The Pwn2Own Automotive 2025 hacking contest ended with security researchers earning $886,250 for successfully exploiting 49 zero-days. The event saw participants target various automotive systems, including electric vehicle chargers, car operating systems like Android Automotive OS, Automotive Grade Linux, and BlackBerry QNX, as well as in-vehicle infotainment systems. Tesla provided a Model 3/Y benchtop unit for the competition, and their Wall Connector charger was specifically targeted.
Competitors earned $382,750 by demonstrating 16 unique zero-days on the first day, and an additional $335,500 was awarded for the exploitation of 23 more zero-day vulnerabilities, including two successful hacks of Tesla’s EV charger. On the final day, participants earned another $168,000 for ten more zero-days.
Hacking highlights at Pwn2Own 2025
Sina Kheirkhah from Summoning Team topped the leaderboard with 30.5 Master of Pwn points and $222,250 in cash awards, achieved by hacking multiple EV chargers and IVI systems. Synacktiv secured second place with $147,500, followed by PHP Hooligans with $110,000, fuzzware.io with $68,750, and Viettel Cyber Security with $53,750. After the zero-days are demonstrated and reported at Pwn2Own events, vendors have 90 days to release security patches before Trend Micro’s Zero Day Initiative publicly discloses the vulnerabilities.
In January 2024, security researchers earned $1,323,750 for demonstrating 49 zero-day bugs in various electric car systems, including hacking a Tesla car twice. Two months later, ZDI awarded another $1,132,500 for 29 zero-day bugs, with Synacktiv earning $200,000 and a Tesla Model 3 after hacking the car’s Electronic Control Unit with Vehicle CAN BUS control in under 30 seconds. The results and highlights from Pwn2Own Automotive 2025 emphasize the critical need for ongoing vigilance and advancements in automotive cybersecurity.
