What happened
Security researchers demonstrated dozens of previously unknown vulnerabilities against automotive systems during Pwn2Own Automotive World 2026 in Tokyo. The report described exploitation of an Autel MaxiCharger AC Elite Home 40A EV charger over near-field communication (NFC), where a researcher triggered a buffer overflow with a simple NFC interaction. Trend AI’s Zero Day Initiative (ZDI) was cited describing 66 unique zero-day vulnerabilities shown in the first two days, with most attempts succeeding; attacks focused on aftermarket in-vehicle infotainment (IVI) systems and EV chargers. Researchers also used Bluetooth as an entry point and, for EV chargers, the charging gun connector as an attack path, including a compromise of an Alpitronic HYC50 Level 3 fast charger. Commentary from Synacktiv-linked researchers and NCC Group emphasized persistent weaknesses in IVI security posture and a lack of defense in depth in these architectures.
Who is affected
Automotive OEMs, suppliers, and operators that run vulnerable IVI platforms or EV charging infrastructure are potentially affected, depending on whether their deployed products match the demonstrated targets. Organizations deploying EV chargers, fleet systems, or vehicle-connected services face indirect exposure through operational technology (OT) networks and connected maintenance pathways.
Why CISOs should care
Automotive and charging ecosystems blend IT and OT, so a successful compromise can translate into safety, uptime, and liability risks. Zero-days in IVI or charger interfaces can become scalable attack primitives, especially where devices are internet-connected, remotely managed, or integrated into enterprise fleet operations.
3 practical actions
- Inventory and segment automotive/charger assets: Identify deployed IVI and EV charger models and isolate management interfaces from general networks.
- Strengthen patch and configuration governance: Require timely firmware updates and validate secure configuration baselines for chargers and infotainment components.
- Monitor for abnormal interface activity: Add detection for unusual NFC/Bluetooth interactions, remote management access anomalies, and unexpected device-to-device communications.
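As an added example (not code from ZDI, Pwn2Own, or any vendor named above), the following Python script applies the inventory, segmentation, and monitoring actions to flow logs: each flow is checked against an assumed asset inventory, an assumed management VLAN that alone may reach the chargers' remote-management ports, and a rule that chargers and IVI units on the OT VLAN must not talk to each other. The subnets, ports, device names, and log lines are all constructed assumptions.

```python
"""Segmentation and inventory checks for EV charger / IVI network traffic.

Added example for this brief, not code from ZDI, Pwn2Own, or any vendor.
Subnets, ports, device names and the flow-log lines below are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed layout: chargers and IVI units sit on an OT VLAN; only hosts on the
# management VLAN may reach their remote-management ports.
OT_SUBNET = ipaddress.ip_network("10.40.0.0/24")
MGMT_SUBNET = ipaddress.ip_network("10.10.0.0/24")
MGMT_PORTS = {22, 443, 8443}  # assumed remote-management ports on the devices

# Constructed asset inventory: IP -> asset tag. Any OT-VLAN address that is not
# listed here is an unknown device.
INVENTORY = {
    "10.40.0.11": "charger-A",
    "10.40.0.12": "charger-B",
    "10.40.0.20": "ivi-testbench",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one line of the constructed 'src=.. dst=.. dport=.. proto=..' format."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(kv["src"], kv["dst"], int(kv["dport"]), kv["proto"])


def check_flow(flow: Flow) -> list[str]:
    """Return policy findings for one flow; an empty list means the flow is allowed."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    findings: list[str] = []

    # Inventory: every endpoint on the OT VLAN must be a known asset.
    for ip in (src, dst):
        if ip in OT_SUBNET and str(ip) not in INVENTORY:
            findings.append(f"unknown OT device {ip}")

    # Segmentation: management ports on OT devices are reachable only from
    # the management VLAN.
    if dst in OT_SUBNET and flow.dport in MGMT_PORTS and src not in MGMT_SUBNET:
        findings.append(
            f"management port {flow.dport}/{flow.proto} on {flow.dst} "
            f"reached from {flow.src} outside the management VLAN"
        )

    # Monitoring: chargers and IVI units should not talk to each other.
    if src in OT_SUBNET and dst in OT_SUBNET:
        findings.append(f"device-to-device traffic {flow.src} -> {flow.dst}")

    return findings


def scan(lines: list[str]) -> dict[str, list[str]]:
    """Return only the flow lines that produced findings, keyed by the line."""
    flagged: dict[str, list[str]] = {}
    for line in lines:
        findings = check_flow(parse_flow(line))
        if findings:
            flagged[line] = findings
    return flagged


# Constructed flow records (not real traffic).
SAMPLE_LOG = [
    "src=10.10.0.5 dst=10.40.0.11 dport=443 proto=tcp",    # admin from mgmt VLAN: allowed
    "src=10.20.0.77 dst=10.40.0.11 dport=22 proto=tcp",    # SSH from office VLAN: flagged
    "src=10.40.0.11 dst=10.40.0.12 dport=502 proto=tcp",   # charger to charger: flagged
    "src=10.40.0.99 dst=203.0.113.9 dport=443 proto=tcp",  # unlisted OT host: flagged
    "src=10.40.0.12 dst=203.0.113.9 dport=443 proto=tcp",  # charger to its backend: allowed
]

if __name__ == "__main__":
    for line, findings in scan(SAMPLE_LOG).items():
        print(line)
        for finding in findings:
            print("  -", finding)
```

Running the script against the constructed log flags three of the five flows: the SSH session from the office VLAN, the charger-to-charger connection, and the unlisted OT host. Feeding real flow records from the charger VLAN's switch or firewall into `scan()` turns the same three rules into a baseline alert for the management-access and device-to-device anomalies the third action calls for.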
