Pwn2Own Automotive 2026 - Day One Results
Pwn2Own Automotive 2026第一天有30支队伍参与比赛,展示了针对最新汽车系统的漏洞利用。部分团队成功通过堆栈溢出、链式漏洞等技术获得控制权并赢得奖金和积分,而部分团队未能完成任务。 2026-1-21 04:3:33 Author: www.thezdi.com(查看原文) 阅读量:0 收藏

Welcome to Day One of Pwn2Own Automotive 2026! Today, 30 entries are taking the Pwn2Own stage to target the latest automotive systems, as the world’s top security researchers push technology to its limits. Exploits, surprises, and breakthrough discoveries are already unfolding - follow along here for updates throughout the day as the competition continues.

Stay up to date by following us on Twitter, Mastodon, LinkedIn, and Bluesky, and join the conversation using #Pwn2Own Automotive and #P2OAuto for continuous coverage. 

FAILURE - Unfortunately, Team Hacking Group targeting Kenwood DNR1007XR in the In-Vehicle Infotainment (IVI) category could not get their exploit working within the time allotted.

SUCCESS - Neodyme AG (@Neodyme) used a stack based buffer overflow to get a root shell on the Alpine iLX-F511, earning $20,000 USD and 2 Master of Pwn points.

SUCCESS - Fuzzware.io ( @ScepticCtf, @diff_fusion, @SeTcbPrivilege) chained two vulnerabilities (CWE-306, CWE-347) to achieve code execution on the Autel charger and manipulate the charging signal, earning $50,000 USD and 5 Master of Pwn points. Full win with the add-on.

SUCCESS - Taejin Kim (@tae3), Junsu Yeo (@junactually), Sunmin Park (@sunminpark4503), Sungmin Son (@_ssm98), and Hoseok Lee of SKShieldus (@EQSTLab) of 299 exploited a hardcoded credential (CWE-798) to achieve code execution via CWE-494 on the Grizzl-E Smart 40A, earning $40,000 USD and 4 Master of Pwn points.

SUCCESS - Bongeun Koo (@kiddo_pwn) and Evangelos Daravigkas (@freddo_1337) of Team DDOS exploited two bugs, including a command injection, against the ChargePoint Home Flex. Add-on failed, but still earned $40,000 USD and 4 Master of Pwn points.

SUCCESS - Cyrill Bannwart, Emanuele Barbeno, Yves Bieri, Lukasz D., and Urs Mueller of Compass Security (@compasssecurity) exploited one exposed dangerous method/function bug on the Alpine iLX-F511, winning Round 2 for $10,000 USD and 2 Master of Pwn points.

SUCCESS - PetoWorks (@petoworks) chained three bugs - including Denial of Service (DoS), a race condition, and command injection - against the Phoenix Contact CHARX SEC-3150, winning Round 1 for $50,000 USD and 5 Master of Pwn points with the signal manipulation add-on.

SUCCESS - Synacktiv (@synacktiv) chained three vulnerabilities to gain root-level code execution on the Sony XAV-9500ES, earning a full win of $20,000 USD and 2 Master of Pwn points.

SUCCESS - Tobias Scharnowski (@ScepticCtf), Felix Buchmann (@diff_fusion), and Kristian Covic (@SeTcbPrivilege) of Fuzzware.io exploited an n-day command injection against Kenwood, earning $8,000 USD and 1 Master of Pwn point.

SUCCESS - Yannik Marchand (@kinnay) exploited a single out-of-bounds write to achieve a full win against the Kenwood DNR1007XR, earning $20,000 USD and 2 Master of Pwn points.

FAILURE - Hyunseok Yun, Heaeun Moon, and Eungyo Seo of CIS targeted the Alpine iLX-F511 but were unable to complete their exploit within the allotted time.


文章来源: https://www.thezdi.com/blog/2026/1/21/pwn2own-automotive-2026-day-one-results
如有侵权请联系:admin#unsafe.sh