In this excerpt of a TrendAI Research Services vulnerability report, Richard Chen and Lucas Miller of the TrendAI Research team detail a recently patched double free vulnerability in the Windows Internet Key Exchange (IKE) service. This bug was originally discovered by WARP & MORSE team at Microsoft. Successful exploitation could result in a crash of the IKEEXT service, or potentially arbitrary code execution. The following is a portion of their write-up covering CVE-2026-33824, with a few m
In this excerpt of a TrendAI Research Services vulnerability report, Richard Chen and Lucas Miller of the TrendAI Research team detail a recently patched double free vulnerability in the Windows Internet Key Exchange (IKE) service. This bug was originally discovered byWARP & MORSE team at Microsoft. Successful exploitation could result in a crash of the IKEEXT service, or potentially arbitrary code execution. The following is a portion of their write-up covering CVE-2026-33824, with a few minimal modifications.
A double free vulnerability has been reported in the Windows Internet Key Exchange (IKEv2) service. The vulnerability is due to an error when processing fragments.
An unauthenticated, remote attacker could exploit this vulnerability by sending crafted packets to the target server. Successful exploitation could result in a crash of the IKEEXT service, or potentially arbitrary code execution.
The Vulnerability
Microsoft Windows is an operating system which includes both server and desktop components along with an easy-to-use GUI. All currently supported versions of Windows include Internet Key Exchange Protocol Extensions to support the Virtual Private Network (VPN) feature.
The VPN feature of Windows encrypts communication between hosts. ISAKMP is a negotiation protocol used by IPsec-enabled hosts to build a security association. It uses the Internet Key Exchange (IKE) Protocol in order to negotiate keys for encrypted communication. IKE has two versions: IKEv1 and IKEv2. IKE version 1 (IKEv1) and version 2 (IKEv2) messages have the following general format:
The type of payload is determined by the Next Payload header of the previous payload, or the Next Payload field in the header (in the case of the first payload).
IKEv2 supports message fragmentation as defined in RFC 7383. When IKEv2 messages exceed the path MTU, they may be split into multiple Encrypted Fragment payloads. Of interest to this report is the Encrypted Fragment (SKF) payload (type 0x35). The SKF payload format is defined as:
When an IKEv2 implementation receives fragments, it inserts each fragment into an ordered list and reassembles them once all fragments have been received. In the Windows implementation, the function IkeReinjectReassembledPacket() performs this reassembly.
A double-free vulnerability has been reported in the Windows IKE Extension library (ikeext.dll). The vulnerability is due to improper ownership handling of a heap-allocated blob pointer during IKEv2 fragment reassembly. During the IKE_SA_INIT exchange, a Security Realm Vendor ID payload causes IkeHandleSecurityRealmVendorId() to allocate a blob and store it in the MMSA (Main Mode Security Association) structure at offset 0x208. When a fragmented IKE_AUTH message is fully reassembled, IkeReinjectReassembledPacket copies MMSA fields at offsets 0x178 through 0x21F - including the blob pointer at 0x208 - into a local stack struct. This struct is then passed to IkeQueueRecvRequest, which shallow-copies it into a heap-allocated work item. While IkeQueueRecvRequest deep-copies the reassembly buffer at offset 0x10 in the struct, the Security Realm blob pointer at offset 0xC8 remains a shallow copy, aliasing the original at MMSA+0x208.
When the thread pool processes the queued work item, IkeDestroyPacketContext checks the blob pointer at offset 0xC8 and calls WfpMemFree to release it (first free). The MMSA structure still holds the original pointer to the same allocation at offset 0x208. When the MMSA is subsequently cleaned up through IkeCleanupMMNegotiation, the SA reference count is decremented via IkeDerefMMSA, eventually triggering IkeFreeMMSA, which frees the blob pointer at MMSA offset 0x208 - the same allocation already freed by IkeDestroyPacketContext (second free).
A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted IKE_SA_INIT message followed by two or more Encrypted Fragment (SKF) payloads containing an invalid IKE_AUTH message to the target server. The fragment reassembly path will shallow-copy the blob pointers, and the subsequent MMSA cleanup will trigger the double free. Successful exploitation could result in arbitrary code execution under the security context of the IKEEXT service (SYSTEM).
Source Code Walkthrough
The following code snippets were taken from IKEEXT.DLL file version 10.0.20348.2849 and decompiled with IDA Pro version 8.3. Comments added by TrendAI have been highlighted.
Detection Guidance
To detect an attack exploiting this vulnerability, the detection device must monitor and parse traffic on UDP ports 500 and 4500. The IKE general format, Payloads field, and the Encrypted Fragment (SKF) payload format can be seen above.
The detection device should monitor all incoming IKE traffic. Detection requires correlating two packets within the same IKE session: an IKE_SA_INIT request carrying the Microsoft Security Realm Vendor ID, followed by a fragmented IKE_AUTH request. Neither packet alone is malicious; both must be observed in sequence from the same source.
IKE_SA_INIT
At byte offset 17 of the UDP payload, the device should check for the three-byte sequence 20 22 08, which corresponds to the IKEv2 version identifier (0x20), the IKE_SA_INIT exchange type (0x22), and the Initiator flag (0x08). The device should then scan the remainder of the packet for the 16-byte sequence 68 6a 8c bd fe 63 4b 40 51 46 fb 2b af 33 e9 e8, which is the Microsoft Security Realm Vendor ID. If both conditions are met, the device should follow the guidance below.
IKE_AUTH
For subsequent packets from the same source, the device should check bytes at offset 16 through 23 of the UDP payload. At offset 16, the four-byte sequence 35 20 23 08 identifies an Encrypted Fragment payload (SKF, type 0x35), IKEv2 version (0x20), IKE_AUTH exchange type (0x23), and Initiator flag (0x08). If found, the detection device should inspect offset 20 and search for the four-byte sequence00 00 00 01. If found the traffic should be considered malicious; an attack exploiting this vulnerability is likely underway.
Notes • All multi-byte values should be treated as big endian. • When detecting traffic on port 4500, IKE packets are prepended by a 4-byte non-ESP marker (\x00\x00\x00\x00), shifting all IKE header content offsets by 4.
Conclusion
This vulnerability was patched by Microsoft in the April 2026 release cycle. They do note two mitigations that could prevent exploitation while the patch is being tested and deployed.
· Block inbound traffic on UDP ports 500 and 4500 for systems that do not use IKE.
· For systems that require IKE, configure firewall rules to allow inbound traffic on UDP ports 500 and 4500 only from known peer addresses.
These mitigations may be removed once the security patch is applied. The only way to fully remediate the vulnerability is to apply the update from the vendor.
Special thanks to Richard Chen and Lucas Miller of the TrendAI Research team for providing such a thorough analysis of this vulnerability. For an overview of TrendAI Research services please visit https://go.trendmicro.com/tis/vulnerabilities.html.
The threat research team will be back with other great vulnerability analysis reports in the future. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.
In September of 2024, ZDI received a vulnerability submission from an anonymous researcher affecting npm CLI that revealed a fundamental design issue in Node.js. This blog details how it continues to expose applications to local privilege escalation (LPE) attacks on Windows systems, including the Discord desktop app (CVE-2026-0776 0-Day), which remains unpatched and vulnerable.
The issue is straightforward: when Node.js resolves modules, the runtime searches for pac
In September of 2024, ZDI received a vulnerability submission from an anonymous researcher affecting npm CLI that revealed a fundamental design issue in Node.js. This blog details how it continues to expose applications to local privilege escalation (LPE) attacks on Windows systems, including the Discord desktop app (CVE-2026-0776 0-Day), which remains unpatched and vulnerable.
The issue is straightforward: when Node.js resolves modules, the runtime searches for packages in C:\node_modules as part of its default behavior. Since low-privileged Windows users can create this directory and plant malicious modules there, any Node.js application with missing or optional dependencies becomes vulnerable to privilege escalation.
This issue is not new. Concerned discussions about Node.js's module search path behavior date back to 2013 and 2014.
Node.js has explicitly stated that they consider this behavior intentional:
"Node.js trusts the file system."
They do not treat CWE-427 (Uncontrolled Search Path Element) as a vulnerability, pushing responsibility onto application developers.
Figure 1: The vendor’s security policy stance on CWE-427 as a non-issue
As the case studies below demonstrate, this stance has dangerous consequences. Developers are largely unaware of this attack surface, and the result is a proliferation of exploitable applications. We will show examples in npm CLI and Discord, but there are likely many more applications that are impacted by this.
Root Cause
The root cause lies in the way Node.js performs module resolution. This is documented here. Although UNIX paths are used in the documentation provided by Node.js, the same logic is applied on Windows.
When a Node.js application calls require(‘bar’), the runtime searches for the module in the following order:
If the legitimate package is missing, whether due to optional dependencies, development packages removed in production, or installation failures, the resolution search will eventually reach the root of the drive. Any user can create C:\node_modules and place a malicious package there. Once the low-privileged user has populated C:\node_modules\bar.js, Node.js will load and execute it in the context of the current user. In the following case studies, we will provide evidence of how, despite properly following NPM’s guidelines, third-party dependencies end up triggering this vulnerability anytime you launch the application.
Case Studies: Real-World Manifestations
The Optional Dependency Pattern:
npm supports optional dependencies to be specified in the project’s package.json file. The recommended pattern for checking for these dependencies is as follows:
Figure 2: npm Docs showing optionalDependencies example code
This pattern silently catches errors when optional packages are missing, allowing execution to continue. So what’s the problem? On Windows, Node.js will search all the way up to C:\node_modules where an attacker may have planted a malicious replacement. This search behavior mirrors UNIX conventions where /node_modules at the filesystem root is typically only writable by root. Windows systems by default allow any user to create C:\node_modules. Once require is called, Node.js will traverse the search path and execute any matching module it finds.
Important things to note:
This pattern can be found in third party libraries deep in a dependency tree, as we will see in the following examples.
There is no runtime indication to either the developers or the end users that such a vulnerability exists without looking at the filesystem logs with Procmon.
The optional dependency pattern itself would not be dangerous if Node.js did not search for packages in C:\node_modules.
