Threats in 2025
Industrial Control Systems and Automotive Technologies
- CISA Advisories: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued advisories highlighting vulnerabilities in critical systems. For instance, vulnerabilities in the Traffic Alert and Collision Avoidance System (TCAS) II could allow attackers to manipulate safety systems and cause denial-of-service conditions. This vulnerability, designated as CVE-2024-9310, affects versions 7.1 and prior of TCAS II [3].
- ZF’s RSSPlus Equipment: CISA also disclosed an authentication bypass vulnerability in ZF’s RSSPlus equipment, which could allow unauthenticated attackers to remotely call diagnostic functions, impacting system availability and integrity. This vulnerability is designated as CVE-2024-12054 [3].
General Cybersecurity Threats Relevant to Automotive
- Microsoft Patch Tuesday: Microsoft released its January 2025 Patch Tuesday updates, addressing 159 vulnerabilities, including eight zero-days, three of which are under active exploitation. This highlights the ongoing need for prompt patching in all sectors, including automotive [4].
- SAP and Other High-Profile Vulnerabilities: Significant vulnerabilities have been identified in SAP NetWeaver Application Server, including improper authentication, weak access controls, SQL injection, and session hijacking. These vulnerabilities are particularly concerning due to SAP's widespread use in critical industries [4].
Exploitation and Mitigation
- Exploitation Timeline: After the zero-day vulnerabilities are exploited and reported during Pwn2Own, vendors have 90 days to develop and release security patches before Trend Micro's Zero Day Initiative publicly discloses them [1].
- Mitigation Strategies: Immediate patching and updating of affected systems are recommended. For example, Siemens recommends updating SIMATIC S7-1200 CPU to V4.7 or later, and avoiding links from untrusted sources as a workaround [3].
- Active Exploitation: Threat actors are actively exploiting various vulnerabilities, such as the critical authorization bypass vulnerability in FortiOS, which has been observed in attempts to gain super-admin privileges on affected systems. Upgrading FortiOS to the latest patched versions is advised [4].
Conclusion
The Pwn2Own Automotive 2025 competition has once again highlighted the critical need for robust cybersecurity measures in the automotive sector. The exploitation of 16 zero-day vulnerabilities on the first day of the competition underscores the vulnerabilities present in EV chargers, IVI systems, and car operating systems. As the automotive industry continues to integrate more complex technologies, staying vigilant and proactive in addressing these vulnerabilities is crucial to ensuring the safety and security of vehicles and their users.