Pwn2Own Automotive 2025 - Day Two Results
January 22, 2025 | Dustin ChildsWelcome to the second day of Pwn2Own Automotive 2025. Yesterday, we awarded more than $380,000 for 16 unique 0-days - and we had several bug collisions as well. Today looks to be even better, with the WOLFBOX and Tesla EV chargers making their Pwn2Own debut. Here’s how the Master of Pwn standings look at the beginning of Day Two:
We’ll see how they look at the end of the day. Here are the Day Two results, which we will be updating throughout the competition.
SUCCESS - Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) combined a couple of bugs to exploit the WOLFBOX charger and introduce it to the world of Pwn2Own. His efforts earn him $50,000 and 5 Master of Pwn points.
SUCCESS - The Tesla Wall Connector has been christened by the PHP Hooligans. They used a Numeric Range Comparison Without Minimum Check bug (CWE-839) to take over the machine and crash it. They earn $50,000 and 5 Master of Pwn points.
SUCCESS/COLLISION - The team of @vudq16, @tacbliw, and @_q5ca from Viettel Cyber Security (@vcslab) used a command injection combined with a known bug to exploit the ChargePoint HomeFlex. They earn $18,750 and 3.75 Master of Pwn points.
SUCCESS - We were definitely thrilled to see Cong Thanh (@ExLuck99) and Nam Dung (@greengrass19000) of ANHTUD use a command injection bug to exploit the Alpine iLX-507 and leave us a special message. Their round 2 win earns them $10,000 and 2 Master of Pwn points.
COLLISION - The ZIEN, Inc. (@zien_security) of HANRYEOL PARK (@hanR0724), HYOJIN LEE (@meixploit), HYEOKJONG YUN (@dig06161), HYEONJUN LEE (@gul9ul), DOWON KWAK (@D0uneo), YOUNGMIN CHO (@ZIEN0621) successfully exploited the Kenwood DMX958XR, but they used a known bug. They still win $5,000 and 5 Master of Pwn points.
SUCCESS - The folks from HT3 Labs (@ht3labs) used a missing authentication bug combined with an OS command injection to exploit the Phoenix Contact CHARX. Their 2nd round win nets them $25,000 and 5 Master of Pwn points.
COLLISION - Although the team of Radu Motspan (@moradek), Polina Smirnova (@moe_hw) and Mikhail Evdokimov (@konatabrk) from PCAutomotive successfully exploited the Tesla Wall Connector, the bug they used was previously known. The still earn $22,500 and 3.5 Master of Pwn points.
FAILURE - Unfortunately, the team o Tobias Scharnowski (@ScepticCtf), Felix Buchmann (@diff_fusion), and Kristian Covic (@SeTcbPrivilege) of fuzzware.io could not get their exploit of the ChargePoint HomeFlex working within the time allotted.
SUCCESS/COLLISION - Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) combined six different bugs, improper access control and stack-based buffer overflows, to exploit the Autel MaxiCharger. However, one of the bugs he used was previously known. He still earns $23,000 and 4.75 Master of Pwn points.
COLLISION - Although the Pony 74 team successfully exploited the Kenwood DMX958XR, the bug they used was previously known. They still earn $5,000 and 1 Master of Pwn point.
SUCCESS - The GMO Cybersecurity by Ierae, Inc. team combined an improper certificate validation bug to a path traversal to exploit the Alpine iLX-507. Their second round win earns them $10,000 and 2 Master of Pwn points.
SUCCESS/COLLISION - Rafal Goryl of PixiePoint Security used a 2 bug chain to exploit the WOLFBOX Level 2 EV Charger, but one of the bugs was previously known. He earns himself $18,750 and 3.75 Master of Pwn points.
SUCCESS - Radu Motspan (@moradek), Polina Smirnova (@moe_hw) and Mikhail Evdokimov (@konatabrk) of PCAutomotive chained three different bugs (a heap overflow, an authentication bypass, and an improper isolation bug) to exploit the Sony XAV-AX8500 with 0 clicks. Their third round win nets them $10,000 and 2 Master of Pwn points.
SUCCESS - Sina Kheirkhah (@SinSinology) of the Summoning Team (@SummoningTeam) continues his successful run at the contest continues as he uses a command injection bug to exploit the Kenwood DMX958XR. His second round win earns him another $10,000 and 2 Master of Pwn points.
SUCCESS - The team from Synacktiv used a logic bug as a part of their chain to exploit the Tesla Wall Connector via the Charging Connector. Their outstanding (and inventive) research earns them $45,000 and 7 Master of Pwn points.
COLLISION - The CIS Team exploited the Alpine IVI but used a known bug. The ghost of CVE-2024-23924 rears its head as the specter of "shared risk" lingers. The unfixed Alpine bug from last year strikes again. The CIS Team still earns $5,000 and 1 Master of Pwn points.
FAILURE - Unfortunately, the PHP Hooligans could not get their exploit of the WOLFBOX Level 2 EV Charger working within the time allotted.
COLLISION - The Viettel Cyber Security (@vcslab) successfully exploited the Sony XAV-AX8500, but the bug they used was previously know. They earn $5,000 and 1 Master of Pwn point.
FAILURE - Unfortunately, the fuzzware.io could not get their exploit of the EMPORIA EV Charger Level 2 EV Charger working within the time allotted.
COLLISION - In his final attempt of the day, Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) used a two bug chain to exploit the Tesla Wall Connector. However, both were already known by the vendor. This bug collision still earns him $12,500 and 2.5 Master of Pwn points.
FAILURE - Unfortunately, Compass Security (@compasssecurity) could not get their exploit of the Alpine iLX-507 working within the time allotted.
SUCCESS - Our final entry of Day Two saw Juurin Oy, Elias Ikkelä-Koski and Aapo Oksman export the Kenwood DMX958XR with a command injection bug. They earn $10,000 and 2 Master of Pwn points.
That brings our Day Two total to $335,500 and the total for the event to $718,250. The teams demonstrated 23 unique 0-days today, and Sina Kheirkhah has a commanding lead for Master of Pwn. We’ll see what the final day of the contest brings.