Let’s take a deeper look at both cases and see why this is so dangerous.
Case 1: npm CLI (ZDI-26-043 / ZDI-CAN-25430 / CVE-2026-0775).
Prior to version 11.2.0, npm CLI used a library called “promise-inflight”, which contained an optional dependency on a package called “bluebird”.
When Node.js is installed on the system, npm is included by default without the bluebird package. This vulnerability was introduced when bluebird was removed through a well-intentioned pull request (https://github.com/npm/cli/pull/1438/changes), demonstrating how easy it is for developers to unknowingly create this attack surface.
We can see Node’s package resolution logic at work in the screenshot below:
Figure 4: Procmon log showing the package resolution behavior of Node.js via CVE-2026-0775
First, the application looks for the bluebird.js package in the Node.js installation directory. Node.js sequentially searches back to the system root until it finds the package. If an attacker has placed C:\node_modules\bluebird.js, the require call will find, read, and execute the malicious payload in the context of any user running npm on the system.
This vulnerability is especially dangerous because it is triggered when many npm * cli commands are used. Common development commands such as npm install, npm –l, and npm prune will all execute the malicious bluebird.jspackage.
Case 2: Discord (ZDI-26-040/ ZDI-CAN-27057 / CVE-2026-0776/ UNPATCHED)
On April 22, 2025, ZDI received a report for a similar vulnerability in Discord reported by T. Doğa Gelişli. Discord uses the ws WebSocket library, which contains an optional dependency on utf-8-validate for compatibility with older Node.js versions:
Discord does not ship with the utf-8-validate package. As a result, the following Procmon logs show the same behavior as Case 1. Anytime Discord is launched, the attacker controlled C:\node_modules\utf-8-validate.js is executed.
Figure 6: Procmon log showing the package resolution behavior of Node.js via CVE-2026-0776
The ws library does support disabling this check via the WS_NO_UTF_8_VALIDATE environment variable, but this requires the consuming application (Discord) to set it explicitly. Here’s a quick video demonstrating the bug by popping the calc app when opening Discord:
Discord automatically opens on login by default, so in practice code execution happens immediately without any user interaction. Strangely, the Discord Security team made it clear to us in their responses that they do not consider local attack vectors as valid security issues.
The Bigger Picture
The cases above represent only a few of the applications affected by this pattern. During our investigation we found many other independent reports. These issues in Mongo DB Compass and Mongo DB Shell are just two other examples.
Every Windows application built on Node.js with missing or optional dependencies is potentially vulnerable. This includes desktop applications that utilize Electron as well as popular web frameworks such as Next.js and React.
Each vendor has clearly stated that they will not treat these issues as vulnerabilities:
NPM’s response to our report:
“exploits that require local access to a machine are considered ineligible for npm CLI
Discord’s response to our report:
“We do not consider physical/local attacks as valid security issues”
Node.js, in the “Examples of non-vulnerabilities” section of their Security Policy:
“Node.js trusts the file system in the environment accessible to it. Therefore, it is not a vulnerability if it accesses/loads files from any path that is accessible to it.”
Conclusion
The vulnerability pattern described in this blog stems from a deliberate design decision by Node.js maintainers. While Node.js's position that “applications should trust their filesystem” may hold true on properly administered UNIX systems, it creates a systemic vulnerability on Windows where low-privileged users can write to C:\node_modules. Without a fix from Node.js, the burden silently falls on application developers.
Making matters worse, the vulnerable code may not live in the application code itself. The optional dependencies that trigger this behavior could come from third-party libraries buried in the dependency tree as we saw with both Discord and npm CLI.
We encourage security researchers to further review this issue and investigate other applications for this dangerous behavior. You can find us online at @bobbygould5 and @izobashi, and follow the team on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.
DISCLOSURE TIMELINES
NPM CLI:
2024-11-13 – ZDI submitted the report to the vendor
2024-11-13 – The vendor acknowledged the receipt of the report
2024-11-13 – The vendor communicated that the reported behavior was by design and they do not consider local attacks as valid security issues
2025-08-05 – ZDI encouraged the vendor to re-assess the issue
2025-12-18 – ZDI notified the vendor of the intention to publish the case as a 0-day advisory
DISCORD:
2025-07-08 – ZDI notified vendor
2025-09-11 – ZDI followed up with vendor
2025-09-15 – Vendor stated they do not consider local attacks as valid security issues
2025-12-01 – ZDI explained why we believe the issue is still valid
2025-12-10 – Vendor replied that the vulnerability is still out of scope
2025-12-11 – ZDI informed vendor of intent to publish 0-day
In our recent report, Beyond the Black Box, we found a striking gap: 80% of executives believe their organizations have strong security coverage for AI systems. Only about 40% of AppSec practitioners agree.
Related: AI moves mainstream
That’s not … (more…)
The post GUEST ESSAY: Executives trust AI security even as security teams confront blind spots, new risks first appeared on The Last Watchdog.
The post GUEST ESSAY: Executives trust AI security even as security teams confront blind spots, new
In our recent report, Beyond the Black Box, we found a striking gap: 80% of executives believe their organizations have strong security coverage for AI systems. Only about 40% of AppSec practitioners agree.
If you just want to read the contest rules, click here. Willkommen zurück, meine Damen und Herren, zu unserem zweiten Wettbewerb in Berlin! That’s correct (if Google translate didn’t steer me wrong). After our inaugural competition last year, Pwn2Own returns to Berlin and OffensiveCon. Outside of our shipping troubles, we had an amazing time and can’t wait to get back.Last year, we added Artificial Intelligence as a category with great results. This year, we’re expanding this and splitting it in
If you just want to read the contest rules, click here.
Willkommen zurück, meine Damen und Herren, zu unserem zweiten Wettbewerb in Berlin! That’s correct (if Google translate didn’t steer me wrong). After our inaugural competition last year, Pwn2Own returns to Berlin and OffensiveCon. Outside of our shipping troubles, we had an amazing time and can’t wait to get back.
Last year, we added Artificial Intelligence as a category with great results. This year, we’re expanding this and splitting it into multiple different categories: AI Databases, Coding Agents, Local Inferences, and a separate category for NVIDIA products. In last year’s contest, NVIDIA targets had wins, losses, and collisions, so it will be interesting to see how they fare this year. The folks from AWS wanted to get into the fray as well, so they stepped up to co-sponsor this year’s event, which allows us to increase the reward for bugs in Firecracker. Of course, we have all of the returning categories as well, including web browsers, containers, servers, virtualization, and operating systems. There’s more than $1,000,000 in cash and prizes available for contestants. Last year, we awarded $1,078,750 for 28 unique 0-days over the three-day event. We’ll see if we can eclipse those numbers in 2026.
The contest begins on May 14, but registration closes on May 7, so don’t delay in getting those submissions in. We’re hoping for maximum participation, so set aside your vibe coding and show us what you can really do. We’re looking forward to some cutting-edge exploitation on display. For 2026, we have a total of 31 targets across 10 categories. Here is a full list of the categories for this year’s event:
Of course, no Pwn2Own competition would be complete without us crowning a Master of Pwn (Meister von Pwn?). Since the order of the contest is decided by a random draw, contestants with an unlucky draw could still demonstrate fantastic research but receive less money since subsequent rounds go down in value. However, the points awarded for each unique, successful entry do not go down. Someone could have a bad draw and still accumulate the most points. The person or team with the most points at the end of the contest will be crowned Master of Pwn, receive 65,000 ZDI reward points (enough for Platinum status), a killer trophy, and a prettysnazzyjacket to boot.
Let's look at the details of the rules for this year's event.
Virtualization Category
Some of the highlights for each contest can be found in the Virtualization Category, and we’re thrilled to see what this year’s event could bring with it. As usual, VMware is the main highlight of this category as we’ll have VMware ESXi return with an award of $150,000. Last year produced the first ESXi exploits in Pwn2Own history, so it will be interesting to see if we get more. Microsoft also returns as a target and leads the virtualization category with a $250,000 award for a successful Hyper-V Client guest-to-host escalation. Kernel-based Virtual Machine (KVM) is our final target in this category with a prize of $50,000.
There’s an add-on bonus in this category as well. If a contestant can escape the guest OS, then gain arbitrary code execution on the virtualization target and obtain arbitrary code execution in the guest operating system on a separate virtual machine managed by the same targeted virtualization target, they’ll earn another $50,000. That could push the payout on a ESXi bug to $200,000. This bonus is for KVM and ESXi only. Here’s a detailed look at the targets and available payouts in the Virtualization category:
While browsers are the “traditional” Pwn2Own target, we’re continuously tweaking the targets in this category to ensure they remain relevant. We re-introduced renderer-only exploits a couple of years ago, and this year, we’ve increased the award to $75,000. In fact, we’ve increased the awards across the board for this category. Here’s a detailed look at the targets and available payouts:
Enterprise applications return as targets with Adobe Reader and various Office components on the target list once again. Attempts in this category must be launched from the target under test. For example, launching the target under test from the command line is not allowed. Prizes in this category run from $50,000 for a Reader exploit with a sandbox escape or a Reader exploit with a kernel privilege escalation, and $150,000 for an Office 365 application. Word, Excel, and PowerPoint are all valid targets. Microsoft Office-based targets will have Protected View enabled where applicable. Adobe Reader will have Protected Mode enabled where applicable.
