
Researchers find 49 automotive security holes
The world’s largest zero-day vulnerability discovery contest has found 49 security holes in automotive systems.
The Pwn2Own Automotive 2025 competition at Automotive World in Tokyo this week saw cybersecurity researchers from 13 countries come together to discover 49 unique zero-day vulnerabilities across systems such as in-vehicle infotainment (IVI) systems and electric vehicle (EV) chargers.
The researchers performed real-world testing on cutting-edge automotive technologies, all within Trend Micro’s Zero Day Initiative (ZDI) platform, the world’s largest vendor-agnostic bug bounty programme.
According to the forthcoming 2025 annual report from automotive security firm VicOne, the total count of automotive-related vulnerabilities (CVEs) published in 2024 reached 530, another annual gain and just two short of twice as many as in 2019. The sharp rise in vulnerabilities highlights the rapid growth in both the automotive attack surface and automotive systems.
The report says the automotive industry must adopt a security-first approach, integrating robust defences, regulatory compliance and collaborative innovations to mitigate risks. Supply-chain vulnerabilities will likely dominate cybersecurity events moving forward, with an increase in ransomware and OTA exploitations, while emerging threats include AI manipulation, cloud-based attacks and sensor data manipulation in autonomous systems.
“As software-defined vehicles (SDVs) reshape the automotive industry, cybersecurity becomes critical to ensuring their safety and reliability,” said Max Cheng, chief executive officer of VicOne. “Platforms like Pwn2Own Automotive are instrumental to uncovering zero-day vulnerabilities and mitigating risks before they can escalate. By supporting initiatives like this, the industry can proactively strengthen vehicle security, paving the way for safer and more resilient advancements in mobility.”
The automotive industry is evolving with innovations such as SDVs, advanced driver-assistance systems (ADAS) and integration of artificial intelligence (AI). These developments promise enhanced functionality and efficiency but also introduce cybersecurity challenges, including risks from generative AI, supply-chain vulnerabilities and over-the-air (OTA) updates.
