The Pwn2Own Automotive 2025 hacking contest has ended with security researchers collecting $886,250 after exploiting 49 zero-days.
Throughout the event, they targeted automotive software and products, including electric vehicle (EV) chargers, car operating systems (i.e., Android Automotive OS, Automotive Grade Linux, and BlackBerry QNX), and in-vehicle infotainment (IVI) systems.
According to the Pwn2Own Tokyo 2025 contest rules, all devices targeted ran the latest operating system versions and had all security updates installed.
While Tesla also provided a Model 3/Y (Ryzen-based) equivalent benchtop unit, security researchers who joined the competition registered attempts only against the company’s Wall Connector charger.
The competitors collected $382,750 in cash awards after demoing 16 unique zero-days on the first day and another $335,500 on the second day after exploiting 23 more zero-day vulnerabilities and hacking Tesla’s EV charger twice. On the third day of Pwn2Own, they collected another $168,000 for 10 more zero-days.
After the zero-days are demoed and reported during Pwn2Own events, vendors have 90 days to release security patches before Trend Micro’s Zero Day Initiative publicly discloses them.
Summoning Team’s Sina Kheirkhah won Pwn2Own Automotive 2025 with 30.5 Master of Pwn points and $222,250 in cash awards after hacking multiple EV chargers and in-vehicle infotainment (IVI) systems.
Synacktiv took second place with $147,500, PHP Hooligans earned $110,000, fuzzware.io will go home with $68,750, and Viettel Cyber Security collected $53,750 for the zero-day exploits demoed during the three days of the competition.
The results for each challenge on Pwn2Own Automotive 2025’s last day and the final results can be found here.
During the first edition of Pwn2Own Automotive in January 2024, security researchers earned $1,323,750 for demonstrating 49 zero-day bugs in multiple electric car systems and hacking a Tesla car twice.
Two months later, during the Pwn2Own Vancouver 2024 competition, ZDI awarded another $1,132,500 for 29 zero-day bugs. Synacktiv went home with $200,000 and a Tesla Model 3 after hacking its ECU with Vehicle (VEH) CAN BUS Control in under 30 seconds.