This year, we’re adding a bonus for Copilot data exfiltration and Copilot action execution. Microsoft just patched a bug like this in Excel, so we know they are out there. If you’re able to exploit Copilot in addition to a Microsoft application, you’ll earn an additional $50,000. There are quite a few rules and scenarios around this add-on, so be sure to read the rules carefully and contact us with questions. Here’s a detailed view of the targets and payouts in the Enterprise Application category:
The Server Category for 2026 focuses solely on the server components we’re most interested in. These servers are often targeted by everyone from ransomware crews to nation/state actors, so we know there are exploits out there for them. The only question is whether we’ll see any of the competitors bring one of those exploits to Pwn2Own. Last year, the bugs demonstrated in SharePoint ended up being exploited in the wild, so we know people are looking for these with great interest. Microsoft Exchange has been a popular target for some time, and it returns as a target this year as well, with a payout of $200,000. This category is rounded out by Microsoft Windows RDP/RDS, which also has a payout of $200,000. Here’s a detailed look at the targets and payouts in the Server category:
This category is a classic for Pwn2Own and focuses on attacks that originate from a standard user and result in executing code as a high-privileged user. A successful entry in this category must leverage a kernel vulnerability to escalate privileges. Red Hat Enterprise Linux for Workstations returns as our Linux-based target, while Apple macOS, and Microsoft Windows 11 return as targets in this category. Prior exploits in this category have won Pwnie awards, so they’re always interesting to see. Here’s a detailed look at the targets and payouts in this category:
We’re excited to have this category return for its third season, and we’re hopeful that even more contestants will target one of these container targets. For an attempt to be ruled a success against these three, the exploit must be launched from within the guest container/microVM and execute arbitrary code on the host operating system. Again, with help from AWS, Firecracker returns as a target with a prize of $100,000. Here are the targets and payouts for this category:
In the past, AI Hackathons have focused on using AI to develop vulnerabilities or other offensive frameworks. We’re opening up the models and various components themselves for exploitation. The first AI sub-category focuses on databases. An attempt in this category must be launched from the contestant’s laptop. Here’s a look at the targets and awards in the AI Database category:
Let’s face it. At some point or another, we’ve probably all vibe coded something. There’s no shame in that, but how secure are the tools we use for vibe coding? Well, let’s take the most popular choices and find out. A successful entry must interact with a contestant-controlled resource (e.g. web page, repository, media file) to exploit a vulnerability within the coding agent. The attack vector of the entry must be a common coding agent use case. There are few things out of scope here as well. UI spoofing or misrepresentation unrelated to permission prompts, model jailbreaks or prompt outputs that do not cross security boundaries, and vulnerabilities that require unsafe or permission-less modes are just a few of the things not allowed. As this is a new category, please read the rules carefully to ensure your entry qualifies. Here’s a look at the targets and awards in the AI Coding Agent category:
We couldn’t leave local inference and LLMs out of Pwn2Own. These products claim to provide enhanced data privacy, zero-cost inference, lower latency, and fully offline functionality. We’ll see how the security stacks up. An attempt in this category must be launched from the contestant’s laptop within the contest network. Here are the targets and payouts for the Local Inference category:
Our last AI sub-category focuses solely on NVIDIA products. For network accessible targets, an attempt must be launched from the contestant's laptop within the contest network. For NV Container Toolkit, the attempt must be launched from within a crafted container image and execute arbitrary code on the host operating system. For Megatron Bridge, entries that leverage vulnerabilities pertaining to pickle deserialization or that leverage a vulnerability when “trust_remote_code=true” are out of scope. Here are the targets and payouts for the NVIDIA category:
The complete rules for Pwn2Own Berlin 2026 are found here. As always, we highly encourage entrants to read the rules thoroughly if they choose to participate. If you are thinking about participating but have specific configuration or rule-related questions, email us. Questions asked over X (nee Twitter), BlueSky, or other means will not be answered. Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at pwn2own@trendmicro.com to begin the registration process. Registration for onsite participation closes at 5 p.m. Central European Time on May 7, 2026.
Be sure to stay tuned to this blog and follow us on Twitter, Mastodon, LinkedIn, or Bluesky for the latest information and updates about the contest. We look forward to seeing everyone in Germany, and we hope to see some of the best in the world show what they can do – vibe coded or not.
With special thanks to our Pwn2Own Berlin 2026 partners AWS, for providing their expertise and technology.
I am back in the friendly confines of the Mid-South headquarters of TrendAI ZDI (a.k.a. my home office), and am all set for the third patch Tuesday of 2026. Take a break from your regularly scheduled activities and let’s take a look at the latest security patches from Adobe and Microsoft.If you’d rather watch the full video recap covering the entire release, you can check it out here:
Ad
I am back in the friendly confines of the Mid-South headquarters of TrendAI ZDI (a.k.a. my home office), and am all set for the third patch Tuesday of 2026. Take a break from your regularly scheduled activities and let’s take a look at the latest security patches from Adobe and Microsoft.If you’d rather watch the full video recap covering the entire release, you can check it out here:
Adobe Patches for March 2026
For March, Adobe released eight bulletins addressing 80 unique CVEs in Adobe Acrobat Reader, Commerce, Illustrator, Substance 3D Painter, Premier Pro, Experience Manager, Substance 3D Stager, and the Adobe DNG Software Development Kit (SDK). Two of these bugs were submitted through the TrendAI ZDI program. If you need to prioritize, the update for Acrobat likely has the most impact, with the patch fixing two Critical-rated and one Important bugs. The fix for Experience Manager is the largest this month with 33 CVEs addressed. However, these are simple cross-site scripting (XSS) bugs, so it’s not too exciting. The fix for Commerce is also quite large with 19 CVEs. Most of these are also XSS bugs, but there’s a few security feature bypass bugs in there, too. Adobe actually gives this patch a deployment priority of 2, but it’s not under active attack at the time of release.
The fix for Illustrator corrects seven bugs, including a few Critical-rated ones. The patch for Substance 3D Painter fixes nine different CVEs, all rated Important. That’s not the case for Substance 3D Stager, which fixes six different Critical bugs that could lead to arbitrary code execution. The patch for the Adobe DNG Software Development Kit (SDK) addresses one Critical and one Important bug. Finally, the update for Premiere Pro correct a single, Critical-rated bug that could lead to arbitrary code execution.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release, and beyond the update for Commerce, all of the other updates released by Adobe this month are listed as deployment priority 3.
Microsoft Patches for March 2026
This month, Microsoft released 84 new CVEs in Windows and Windows components, Office and Office Components, Microsoft Edge (Chromium-based), Azure, SQL Server, Hyper-V Server, and the Windows Resilient File System (ReFS). Counting the third-party and Chromium updates listed in the release, it brings to total number of CVEs to 94. Five of these bugs were reported through the TrendAI ZDI program. Eight of these bugs are rated Critical, and the rest are rated Important in severity.
This volume is relatively typical for a March release, and the lack of bugs under active attack is a nice change from last month. There are two vulnerabilities listed as publicly known at the time of release, but none listed as actively exploited.
Let’s take a closer look at some of the more interesting updates for this month, starting with a bug with an AI slant:
- CVE-2026-26144 - Microsoft Excel Information Disclosure Vulnerability This is a fascinating bug and an attack scenario we’re likely to see more often. The vulnerability is a simple cross-site scripting (XSS) bug in Excel, but an attacker could use it to cause the Copilot Agent to exfiltrate data off the target. This essentially makes it a zero-click information disclosure. Although not stated, the disclosure is likely at the level of the logged-on user, so there isn’t a privilege escalation component. Info disclosures rarely get rated Critical, but it makes sense here.
- CVE-2026-26110/CVE-2026-26113 - Microsoft Office Remote Code Execution Vulnerability Another month and another pair of Office bugs where the Preview Pane is an exploit vector. I’ve lost count of how many of these bugs have been patched over the last year, but it’s just a matter of time until they start appearing in active exploits. The latest versions of Outlook allow you to hide the Preview Pane, but it isn’t clear if this would mitigate these attacks. The best option is still to test and deploy the update, but considering how many of these patches exist, it’s likely further updates will be needed to fully address these issues.
- CVE-2026-23669 - Windows Print Spooler Remote Code Execution Vulnerability Just reading the title makes me twitch with remembrances of Print Nightmare from a few years ago. This bug works in the same manner as those exploits. An authenticated attacker sends specially crafted messages to an affected system to gain arbitrary code execution. No user interaction is required. Let’s hope we don’t end up in a new nightmare of spooler exploits. Test and deploy this one quickly.
- CVE-2026-23668 - Windows Graphics Component Elevation of Privilege Vulnerability This vulnerability was submitted to the ZDI program by Marcin Wiązowski as two separate bugs, and it demonstrates the need for variant investigations when creating security patches. Both cases are caused by the lack of proper locking when performing operations on an object. However, in one case, it’s in the cdd.dll driver while the other is in the win32kfull driver. Either way, an attacker could use these to elevate privileges to SYSTEM and execute arbitrary code. Since the fix for both is to add object locking to the GDI object, the cases are combined into a single CVE. That’s not a problem, but it does show how variants can occur, and fixes should be as broad as possible.
Here’s the full list of CVEs released by Microsoft for March 2026:
Chromium: CVE-2026-3545 Insufficient data
validation in Navigation
High
N/A
No
No
RCE
* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.
† Indicates further administrative actions are required to fully address the vulnerability.
Looking at the other Critical-rated bugs in this month’s release, they are all cloud-native and require no user action. Microsoft has already remediated the vulnerabilities.
Moving on to the other code execution bugs, the vulnerabilities in SharePoint Server pop out first. Both require authentication, but it’s essentially the lowest level of authentication, so these would be ideal cases for lateral movement within an enterprise. There are the standard open-and-own cases within Office components. There an interesting sounding bug in the Windows Mobile Broadband Driver that requires physical access, but Microsoft doesn’t elaborate on the attack scenario beyond that fact. The bug in the System Image Manager Assessment and Deployment Kit (ADK) requires authentication. The bug in GDI requires user interaction. The remaining code execution bugs are in the RRAS protocol. We’ve seen bugs in this component in the past, but never in the wild. I wouldn’t ignore these, but I wouldn’t rush them out either.
