The ‘Pwn2Own Automotive 2025’ cybersecurity competition took place from January 22 to 24, 2025. Now in its second year, the event brings together security researchers to uncover vulnerabilities in connected cars and report them to developers and manufacturers, advancing the industry.
Left: Brian Gorenc, Vice President of Threat Research at Trend Micro
Right: Max Cheng, CEO of VicOne
Preventing Zero-Day Attacks at the Source
This year’s competition saw participation from 21 teams (including individual participants) from 13 countries worldwide, including the United States, Japan, South Korea, Australia, the United Kingdom, Canada, France, Germany, Vietnam, Switzerland, the Netherlands, Hungary, and Finland. Over the three-day event, a total of 49 zero-day vulnerabilities were discovered.
*Read about the first competition here
A ‘zero-day vulnerability’ is a previously unknown flaw in a system or one that has been discovered but not yet patched. If a malicious attacker finds it first, it becomes a target for cyberattacks. A ‘zero-day attack’ occurs before a fix is released, and once a patch is available, any subsequent attack is known as a ‘one-day attack.’
To stay ahead of cyber threats and prevent zero-day attacks, top-tier security researchers from around the world come together to test their skills at Pwn2Own Automotive. The vulnerabilities discovered during this event are reported to vendors, strengthening automotive cybersecurity and helping prevent future attacks.
A Tense Battle of Skills
The competition consists of three target categories: In-Vehicle Infotainment (IVI) systems, Electric Vehicle (EV) chargers, and Operating Systems (OS). Researchers work within a set time limit to uncover unknown, unpublished, and previously unreported vulnerabilities. Successfully exploiting a vulnerability earns them points, while failure results in a penalty.
The first competitor to step up was France’s Synacktiv, who claimed the inaugural ‘Master of Pwn’ title last year. Targeting an EV charger, they successfully completed their attempt, setting an exciting tone for the event.
Synacktiv’s first challenge
[Read more: Pwn2Own Automotive Day 1 – 16 New Vulnerabilities Discovered – VicOne]
As the countdown ticked away, teams hovered over their devices with intense focus. The atmosphere felt like something straight out of a spy thriller. Witnessing their technical expertise firsthand was impressive, yet unsettling as it was hard to fathom these systems could be breached so quickly.
Fortunately, these vulnerabilities were discovered by the right people first.
The ultimate champion of Pwn2Own Automotive 2025 was Sina Kheirkhah of the UK (Summoning Team), who claimed the title of the second-ever Master of Pwn by earning a total of 30.5 points.
Across three days, a total of 49 zero-day vulnerabilities were discovered, with a combined prize pool of approximately $1 million awarded to participants. The details of the vulnerabilities will be disclosed 90 days after the event for security considerations. For a full breakdown, check out the official VicOne blog.
Pwn2Own Automotive 2025’s Top 5
One final point to note: uncovering vulnerabilities at this event does not imply that the affected products are inherently flawed. In the ever-evolving landscape of digital technology, no matter how meticulously a product is developed, perfection is an impossible feat. Failing to acknowledge vulnerabilities poses huge risks, so proactively addressing them and strengthening security is the best course of action.
In this regard, Pwn2Own Automotive plays a crucial role as a platform where automakers and top-tier security researchers exchange valuable insights. This event isn’t just significant for the automotive industry—it’s a key moment for the entire IT sector. One to watch for years to come.
Pwn2Own Automotive 2025
https://vicone.com/pwn2own-automotive
Trend Micro
https://www.trendmicro.com/en_us/business.html
VicOne
https://vicone.com/
