49 security vulnerabilities uncovered in automotive systems

Pwn2Own Automotive 2025 49 security vulnerabilities uncovered in automotive systems

2025-02-05 From Sebastian Gerstl| Translated by AI 2 min Reading Time

Related Vendors

FAULHABER Drive Systems

dataTec AG

Wuxi InfiMotion Technology Co., Ltd.

As part of the Pwn2Own Automotive 2025, a hackathon focused on cybersecurity in automotive systems in Tokyo, security researchers from 13 countries discovered and disclosed a total of 49 new, unique zero-day vulnerabilities in existing automotive systems between January 22 and 25 of this year.

At a security competition as part of the Automotive World trade fair in Tokyo, security researchers uncovered 49 new, previously unknown security vulnerabilities in automotive systems in just three days. The competition underscores the urgency and growing threat of cybersecurity vulnerabilities in increasingly software-defined vehicle systems.(Image: freely licensed / Pixabay) — At a security competition as part of the Automotive World trade fair in Tokyo, security researchers uncovered 49 new, previously unknown security vulnerabilities in automotive systems in just three days. The competition underscores the urgency and growing threat of cybersecurity vulnerabilities in increasingly software-defined vehicle systems.
(Image: freely licensed / Pixabay)

At the world's largest competition to discover zero-day vulnerabilities, 49 security flaws in automotive systems were found. For the Pwn2Own Automotive 2025 contest, held at the Automotive World in Tokyo from January 22-25, 2025, cybersecurity researchers from 13 countries gathered to jointly search for previously unknown zero-day vulnerabilities in systems such as in-vehicle infotainment (IVI) systems or chargers for electric vehicles.

The task for the cybersecurity researchers was to test state-of-the-art automotive technologies under real conditions. The competition was announced as part of the Zero Day Initiative (ZDI) by Trend Micro, the world's largest vendor-independent bug bounty program.

Especially in automotive systems, cybersecurity is a critical issue. While elements such as the software-defined vehicle (SDV) or advanced driver-assistance systems (ADAS) are increasingly coming to the forefront, security vulnerabilities in these systems are becoming more frequently apparent simultaneously. Generative AI or over-the-air updates promise, on the one hand, to provide remedies in these areas or to react faster to newly disclosed vulnerabilities, but on the other hand, they also open up additional potential attack surfaces. The increasingly complex software supply chains also offer a progressively more attractive target for attackers. According to the 2025 annual report of VicOne, a company specializing in automotive security, 530 new Common Vulnerability Exploits (CVEs) were detected in 2024 alone—almost twice as many as in 2019. The annual increase in newly discovered vulnerabilities highlights the rapid growth of both the attack surface and automotive systems.

According to the report, the automotive industry must pursue a security-focused approach that includes robust defense measures, regulatory compliance, and collaborative innovations to mitigate risk. Supply chain vulnerabilities are likely to dominate cybersecurity events in the future, with an increase in ransomware and OTA attacks. New threats such as AI manipulation, cloud-based attacks, and sensor data tampering in autonomous systems must also be closely examined in the future.

(sg)

Subscribe to the newsletter now

Don't Miss out on Our Best Content

Business E-mail

Please enter a valid mailadress.

By clicking on „Subscribe to Newsletter“ I agree to the processing and use of my data according to the consent form (please expand for details) and accept the Terms of Use. For more information, please see our Privacy Policy. The consent declaration relates, among other things, to the sending of editorial newsletters by email and to data matching for marketing purposes with selected advertising partners (e.g., LinkedIn, Google, Meta)

Date: 08.12.2025

Naturally, we always handle your personal data responsibly. Any personal data we receive from you is processed in accordance with applicable data protection legislation. For detailed information please see our privacy policy.

Consent to the use of data for promotional purposes

I hereby consent to Vogel Communications Group GmbH & Co. KG, Max-Planck-Str. 7-9, 97082 Würzburg including any affiliated companies according to §§ 15 et seq. AktG (hereafter: Vogel Communications Group) using my e-mail address to send editorial newsletters. A list of all affiliated companies can be found here

Newsletter content may include all products and services of any companies mentioned above, including for example specialist journals and books, events and fairs as well as event-related products and services, print and digital media offers and services such as additional (editorial) newsletters, raffles, lead campaigns, market research both online and offline, specialist webportals and e-learning offers. In case my personal telephone number has also been collected, it may be used for offers of aforementioned products, for services of the companies mentioned above, and market research purposes.

Additionally, my consent also includes the processing of my email address and telephone number for data matching for marketing purposes with select advertising partners such as LinkedIn, Google, and Meta. For this, Vogel Communications Group may transmit said data in hashed form to the advertising partners who then use said data to determine whether I am also a member of the mentioned advertising partner portals. Vogel Communications Group uses this feature for the purposes of re-targeting (up-selling, cross-selling, and customer loyalty), generating so-called look-alike audiences for acquisition of new customers, and as basis for exclusion for on-going advertising campaigns. Further information can be found in section “data matching for marketing purposes”.

In case I access protected data on Internet portals of Vogel Communications Group including any affiliated companies according to §§ 15 et seq. AktG, I need to provide further data in order to register for the access to such content. In return for this free access to editorial content, my data may be used in accordance with this consent for the purposes stated here. This does not apply to data matching for marketing purposes.

Right of revocation

I understand that I can revoke my consent at will. My revocation does not change the lawfulness of data processing that was conducted based on my consent leading up to my revocation. One option to declare my revocation is to use the contact form found at https://contact.vogel.de. In case I no longer wish to receive certain newsletters, I have subscribed to, I can also click on the unsubscribe link included at the end of a newsletter. Further information regarding my right of revocation and the implementation of it as well as the consequences of my revocation can be found in the data protection declaration, section editorial newsletter.