Similar to last month, updates for Elevation of Privilege (EoP) bugs make up nearly half of this month’s release. And as we saw last month, but most simply lead to local attackers executing their code at SYSTEM-level privileges or administrative privileges. The bugs in SQL Server allow attackers to elevate to SQL sysadmin privileges. The bug in the Azure MCP Server is more complex. It allows attackers to obtain the permissions associated with the MCP Server’s managed identity, which lets them perform actions that the managed identity is able to reach. The bug in the Azure AD SSH Login extension for Linux leads to root access, and it won’t be easy to patch. You’ll need to run the update instructions from the command line on each affected system. That’s the same case for the bug in the Linux Azure Diagnostic extension (LAD). There’s an odd bug in the Hybrid Worker Extension (Arc‑enabled Windows VMs) that leads to “ELEVATED” privileges, which is something I’ve never seen before. The bug in the Broadcast DVR component allows an attacker to go from low integrity level up to medium. There’s a bug listed as an EoP in the Push message Routing Service, but reading the description, Microsoft notes it could lead to an information disclosure. It’s likely this is an error and should be an Information Disclosure bug. The final EoP is in the Azure Portal Windows Admin Center and leads to SYSTEM. However, there’s no patch to remediate this bug. Instead, you need to install the latest version of the Windows Admin Center extension through the Azure Portal by hand.
There are two security feature bypass patches in the March release. The first is a bypass of the MapURLToZone method, which (as expected) allows attackers to bypass MapURLToZone protections. The third bypass is in Kerberos and could allow an attacker to either view some sensitive information or make changes to “disclosed” information. This is a race condition that occurs while the group policy is being reapplied, so the window to exploit this would be extremely small.
Looking at the remaining info disclosure bugs getting patched this month, only two result in info leaks consisting of unspecified memory contents or memory addresses. Ther others provide more interesting results. There are three bugs in the Azure IoT Explorer have some wide-ranging implications. According to Microsoft, exploitation could result in, “device connection information, authentication tokens, request data, file paths, and other information transmitted between the application and the IoT Hub.” The bug in Authenticator almost reads like a security feature bypass, as exploit results in the disclosure of a one‑time sign‑in code or authentication deep link. The attacker would receive the sign‑in information and could potentially use it to authenticate as the user, allowing access to information or services available to that account. The last info disclosure bug is in the Accessibility Infrastructure and allows an attacker to gain secrets or privileged information belonging to the user of the affected application.
There are only four spoofing bugs in the March release. The first is in SharePoint server and manifests as an XSS. The second bug is a Server-Side Request Forgery (SSRF) in the Azure IoT Explorer. The remaining two are a bit more cryptic. The bug in Windows Shell Link Processing results from the “exposure of sensitive information to an unauthorized actor,” and could lead to spoofing. That sounds like credential exposure, but it’s not explicitly called out. The final spoofing bug results from the insufficient verification of data authenticity in Windows App Installer. Again, this sounds vaguely like credential reflection, but without further information, we can only speculate.
Finally, there are four denial-of-service (DoS) bugs in the release, including one that’s listed as publicly known in the .NET Framework. As usual, Microsoft provides no actionable information about these bugs.
No new advisories are being released this month.
Looking Ahead
I plan on being at RSA for the first time in my career, so if you’re around, please stop by and say hello. I like it when people say hello. Otherwise, I’ll be back on April 14 with my assessment of that patch Tuesday release. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!
In this excerpt of a TrendAI Research Services vulnerability report, Nikolai Skliarenko and Yazhi Wang of the TrendAI Research team detail a recently patched command injection vulnerability in the Windows Notepad application. This bug was originally discovered by Cristian Papa and Alasdair Gorniak of Delta Obscura. Successful exploitation of this vulnerability could result in the execution of arbitrary commands in the security context of the victim's account. The following is a portion of their
In this excerpt of a TrendAI Research Services vulnerability report, Nikolai Skliarenko and Yazhi Wang of the TrendAI Research team detail a recently patched command injection vulnerability in the Windows Notepad application. This bug was originally discovered byCristian Papa and Alasdair Gorniak of Delta Obscura. Successful exploitation of this vulnerability could result in the execution of arbitrary commands in the security context of the victim's account. The following is a portion of their write-up covering CVE-2026-20841, with a few minimal modifications.
A remote code execution vulnerability has been reported in Microsoft Windows Notepad. The vulnerability is due to improper validation of links in Markdown files.
A remote attacker could exploit this vulnerability by enticing the victim to download and interact with a malicious file. Successful exploitation of this vulnerability could result in the execution of arbitrary commands in the security context of the victim's account.
The Vulnerability
Microsoft Windows comes with a default text-editing application called Windows Notepad. Historically, this application offered only minimal editing features. However, modern versions of Windows include an improved and extended Notepad by default. This new version supports multiple file formats, Markdown rendering, and Copilot-enhanced features.
Markdown is a lightweight markup language that allows users to create formatted text using a simple syntax. It is widely used for writing documents, blog posts, and README files. It supports a wide range of formatting options, including (but not limited to) headers, styled text, numbered and bulleted lists, and links. Markdown supports two main link formats: standard and inline. The standard link format is:
[link-name](link/path)
When rendered, only the link text ("link-name") is shown to the user.
The inline links use the following format:
<link/path>
When rendered, they are transformed into the equivalent standard link:
[link/path](link/path)
A remote code execution vulnerability has been reported in Microsoft Windows Notepad. The vulnerability is due to improper validation of links when handling Markdown files.
When Notepad opens a file, if the application detects that the file requires special rendering (in this case, Markdown), the input file is tokenized. Tokenization in this context means splitting the raw file text into a sequence of small, recognizable pieces ("tokens") that the renderer can process one by one. Detection is performed based on the file extension. Only the ".md" extension was found to trigger Markdown rendering, as the application uses a fixed string comparison to determine whether Markdown should be rendered by calling sub_1400ED5D0(). Markdown files are rendered token by token.
Function sub_140170F60() handles clicking on links in Markdown files. It filters the link value, and passes it to ShellExecuteExW() call.
The filtering performed on the link is found to be insufficient, as it allows using malicious crafted protocol URIs, such as "file://" and "ms-appinstaller://", to execute arbitrary files in the security context of victim. ShellExecuteExW() uses the configured protocol handlers and may expose additional exploitable protocols depending on the system configuration.
A remote attacker could exploit this vulnerability by enticing the victim to download a malicious crafted Markdown file, open it, and click on a malicious link. Successful exploitation of this vulnerability could result in the execution of arbitrary commands in the security context of the victim's account.
Notes • Files using the ".md" file extension are not registered to be opened by Notepad by default. However, when opened manually in Notepad, they are rendered as Markdown, which allows the vulnerability to be triggered. • Any "\\" sequences are converted to "\" in the attacker-controlled link path prior to passing it to the ShellExecuteExW() call.
Source Code Walkthrough
The following code snippet was taken from Notepad.exe version 11.2508. Comments added by TrendAI researchers have been highlighted.
In sub_140170F60():
Detection Guidance
To detect an attack exploiting this vulnerability, the detection device must monitor and parse traffic on the following application protocols that can be used to deliver an attack to exploit this vulnerability: • FTP, over ports 21/TCP, 20/TCP • HTTP, over port 80/TCP • HTTPS, over port 443/TCP • IMAP, over port 143/TCP • NFS, over ports 2049/TCP, 2049/UDP, 111/TCP, 111/UDP • POP3, over port 110/TCP • SMTP, over ports 25/TCP, 587/TCP • SMB/CIFS, over ports 139/TCP, 445/TCP
The detection device must inspect traffic transferring a Markdown file with the file extension ".md". If such a file transfer is found, the detection device must search the file content for links.
The detection device must check whether the link paths contain the strings "file:" or "ms-appinstaller:".
If "file:" was found, the detection device must search the Markdown file contents using the following case-insensitive regular expression:
(\x3C|\[[^\x5d]+\]\()file:(\x2f|\x5c\x5c){4}
If "ms-appinstaller:" was found, the detection device must search the Markdown file contents using the following case-insensitive regular expression:
If any of the regular expressions matches, the link contains a path to a remote resource. The traffic must be considered malicious; an attack exploiting this vulnerability is likely underway. This guidance should also detect the public PoC that was recently posted on GitHub.
Notes
• The string matches are case-insensitive. • The detection guidance is based on the vendor-provided patch. However, the patch restricts the links to local-only files and HTTP(S) URIs, which may result in a huge number of false positives. Because of that, the detection guidance focuses on formats that may access and execute remote files. Due to that, it may result in false negatives. • The vulnerable function uses the configured protocol handlers and may expose additional exploitable protocols depending on the system configuration.
Conclusion
This vulnerability was patched by Microsoft in the February 2026 release cycle. They note no workarounds but do list user interaction as a prerequisite to exploitation. To fully remediate the vulnerability, the proper action is to test and deploy the provided vendor patch.
Special thanks to Nikolai Skliarenko and Yazhi Wang of the TrendAI Research team for providing such a thorough analysis of this vulnerability. For an overview of TrendAI Research services please visit https://go.trendmicro.com/tis/vulnerabilities.html.
The threat research team will be back with other great vulnerability analysis reports in the future. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.
I have survived the biggest Pwn2Own ever, but I’m back in Tokyo for the second Patch Tuesday of 2026. My location never stops Patch Tuesday from coming, so let’s take a look at the latest security patches from Adobe and Microsoft. If you’d rather watch the full video recap covering the entire release, you can check it out here:
Adobe Patches for February 2026For February, Adobe released
I have survived the biggest Pwn2Own ever, but I’m back in Tokyo for the second Patch Tuesday of 2026. My location never stops Patch Tuesday from coming, so let’s take a look at the latest security patches from Adobe and Microsoft. If you’d rather watch the full video recap covering the entire release, you can check it out here:
Adobe Patches for February 2026
For February, Adobe released nine bulletins addressing 44 unique CVEs in Adobe Audition, After Effects, InDesign, Substance 3D Designer, Substance 3D Stager, Adobe Bridge, Substance 3D Modeler, Lightroom Classic, and the Adobe DNG Software Development Kit (SDK). The largest update here is for After Effects, which fixes 13 Critical and two Important rated bugs. The patch for Substance 3D Designer is on the larger side with seven fixes, but only two of those are Critical. On the other hand, the fix for Substance 3D Stager corrects five Critical-rated bugs that could lead to code execution. The Audition patch fixes six bugs, but only one is Critical.
The other patches are smaller in size. The fix for the Adobe DNG Software Development Kit (SDK) corrects two Critical and two Important-rated bugs. The InDesign patch fixes three bugs, but only one is Critical. The update for Adobe Bridge fixes two Critical bug that could lead to code execution. The patch for Lightroom Classic addresses a single Critical bug, and the release is wrapped up with a patch for Substance 3D Modeler that fixes a single, Important-rated memory link.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release, and all of the updates released by Adobe this month are listed as deployment priority 3.
