Full Report
The Pwn2Own Automotive 2025 hacking contest has ended with security researchers collecting $886,250 after exploiting 49 zero-days. [...]
Analysis Summary
This article describes the results and payouts from the Pwn2Own Automotive 2025 hacking competition, focusing on the discovery and reward of 49 zero-day vulnerabilities across various automotive and related technologies. It does **not** provide specific, standalone CVE identifiers, detailed technical exploits for a single product, or vendor patches, as it summarizes the collective outcome of a hacking contest.
# Vulnerability: Zero-Day Discoveries at Pwn2Own Automotive 2025
## CVE Details
- CVE ID: Not specified (The article summarizes multiple undisclosed zero-days)
- CVSS Score: Not specified
- CWE: Not specified
## Affected Systems
- Products: Various automotive systems, in-vehicle infotainment (IVI) systems, telematics control units (TCUs), and potentially underlying operating systems/firmware targeted in the competition.
- Versions: Specific vulnerable versions are not disclosed in this summary article.
- Configurations: Vulnerabilities were targeted across different categories of vehicle technology.
## Vulnerability Description
The article reports that security researchers successfully demonstrated 49 zero-day vulnerabilities during the Pwn2Own Automotive 2025 contest, resulting in total prize money of $886,250 being awarded. These vulnerabilities were successfully exploited against vendor targets in the automotive sector, indicating flaws in the design or implementation of vehicle software and communication systems. Specific technical details for individual flaws are confidential until vendors can issue fixes.
## Exploitation
- Status: **Demonstrated in a contest** (exploited successfully in a controlled, high-stakes contest environment; the article does not report in-the-wild exploitation, but the potential for real-world exploitation now exists until vendors ship fixes)
- Complexity: Implied to be **Medium/High**, given the context of a major security contest requiring complex chains to achieve system compromise.
- Attack Vector: Likely varied, including network (e.g., wireless connectivity, telematics), potentially local physical access (e.g., OBD-II ports), or application-level attacks targeting infotainment systems.
## Impact
Impact varies based on the specific zero-day vulnerability discovered, but in the automotive context, potential impacts include:
- Confidentiality: High (e.g., leakage of vehicle data, location)
- Integrity: High (e.g., modification of vehicle controls or system settings)
- Availability: Medium to High (e.g., Denial of Service or bricking of vehicle components)
## Remediation
### Patches
- **Specific patches are not listed**, as the details of the 49 bugs are typically withheld for a grace period to allow vendors to develop and release security updates corresponding to the exploited flaws.
### Workarounds
- No specific workarounds are provided in this summary report. Mitigation generally follows vendor guidance once products are identified as affected.
## Detection
- Detection methods rely on vendor-specific alerts once patches are released and details become public.
- General detection might involve monitoring for unusual network beaconing from internal vehicle ECUs or unauthorized access attempts on diagnostic/networking interfaces.
## References
- Vendor advisories: Vendors targeted in the competition (not listed in detail here) are expected to release advisories coinciding with public disclosure dates.
- Relevant links: `https://www.bleepingcomputer.com/news/security/hackers-get-886-250-for-49-zero-days-at-pwn2own-automotive-2025/`