Security researchers successfully breached the Tesla Infotainment System and secured $516,500 in prizes after exploiting 37 zero-day vulnerabilities during the opening day of the Pwn2Own Automotive 2026 competition. Various hacking teams demonstrated multiple exploits against vehicle charging stations and navigation systems, leading to significant cash awards and a 90-day window for vendors to patch the discovered flaws.
The Pwn2Own Automotive 2026 competition began with a massive display of cybersecurity expertise as researchers targeted high-profile automotive technology. On the first day alone, participants identified 37 previously unknown vulnerabilities, known as zero-days, within the Tesla Infotainment System and other peripheral devices. This initial wave of successful exploits resulted in a collective payout of over half a million dollars, highlighting the critical importance of testing connected vehicle security in a controlled environment.
A standout performance came from the Synacktiv Team, which secured root permissions on the Tesla Infotainment System through a USB-based attack. By chaining an information leak with an out-of-bounds write flaw, they earned $35,000 for the Tesla breach. The team continued their momentum by gaining root-level code execution on a Sony digital media receiver, which added another $20,000 to their total winnings for the day.
Other participants focused their efforts on the infrastructure supporting electric vehicles, specifically charging stations and navigation hardware. Team Fuzzware.io amassed $118,000 by successfully compromising several devices, including two different brands of chargers and a Kenwood navigation receiver. Similarly, PetoWorks received $50,000 for gaining root privileges on a Phoenix Contact charging controller, while Team DDOS earned $72,500 for exploiting vulnerabilities in ChargePoint, Autel, and Grizzl-E home charging units.
The momentum is expected to continue into the second day of the competition, with multiple teams lining up to target popular charging hardware. The Grizzl-E Smart 40A and Autel MaxiCharger remain primary targets, with several groups attempting to replicate or find new ways to root these systems. Each successful demonstration offers a potential $50,000 reward, while a specific attempt to breach a Phoenix Contact vehicle charger could net Fuzzware.io an additional $70,000.
Following the successful exploitation and reporting of these flaws during the contest, a structured disclosure process begins to protect the public. The Zero Day Initiative provides the affected vendors with all relevant technical details so they can develop security updates. Manufacturers are given a 90-day period to create and distribute fixes for their customers before the vulnerabilities are publicly disclosed, ensuring that the automotive ecosystem becomes more resilient against future attacks.
Source: Tesla Hacked As 37 Zero Days Were Demonstrated At Pwn2Own Automotive 2026



37 zero-days in one event is remarkable for Tesla's infotainment system. The $516K payout underscores how seriously the industry is taking automotive cybersecurity now. What's interesting is the 90-day disclosure window - it creates real pressure on Tesla's security team to patch quickly while giving researchers proper recognition. The irony of course is that Tesla is generally considered one of the more security-conscious automakers. Imagine what Pwn2Own would find in legacy automotive systems without OTA update capabilities.