Microsoft Patches for February 2026
This month, Microsoft drops 58 new CVEs in Windows and Windows components, Office and Office Components, Azure, Microsoft Edge (Chromium-based), .NET and Visual Studio, GitHub Copilot, Mailslot FS, Exchange Server, Internet Explorer (!), Power BI, Hyper-V Server, and the Windows Subsystem for Linux. Counting the third-party and Chromium updates listed in the release, it brings the total number of CVEs to 62. One of the bugs in the Windows Graphics component was submitted through the ZDI program. Five of these bugs are rated Critical, two are rated Moderate, and the rest are rated Important in severity.
It’s typical to see this number of CVEs released in February, but the number of bugs under active attack is extraordinarily high. Microsoft lists six bugs being exploited at the time of release, with three of these listed as publicly known. Last month only had a single bug being exploited, although there were twice as many CVEs patched. We’ll see if we’re on our way to another “hot exploit summer” as we saw a few years ago or if this is just an aberration.
Let’s take a closer look at some of the more interesting updates for this month, starting with the bugs under active attack:
- CVE-2026-21510 - Windows Shell Security Feature Bypass Vulnerability This bug is listed as a security feature bypass, but it could also be classified as code execution. An attacker can bypass Windows SmartScreen and Windows Shell security prompts to execute code on a target system. This bug is also listed as publicly known, but Microsoft doesn’t say where. There is user interaction here, as the client needs to click a link or a shortcut file. Still, a one-click bug to gain code execution is a rarity. Definitely test and deploy this fix quickly.
- CVE-2026-21514 - Microsoft Word Security Feature Bypass Vulnerability This bug also requires user interaction in the form of opening a Word document, but that’s all that’s required to bypass protections to dangerous COM/OLE controls. Thankfully, the Preview Pane is not an attack vector here. However, users are well known to open lots of documents they receive in e-mail. This bypass could also result in code execution if the right COM/OLE control is hit. This is also listed as publicly known, so add this to the list to test and deploy quickly.
- CVE-2026-21519 - Desktop Window Manager Elevation of Privilege Vulnerability This is the second month in a row that a DWM was listed as being exploited in the wild. That leads me to believe the first patch didn’t completely resolve the vulnerability. Same as last month, this bug allows attackers to run code with SYSTEM privileges. Bugs of this type are typically paired with a code execution bug to take over a system. As always, Microsoft offers no indication of how widespread these exploits may be.
- CVE-2026-21533 - Windows Remote Desktop Services Elevation of Privilege Vulnerability Don’t let the word “Remote” in the title fool you – this is a local bug that allows attackers to run code with SYSTEM privileges. It’s interesting that Microsoft lists “Improper privilege management” as the root cause for this issue. If the system is running Remote Desktop Services, it’s probably a juicy target for attackers to move laterally after an initial breach. Add this one to the list of patches to test and deploy immediately.
- CVE-2026-21513 - Internet Explorer Security Feature Bypass Vulnerability Although long gone by many measurements, IE does still exist on Windows systems, and calling it always results in a vulnerability somehow. This bug manifests similarly to the Shell bug above, as it requires user interaction but could result in code execution. The bypass here is simply the ability to reach IE, which shouldn’t be possible. Again, test and deploy this fix quickly.
- CVE-2026-21525 - Windows Remote Access Connection Manager Denial of Service Vulnerability It’s unusual to see DoS bugs being used in active attacks, but that’s what we have here. A null pointer deref in the Windows Remote Access Connection Manager allows an unauthorized attacker to deny service locally. Most null pointer derefs cause the application or service to crash, but it’s not clear if it will automatically restart. I would exercise caution and patch quickly either way.
Here’s the full list of CVEs released by Microsoft for February 2026:
Microsoft Edge (Chromium-based) for Android
Spoofing Vulnerability
Moderate
6.5
No
No
Spoofing
* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.
† Indicates further administrative actions are required to fully address the vulnerability.
Moving on to the Critical-rated bugs, the patch for Azure Front Door sounds frightening, but Microsoft has already fixed the bug and is just now documenting it. That’s also true for the bugs in Azure Arc and Azure Function. There are two Critical-rated bugs in the ACI Confidential Containers. The first allows a container escape while the second discloses secret tokens and keys. Either way, you’ll want to handle those quickly.
Taking a look at the other code execution vulnerabilities in this month’s release, we start with a frightening looking bug in Azure SDK for Python that has the highest CVSS this month of 9.8. A remote, unauthenticated attacker code gain code execution on an affected system via a maliciously crafted continuation token. It’s not clear why this isn’t rated Critical, but I would treat it as such. The three bugs in Hyper-V are actually local open-and-own bugs that require a user to open a malicious file on an affected system. That’s also true for the bug in Notepad. The bug in Power BI is confusing, because Microsoft says it requires authentication and could lead to an attacker running code as an authenticated user. There’s the poorly named “Azure Local Remote Code Execution Vulnerability”, but it requires a machine-in-the-middle (MitM) to exploit. The bug in Defender for Endpoint Linux is restricted to local subnets, but you’ll need to enable auto provisioning to get the patch. The final code execution bugs addressed this month are in GitHub Copilot. Two are command injections and the other is a Time-of-check time-of-use (toctou) race condition, but both could end up in code execution on affected systems.
Patches for Elevation of Privilege (EoP) bugs make up nearly 50% of this release, but most simply lead to local attackers executing their code at SYSTEM-level privileges or administrative privileges. There are only two of note. The first is a command injection bug in GitHub Copilot that leads to executing code at the level of the targeted application. The second is a bug in a kernel that leads to SYSTEM but could also be used for a sandbox escape.
There’s a unusually high number of spoofing bugs in this month’s release, and the ones for Outlook are the most troubling. First, the Preview Pane is an attack vector. Secondly, the bugs could be used to relay NTLM credentials via just an email, which could result in credential disclosure. And you’ll need multiple patches to fully address these bugs. At least they can be applied in any order. There’s a UI misrepresentation bug in Exchange Server that could allow an attacker to either view some sensitive information or “make changes to disclosed information”. At what point does data become disclosed? That odd phrasing makes me think they are using AI to right some of their descriptions. The phrasing also appears in the patch for NTLM. That bug is triggered by opening a specially crafted Office doc, and while they explicitly say it could be used to relay NTLM creds, it sure seems that way. The patch for .NET and Visual Studio fixes a bug that allows attackers to bypass header validation, resulting in the service accepting a message it should reject. Finally, the bug in Azure HDInsight is really just a cross-site scripting (XSS) bug. The caveat here is that you need to restart Ambari server in both of the head nodes to have this fix updated. There is also an XSS in Azure Devops Server, but at least it is labelled as such.
There are a couple of additional security feature bypass bugs to discuss. The first is in Hyper-V and bypasses the Virtualization-based Security feature. The other is in GitHub Copilot and Visual Studio Code. It’s another command injection, but this one can be used to bypass authentication. Neat.
Looking at the remaining info disclosure bugs getting patched this month, most simply result in info leaks consisting of unspecified memory contents or memory addresses. The exception is the bug in Azure IoT Explorer. This bug could be used to view the contents of the target user’s local file system.
We end this month’s release with two DoS bugs: one in LDAP and one in GDI+. Neither descriptions from Microsoft provide any usable information.
No new advisories are being released this month.
Looking Ahead
I plan on being back home for the March release but wherever I’m at, you can rest assured that March 10, I’ll be here to provide my assessment of the release. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!
In this excerpt of a TrendAI Research Services vulnerability report, Jonathan Lein and Simon Humbert of the TrendAI Research team detail a recently patched command injection vulnerability in the Arista NG Firewall. This bug was originally discovered by Gereon Huppertz and reported through the TrendAI Zero Day Initiative (ZDI) program. Successful exploitation could result in arbitrary command execution under the security context of the root user. The following is a portion of their write-up cover
In this excerpt of a TrendAI Research Services vulnerability report, Jonathan Lein and Simon Humbert of the TrendAI Research team detail a recently patched command injection vulnerability in the Arista NG Firewall. This bug was originally discovered byGereon Huppertz and reported through the TrendAI Zero Day Initiative (ZDI) program. Successful exploitation could result in arbitrary command execution under the security context of the root user. The following is a portion of their write-up covering CVE-2025-6798, with a few minimal modifications.
A command injection vulnerability has been reported in Arista NG Firewall. The vulnerability is due to improper validation of user data in the diagnostics component.
A remote, authenticated attacker could exploit this vulnerability by sending crafted requests to the target server. Successful exploitation could result in arbitrary command execution under the security context of the root user.
The Vulnerability
Arista NG Firewall is an open-source firewall appliance. It was originally developed under the name Untangle. Some features of Arista Firewall include spam blocking, bandwidth control, and IPS, etc. NG Firewall can be managed through a web user interface, or a JSON-RPC API using HTTP.
HTTP is a request/response protocol described in RFCs 7230 - 7237 and other RFCs. A request is sent by a client to a server, which in turn sends a response back to the client. An HTTP request consists of a request line, various headers, an empty line, and an optional message body
where CRLF represents the new line sequence Carriage Return (CR) followed by Line Feed (LF). SP represents a space character. Parameters can be passed from the client to the server as name-value pairs in either the Request-URI, or in the message-body, depending on the Method used and Content-Type header. For example, a simple HTTP request passing a parameter named “param” with value “1”, using the GET method might look like:
A corresponding HTTP request using the POST method might look like:
If there is more than one parameter/value pair, they are encoded as '&'-delimited name=value pairs:
var1=value1&var2=value2&var3=value3...
The component relevant to this report is the JSON-RPC endpoint. A JSON object has the following syntax:
• An object is enclosed in curly braces {}. • An object consists of zero or more items delimited by a comma (",") character. • An item consists of a key and a value. A key is delimited from its value by a colon (":") character. • A key must be a string (enclosed in quotes). • A value must be a valid type. Valid types include string, number, JSON object, array, Boolean, or null. • An array is an object enclosed in square braces []. An array consists of zero or more string, number, JSON object, array, Boolean or null type-objects delimited by a comma (",") character.
