Security Affairs
Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation|A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach|Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools|U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|CISA Deploys Anthropic’s Mythos AI to Hunt Vulnerabilities in U.S. Government Code|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation|A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach|Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools|U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|CISA Deploys Anthropic’s Mythos AI to Hunt Vulnerabilities in U.S. Government Code|Critical Gitea Docker Bug Under Active Exploitation Exposes Repositories and Secrets|Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)|Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available|AI-Generated Malware Powers New Armored Likho APT Campaign|Januscape: 16-Year-Old Linux KVM Bug Enables Cloud VM Escape Attacks|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Pwn2Own Automotive 2025 Day 1: organizers awarded $382,750 for 16 zero-days

Trend Micro’s Zero Day Initiative (ZDI) announced that $380K was awarded on Day 1 of Pwn2Own Automotive 2025. Trend Micro’s Zero Day Initiative (ZDI) announced that over $380,000 was awarded on Day 1 of Pwn2Own Automotive 2025, a hacking contest that was held in Tokyo. In total, the organizers awarded $382,750 for 16 unique working […]

Pwn2Own Automotive 2025

Trend Micro’s Zero Day Initiative (ZDI) announced that $380K was awarded on Day 1 of Pwn2Own Automotive 2025.

Trend Micro’s Zero Day Initiative (ZDI) announced that over $380,000 was awarded on Day 1 of Pwn2Own Automotive 2025, a hacking contest that was held in Tokyo.

In total, the organizers awarded $382,750 for 16 unique working zero-day exploits targeting infotainment systems, electric vehicle (EV) chargers, and automotive operating systems. The team fuzzware.io (composed of Tobias Scharnowski (@ScepticCtf), Felix Buchmann (@diff_fusion), and Kristian Covic (@SeTcbPrivilege)) earned $50000 and received 10 Master of Pwn points.

Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) received the biggest reward, $50,000 and 5 Master of Pwn points, for demonstrating a hard-coded cryptographic key bug in the Ubiquiti charger.

The PHP Hooligans also earned $50,000 and 5 Master of Pwn points for demonstrating a heap-based buffer overflow to exploit the Autel charger.

The Synacktiv team chained a stack-based buffer overflow and a known bug in OCPP to exploit the ChargePoint with signal manipulation through the connector. The team earned $47,500 and 4.75 Master of Pwn points.

Rob Blakely and Andres Campuzano of the Technical Debt Collectors exploited Automotive Grade Linux using multiple bugs, earning $33,500 and 3.5 Master of Pwn points despite one known bug.

The complete list of exploits demonstrated on Day 1 of Pwn2Own Automotive 2025 is available here.

Curiously, no attempts were made to demonstrate vulnerabilities in a Tesla vehicle, despite organizers offered a $500,000 reward for an autopilot exploit.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Pwn2Own Automotive 2025)