An example JSON object is as follows:
The following is an example of a JSON-RPC request to the runTroubleshooting() method that is relevant to this report:
A command injection vulnerability has been reported in Arista NG Firewall. The vulnerability is due to improper validation of user data that is used in a command line. The runTroubleshooting() method of the class NetworkManagerImpl will be used to handle JSON-RPC requests to the runTroubleshooting method. The command parameter passed to the method will be the first element in the params JSON array in the body of the request. This value must be one of the strings in the TroubleshootingCommands enum defined in the NetworkManager class. The second parameter of the method will contain additional arguments passed to the JSON-RPC call.
The method will first iterate through each of the additional arguments and combine each key value pair into a single string, separated by a "=" character that will later be used as an environment variable. Next, a switch case statement is used to ensure the provided command is one of the values in TroubleshootingCommands. Each command value will be processed using the same code.
The method will next iterate through each environment variable, and inspect it for the following common command injection strings:
; & | > $(
If any are found, the request will be rejected, and an exception is thrown. If each environment variable is valid, the method execEvil() is called to create and execute a command line for the network-troubleshooting.sh script, with the environment variables passed as a parameter. The execEvil() method in turn will call Runtime.getRuntime().exec() to run the script, with the second parameter passing the environment variables that will be used by the script. Each command value will have a function in network-troubleshooting.sh, such as run_dns() for the “DNS” command value. Each function will follow a similar structure, by creating a CMD string using the environment variables passed by exec() and then calling eval to execute it.
However, the values of the parameters passed to the runTroubleshooting JSON-RPC method are not completely sanitized before it is used in the command line. While the parameters passed to the endpoint are inspected for some shell metacharacters, the list is incomplete. For example, the backtick character (`) is not included in the check and may be used to inject a command.
For example:
The example above will write and execute a python script on the server to achieve code execution without using any restricted characters.
A remote, authenticated attacker could exploit this vulnerability by sending a JSON-RPC request to the runTroubleshooting method containing a crafted “HOST” or “URL” parameter containing shell metacharacters not present in the runTroubleshooting() check. Successful exploitation in the worst case will result in arbitrary command execution under the security context of the root user.
Detection Guidance
To detect an attack exploiting this vulnerability, the detection device must monitor and parse traffic on the following ports: - HTTP, over port 80/TCP - HTTPS, over port 443/TCP
Traffic to Arista NG Firewall may be encrypted and must be decrypted prior to applying this guidance.
The detection device must search for HTTP POST requests made to the request-URI /admin/JSON-RPC. If found, the body of the request must be parsed as JSON. The JSON object in the body must be inspected for a method key, and its value must be inspected to contain the substring runTroubleshooting. If found, the object must also be inspected for the JSON key "params", with a value containing a JSON array. The first entry in the JSON array must be inspected for any of the following strings:
If found, the second entry in the array must be inspected for a JSON object, and inspected for any of the following keys:
If either is found, the corresponding value to the key must be inspected for any of the following command injection characters:
If found, the traffic should be treated as suspicious; an attack exploiting this vulnerability is likely underway.
The following regular expression can be applied to find malicious requests:
• String matching on the request-URI and all JSON strings should be done in a case sensitive manner. • The JSON strings may be encoded and must be decoded prior to applying this guidance. • The request-URI may be URL-encoded and must be decoded before applying this guidance.
Conclusion
This vulnerability has been addressed by Arista with their Security Advisory 0123. They note that the Arista Edge Threat Management - Arista Next Generation Firewall (Formerly Untangle) is affected by this bug, but other product versions are not. They also state the following mitigation can be applied:
Do not allow non-authorized administrative access or access to the administrative browser.
However, the more appropriate action is to apply the provided vendor security patch by upgrading to version 17.4 or higher.
Special thanks to Jonathan Lein and Simon Humbert of the TrendAI Research team for providing such a thorough analysis of this vulnerability. For an overview of TrendAI Research services, please visit https://go.trendmicro.com/tis/vulnerabilities.html.
The threat research team will be back with other great vulnerability analysis reports in the future. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.
The last day of Pwn2Own Automotive 2026 saw the world’s top security researchers take their final shots at the latest automotive systems. Over three days of intense competition, $1,047,000 USD was awarded for 76 unique 0-day vulnerabilities, with bold exploits, clever techniques, and collisions keeping the action thrilling throughout.By the end, Tobias Scharnowski (@ScepticCtf), Felix Buchmann (@diff_fusion), and Kristian Covic (@SeTcbPrivilege) of Fuzzware.io claimed the title of Master of Pwn,
The last day of Pwn2Own Automotive 2026 saw the world’s top security researchers take their final shots at the latest automotive systems. Over three days of intense competition, $1,047,000 USD was awarded for 76 unique 0-day vulnerabilities, with bold exploits, clever techniques, and collisions keeping the action thrilling throughout.
By the end, Tobias Scharnowski (@ScepticCtf), Felix Buchmann (@diff_fusion), and Kristian Covic (@SeTcbPrivilege) of Fuzzware.io claimed the title of Master of Pwn, earning 28 points and $215,500 USD.
Follow the final updates on Twitter, Mastodon, LinkedIn, and Bluesky, and join the conversation using #Pwn2OwnAutomotive and #P2OAuto.
SUCCESS / COLLISON - Tobias Scharnowski (@ScepticCtf), Felix Buchmann (@diff_fusion), and Kristian Covic (@SeTcbPrivilege) of Fuzzware.io targeted the Alpine iLX-F511, demonstrating one vulnerability previously used by another contestant, earning $2,500 USD and 1 Master of Pwn point. #Pwn2Own #P2OAuto
SUCCESS / COLLISON - Slow Horses of Qrious Secure (@qriousec) targeted the Grizzl-E Smart 40A but encountered two bug collisions, still earning $5,000 USD and 2 Master of Pwn points.
SUCCESS / COLLISON - Team MST targeted the Kenwood DNR1007XR, demonstrating one bug but running into a collision, earning $2,500 USD and 1 Master of Pwn point.
SUCCESS - PetoWorks (@petoworks) targeted the Grizzl-E Smart 40A, exploiting one buffer overflow bug, and earned $10,000 USD and 4 Master of Pwn points.
SUCCESS - Bongeun Koo (@kiddo_pwn) and Evangelos Daravigkas (@freddo_1337) of Team DDOS targeted the Alpine iLX‑F511, exploiting a stack‑based buffer overflow to earn $5,000 USD and 2 Master of Pwn points.
SUCCESS - Viettel Cyber Security (@vcslab) targeted the Sony XAV‑9500ES, exploiting a heap‑based buffer overflow to achieve arbitrary code execution, earning $10,000 USD and 2 Master of Pwn points. #Pwn2Own #P2OAuto
SUCCESS / COLLISON - Qrious Secure (@qriousec) targeted the Kenwood system, demonstrating three bugs - one n-day and two unique vulnerabilities (incorrect permission assignment and a race condition), earning $4,000 USD and 1.75 Master of Pwn points.
SUCCESS - Boom! or shall we say Doom? Game On! Aapo Oksman, Elias Ikkelä-Koski and Mikael Kantola of Juurin Oy exploit the Alpitronic HYC50 with a TOCTOU bug - and installed a playable version of Doom to boot. They earn $20,000 and 4 Master of Pwn points. #Pwn2Own #P2OAuto
SUCCESS / COLLISON - Nguyen Thanh Dat (@rewhiles) of Viettel Cyber Security (@vcslab) targeted the Kenwood DNR1007XR, demonstrating one bug but encountering a collision, earning $2,500 USD and 1 Master of Pwn point.
SUCCESS / COLLISON - Autocrypt (Hoyong Jin, Jaewoo Jeong, Chanhyeok Jung, Minsoo Son, and Kisang Choi) targeted the Alpine iLX-F511, demonstrating two vulnerabilities to gain root access. One collided with a previously known issue, earning $3,000 USD and 1.25 Master of Pwn points.
SUCCESS - Elias Ikkelä-Koski and Aapo Oksman of Juurin Oy targeted the Kenwood DNR1007XR, demonstrating a link-following vulnerability to earn $5,000 USD and 2 Master of Pwn points.
SUCCESS - Nam Ha Bach and Vu Tien Hoa of the FPT NightWolf Team targeted the Alpine iLX-F511, exploiting one unique vulnerability to gain root access and earning $5,000 USD and 2 Master of Pwn points.
SUCCESS / COLLISON - Ryo Kato (@Pwn4S0n1c) targeted the Autel MaxiCharger AC Elite Home 40A, demonstrating a three-bug chain but encountering one collision, still earning $16,750 USD and 3.5 Master of Pwn points.
Day Two of Pwn2Own Automotive 2026 was packed with action, and the stakes continued to rise. Security researchers returned to the Pwn2Own stage, probing and challenging the latest automotive systems as the competition intensified. New exploits, unexpected twists, and standout performances emerged throughout the day - follow along here for daily updates as the race for Master of Pwn heats up. Following an action-packed Day One, where $516,500 USD was awarded for 37 unique 0-day vulnerabilities, D
Day Two of Pwn2Own Automotive 2026 was packed with action, and the stakes continued to rise. Security researchers returned to the Pwn2Own stage, probing and challenging the latest automotive systems as the competition intensified. New exploits, unexpected twists, and standout performances emerged throughout the day - follow along here for daily updates as the race for Master of Pwn heats up.
Following an action-packed Day One, where $516,500 USD was awarded for 37 unique 0-day vulnerabilities, Day Two added another $439,250 USD and 29 unique 0-days, bringing the event totals to $955,750 USD with 66 unique vulnerabilities overall. Fuzzware.io holds a commanding lead for Master of Pwn, but with one day to go, anything can still happen. We’ll see what the final day of the contest brings.
Stay up to date throughout Day Two by following us on Twitter, Mastodon, LinkedIn, and Bluesky, and join the conversation using #Pwn2Own Automotive and #P2OAuto.
SUCCESS - Inhyung Lee, Seokhun Lee, Chulhan Park, Wooseok Kim, and Yeonseok Jang of Team MAMMOTH exploited a command injection vulnerability against the Alpine iLX-F511, earning $10,000 USD and 2 Master of Pwn points.
FAILURE - Autocrypt - Hoyong Jin, Jaewoo Jeong, Chanhyeok Jung, Minsoo Son, and Kisang Choi - targeted the Grizzl‑E Smart 40A with the Charging Connector Protocol/Signal Manipulation add‑on but were unable to demonstrate the vulnerability within the allotted time.
SUCCESS - Julien COHEN‑SCALI of FuzzingLabs (@FuzzingLabs) targeted the Phoenix Contact CHARX SEC‑3150, chaining two vulnerabilities - an authentication bypass and privilege escalation - to earn $20,000 USD and 4 Master of Pwn points.
SUCCESS - Neodyme AG (@Neodyme) exploited a buffer overflow vulnerability (CWE‑120) in Round 3 to achieve privileged code execution on the Sony XAV‑9500ES, earning $10,000 USD and 2 Master of Pwn points. #Pwn2Own #P2OAuto
SUCCESS - Hank Chen (@hank0438) of InnoEdge Labs exploited an exposed dangerous method against the Alpitronic HYC50 – Lab Mode, earning $40,000 USD and 4 Master of Pwn points.
SUCCESS / COLLISON - Nguyen Thanh Dat (@rewhiles) of Viettel Cyber Security (@vcslab) targeted the Alpine iLX-F511, hitting a one-vulnerability collision with a previous attempt and earning $2,500 USD and 1 Master of Pwn point.
SUCCESS / COLLISON - BoredPentester (@BoredPentester) targeted the Grizzl‑E Smart 40A with the Charging Connector Protocol/Signal Manipulation add‑on, combining two bugs to earn $20,000 USD and 3 Master of Pwn points. #Pwn2Own #P2OAuto
SUCCESS / COLLISON - Bongeun Koo (@kiddo_pwn) and Evangelos Daravigkas (@freddo_1337) of Team DDOS targeted the Kenwood DNR1007XR, exploiting an n‑day command injection to earn $4,000 USD and 1 Master of Pwn point.
SUCCESS - Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) targeted the Kenwood DNR1007XR in Round 6, exploiting a command injection vulnerability to earn $5,000 USD and 2 Master of Pwn points.
SUCCESS / COLLISON - Kazuki Furukawa (@N4NU) of GMO Cybersecurity by Ierae targeted the Alpine iLX-F511, hitting a one-vulnerability collision with a previous attempt and earning $2,500 USD and 1 Master of Pwn point. #Pwn2Own #P2OAuto
SUCCESS / COLLISON - Donggeon Kim (@gbdngb12), Hoon Nam (@pwnstar96), Jaeho Jeong (@jeongZero), Sangsoo Jeong (@sangs00Jeong), and Wonyoung Jung (@nonetype_pwn) of 78ResearchLab targeted the Kenwood DNR1007XR, exploiting one n-day vulnerability along with two collisions to earn $2,500 USD and 1 Master of Pwn point.
SUCCESS - Xilokar (xilokar@mamot.fr) targeted the Alpitronic HYC50 – Lab Mode, exploiting one bug to earn $20,000 USD and 4 Master of Pwn points.
SUCCESS / COLLISON - Hyeongseok Lee (@fluorite_pwn), Yunje Shin (@YunjeShin), Chaeeul Hyun (@yskm_Gunter), Ingyu Yang (@Mafty5275), Hoseok Kang (@cl4y419), Seungyeon Park (@vvsy46), and Wonjun Choi (@won6_choi) of BoB::Takedown targeted the Grizzl-E Smart 40A, hitting one collision and one unique 0-day, earning $15,000 USD and 3 Master of Pwn points.
SUCCESS - Tobias Scharnowski (@ScepticCtf), Felix Buchmann (@diff_fusion), and Kristian Covic (@SeTcbPrivilege) of Fuzzware.io targeted the Phoenix Contact CHARX SEC-3150 in Round 5, exploiting three bugs with two add-ons to earn $50,000 USD and 7 Master of Pwn points.
SUCCESS / COLLISON - Slow Horses of Qrious Secure (@qriousec) targeted the Alpine iLX-F511, resulting in a single vulnerability collision with a previous attempt, earning $2,500 USD and 1 Master of Pwn point.
FAILURE - Autocrypt (Hoyong Jin, Jaewoo Jeong, Chanhyeok Jung, Minsoo Son, and Kisang Choi) targeted the Autel MaxiCharger AC Elite Home 40A with the Charging Connector Protocol/Signal Manipulation add-on, but ran out of attempts before the exploit could be demonstrated.
SUCCESS - BoredPentester (@BoredPentester) targeted the Kenwood DNR1007XR, demonstrating a command injection vulnerability to earn $5,000 USD and 2 Master of Pwn points.
SUCCESS - Rob Blakely of Technical Debt Collectors targeted Automotive Grade Linux, chaining three bugs - an out-of-bounds read, memory exhaustion, and a heap overflow - to earn $40,000 USD and 4 Master of Pwnpoints. #Pwn2Own #P2OAuto
SUCCESS / COLLISON - PHP Hooligans / Midnight Blue (@midnightbluelab) targeted the Autel MaxiCharger AC Elite Home 40A with the Charging Connector Protocol/Signal Manipulation add-on, hitting a full collision on a two-bug chain, earning $20,000 USD and 3 Master of Pwn points. #Pwn2Own #P2OAuto
SUCCESS - Synacktiv (@synacktiv) targeted the Autel MaxiCharger AC Elite Home 40A with the Charging Connector Protocol/Signal Manipulation add‑on. In Round 2, they exploited one stack‑based buffer overflow, earning $30,000 USD and 5 Master of Pwn points.
SUCCESS - Tobias Scharnowski (@ScepticCtf), Felix Buchmann (@diff_fusion), and Kristian Covic (@SeTcbPrivilege) of Fuzzware.io targeted the ChargePoint Home Flex (CPH50-K) with the Charging Connector Protocol/Signal Manipulation add-on, exploiting one command injection bug to earn $30,000 USD and 5 Master of Pwn points. #Pwn2Own #P2OAuto
FAILURE - PetoWorks (@petoworks) targeted the Alpine iLX-F511 but was unable to demonstrate their exploit within the allotted time.
SUCCESS - Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) targeted the ChargePoint Home Flex (CPH50-K) with the Charging Connector Protocol/Signal Manipulation add-on, exploiting two bugs to earn $30,000 USD and 5 Master of Pwn points.
SUCCESS / COLLISON - PetoWorks (@petoworks) targeted the Kenwood DNR1007XR, hitting one bug collision earning $2,500 USD and 1 Master of Pwn point.
SUCCESS / COLLISON - Tobias Scharnowski (@ScepticCtf), Felix Buchmann (@diff_fusion), and Kristian Covic (@SeTcbPrivilege) of Fuzzware.io targeted the Grizzl-E Smart 40A with the Charging Connector Protocol/Signal Manipulation add-on, resulting in two bug collisions and earning $15,000 USD and 3 Master of Pwn points.
SUCCESS / COLLISON - Bongeun Koo (@kiddo_pwn) and Evangelos Daravigkas (@freddo_1337) of Team DDOS targeted the Phoenix Contact CHARX SEC-3150 with the Charging Connector Protocol/Signal Manipulation add-on, demonstrating six bugs but encountering a collision, still earning $19,250 USD and 4.75 Master of Pwn points.
SUCCESS - Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) targeted the Alpine iLX-F511, exploiting two unique vulnerabilities to gain root access, earning $5,000 USD and 2 Master of Pwn points.
SUCCESS / COLLISON - Evan Grant (@stargravy) targeted the Grizzl-E Smart 40A with the Charging Connector Protocol/Signal Manipulation add-on, hitting two bug collisions, still earning $15,000 USD and 3 Master of Pwn points.
SUCCESS / COLLISON - Hyeonjun Lee (@gul9ul), Younghun Kwon (@d0kk2bi), Hyeokjong Yun (@dig06161), Dohwan Kim (@neko__hat), Hanryeol Park (@hanR0724), Hyojin Lee (@meixploit), Jinyeong Yoon, and Youngmin Cho (@ZIEN0621) of ZIEN, Inc. targeted the ChargePoint Home Flex (CPH50-K), demonstrating two unique bugs (symlink following and command injection) but encountered a collision with a previous attempt - still earning $16,750 USD and 3.5 Master of Pwn points.
SUCCESS / COLLISON - Hyeongseok Lee (@fluorite_pwn), Yunje Shin (@YunjeShin), Chaeeul Hyun (@yskm_Gunter), Ingyu Yang (@Mafty5275), Hoseok Kang (@cl4y419), Seungyeon Park (@vvsy46), and Wonjun Choi (@won6_choi) of BoB::Takedown targeted the Phoenix Contact CHARX SEC-3150, demonstrating three bugs, but ran into two collisions, earning $6,750 USD and 2.75 Master of Pwn points.
Welcome to Day One of Pwn2Own Automotive 2026! Today, 30 entries took the Pwn2Own stage to target the latest automotive systems, as the world’s top security researchers push technology to its limits. Exploits, surprises, and breakthrough discoveries are unfolding. After Day One, we awarded $516,500 for 37 unique 0-days! Fuzzware.io is currently in the lead for Master of Pwn, but Team DDOS is right on their heels. Stay tuned tomorrow for more results and surprises. Stay up to date by following u
Welcome to Day One of Pwn2Own Automotive 2026! Today, 30 entries took the Pwn2Own stage to target the latest automotive systems, as the world’s top security researchers push technology to its limits. Exploits, surprises, and breakthrough discoveries are unfolding.
After Day One, we awarded $516,500 for 37 unique 0-days! Fuzzware.io is currently in the lead for Master of Pwn, but Team DDOS is right on their heels. Stay tuned tomorrow for more results and surprises.
Stay up to date by following us on Twitter, Mastodon, LinkedIn, and Bluesky, and join the conversation using #Pwn2Own Automotive and #P2OAuto for continuous coverage.
FAILURE - Unfortunately, Team Hacking Group targeting Kenwood DNR1007XR in the In-Vehicle Infotainment (IVI) category could not get their exploit working within the time allotted.
SUCCESS - Neodyme AG (@Neodyme) used a stack based buffer overflow to get a root shell on the Alpine iLX-F511, earning $20,000 USD and 2 Master of Pwn points.
SUCCESS - Fuzzware.io ( @ScepticCtf, @diff_fusion, @SeTcbPrivilege) chained two vulnerabilities (CWE-306, CWE-347) to achieve code execution on the Autel charger and manipulate the charging signal, earning $50,000 USD and 5 Master of Pwn points. Full win with the add-on.
SUCCESS - Taejin Kim (@tae3pwn), Junsu Yeo (@junactually), Sunmin Park (@sunminpark4503), Sungmin Son (@_ssm98), and Hoseok Lee of SKShieldus (@EQSTLab) of 299 exploited a hardcoded credential (CWE-798) to achieve code execution via CWE-494 on the Grizzl-E Smart 40A, earning $40,000 USD and 4 Master of Pwn points.
SUCCESS - Bongeun Koo (@kiddo_pwn) and Evangelos Daravigkas (@freddo_1337) of Team DDOS exploited two bugs, including a command injection, against the ChargePoint Home Flex. Add-on failed, but still earned $40,000 USD and 4 Master of Pwn points.
SUCCESS - Cyrill Bannwart, Emanuele Barbeno, Yves Bieri, Lukasz D., and Urs Mueller of Compass Security (@compasssecurity) exploited one exposed dangerous method/function bug on the Alpine iLX-F511, winning Round 2 for $10,000 USD and 2 Master of Pwn points.
SUCCESS - PetoWorks (@petoworks) chained three bugs - including Denial of Service (DoS), a race condition, and command injection - against the Phoenix Contact CHARX SEC-3150, winning Round 1 for $50,000 USD and 5 Master of Pwn points with the signal manipulation add-on.
SUCCESS - Synacktiv (@synacktiv) chained three vulnerabilities to gain root-level code execution on the Sony XAV-9500ES, earning a full win of $20,000 USD and 2 Master of Pwn points.
SUCCESS - Tobias Scharnowski (@ScepticCtf), Felix Buchmann (@diff_fusion), and Kristian Covic (@SeTcbPrivilege) of Fuzzware.io exploited an n-day command injection against Kenwood, earning $8,000 USD and 1 Master of Pwn point.
SUCCESS - Yannik Marchand (@kinnay) exploited a single out-of-bounds write to achieve a full win against the Kenwood DNR1007XR, earning $20,000 USD and 2 Master of Pwn points.
FAILURE - Hyunseok Yun, Heaeun Moon, and Eungyo Seo of CIS targeted the Alpine iLX-F511 but were unable to complete their exploit within the allotted time.
SUCCESS / COLLISON - Cyrill Bannwart, Emanuele Barbeno, Yves Bieri, Lukasz D., and Urs Mueller of Compass Security (@compasssecurity) earned $25,000 USD and 4 Master of Pwn points with the Charging Connector Protocol/Signal Manipulation add‑on against the Grizzl‑E Smart 40A, chaining an authentication bypass (CWE‑306) to remote code execution via CWE‑494.
FAILURE - Tobias Scharnowski (@ScepticCtf), Felix Buchmann (@diff_fusion), and Kristian Covic (@SeTcbPrivilege) of Fuzzware.io targeted the EMPORIA Pro Charger Level 2 with the Charging Connector Protocol/Signal Manipulation add‑on but were unable to complete their exploit within the allotted time.
SUCCESS / COLLISON - Kazuki Furukawa (@N4NU) of GMO Cybersecurity chained three bugs against Kenwood - including an n‑day hard‑coded credential, incorrect permissions on a critical resource, and command injection - to earn $8,000 USD and 1.75 Master of Pwn points.
SUCCESS / COLLISON - Bongeun Koo (@kiddo_pwn) and Evangelos Daravigkas (@freddo_1337) of Team DDOS targeted the Autel MaxiCharger AC Elite Home 40A with the Charging Connector Protocol/Signal Manipulation add-on. Due to a full collision with a previous attempt, they earned $10,000 USD and 2 Master of Pwn points.
SUCCESS / COLLISON - Chumy Tsai (@rm_rf_chumy), Jimmy Liu (@DrmnSamoLiu), and Jim Chen (@asef18766) of Cycraft Technology (@cycraft_corp) targeted the Grizzl-E Smart 40A. Due to a 2-bug collision, they earned $10,000 USD and 2 Master of Pwn points.
SUCCESS - Mia Miku Deutsch (@newbe3e) exploited a stack-based buffer overflow against the Alpine iLX‑F511, earning $10,000 USD and 2 Master of Pwn points.
SUCCESS - Synacktiv (@synacktiv) chained two vulnerabilities - an information leak and an out‑of‑bounds write - to achieve a full win in the Tesla Infotainment USB‑based Attack category, earning $35,000 USD and 3.5 Master of Pwn points.
SUCCESS / COLLISON - Donggeon Kim (@gbdngb12), Hoon Nam (@pwnstar96), Jaeho Jeong (@jeongZero), Sangsoo Jeong (@sangs00Jeong), and Wonyoung Jung (@nonetype_pwn) of 78ResearchLab hit a one‑vulnerability collision against the Alpine iLX‑F511, earning $5,000 USD and 1 Master of Pwn point.
SUCCESS - Giuseppe Calì (_gcali) and 8cf53a459714977f6bb11ee2d90416bf1675fa0e2451d80cf55a06d0b6ac2 of Team Zeroshi exploited five bugs against the Phoenix Contact CHARX SEC-3150, securing a Round 2 win for $20,000 USD and 4 Master of Pwn points.
SUCCESS / COLLISON - Bongeun Koo (@kiddo_pwn) and Evangelos Daravigkas (@freddo_1337) of Team DDOS hit a collision against the Grizzl-E Smart 40A with the Charging Connector Protocol/Signal Manipulation add-on, combining three duplicate bugs and one new bug to earn $22,500 USD and 3.5 Master of Pwn points.
FAILURE - Tobias Scharnowski (@ScepticCtf), Felix Buchmann (@diff_fusion), and Kristian Covic (@SeTcbPrivilege) of Fuzzware.io targeted Sony XAV-9500ES but were unable to get their exploit working within the allotted time.
FAILURE - Viettel Cyber Security (@vcslab) targeted the ChargePoint Home Flex (CPH50-K) but were unable to get their exploit working within the allotted time.
SUCCESS - Tobias Scharnowski (@ScepticCtf), Felix Buchmann (@diff_fusion), and Kristian Covic (@SeTcbPrivilege) of Fuzzware.io achieved a full win against the Alpitronic HYC50 - Field Mode, exploiting a single out-of-bounds write to earn $60,000 USD and 6 Master of Pwn points.
SUCCESS - Dong hee Kim (@heehee_0219_) and Jong geon Kim (@kimjor22) of Team K exploited two vulnerabilities - an out-of-bounds read and a stack-based buffer overflow - against the Alpine iLX-F511, earning $10,000 USD and 2 Master of Pwn points.
SUCCESS - Interrupt Labs (@InterruptLabs) scored a Round 3 win against the Kenwood DNR1007XR, exploiting a unique heap-based buffer overflow to earn $10,000 USD and 2 Master of Pwn points. #Pwn2Own #P2OAuto
FAILURE - Jonathan Conrad (@jwconrad.bsky.social) targeted the Grizzl-E Smart 40A but was unable to reproduce the vulnerability within the allotted time.
SUCCESS / COLLISON - TienPP of FPT NightWolf hit a collision against the Kenwood DNR1007XR, chaining three bugs - including an n‑day hard‑coded credential and two 0‑days (incorrect default permissions and symlink following) - to earn $8,000 USD and 1.75 Master of Pwn points.
SUCCESS - @ExLuck99 and @gr4ss341 of ANHTUD chained two vulnerabilities (CWE‑125 and CWE‑122) to achieve code execution on the Sony XAV‑9500ES, earning $10,000 USD and 2 Master of Pwn points in Round 2.
SUCCESS / COLLISON - Donggeon Kim (@gbdngb12), Hoon Nam (@pwnstar96), Jaeho Jeong (@jeongZero), Sangsoo Jeong (@sangs00Jeong), and Wonyoung Jung (@nonetype_pwn) of 78ResearchLab targeted the Phoenix Contact CHARX SEC‑3150, chaining four bugs (two unique and two collisions) to earn $15,000 USD and 3 Master of Pwn points.
おかえりなさい (Welcome back!) The third annual Pwn2Own Automotive competition has returned to Automotive World in Tokyo, and the excitement is building. This year marks a major milestone for Pwn2Own, with a record 73 entries. We’ve brought together some of the world’s most talented security researchers to take on the latest automotive components, pushing them to their limits in a real-world testing environment.Earlier today, we held the random drawing to determine the order of attempts, setting the st
おかえりなさい (Welcome back!) The third annual Pwn2Own Automotive competition has returned to Automotive World in Tokyo, and the excitement is building. This year marks a major milestone for Pwn2Own, with a record 73 entries. We’ve brought together some of the world’s most talented security researchers to take on the latest automotive components, pushing them to their limits in a real-world testing environment.
Earlier today, we held the random drawing to determine the order of attempts, setting the stage for an exciting lineup of demonstrations and discoveries. Below is the official schedule based on that draw. All times are listed in Tokyo local time and may change as the competition progresses - updates will be posted as the event unfolds.
In case you missed it, you can watch the draw here.
Team Hacking Group targeting Kenwood DNR1007XR in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Tobias Scharnowski (@ScepticCtf), Felix Buchmann (@diff_fusion), and Kristian Covic (@SeTcbPrivilege) of Fuzzware.io targeting Autel MaxiCharger AC Elite Home 40A EV Charger in the Level 2 Electric Vehicle Chargers category with the Charging Connector Protocol/Signal Manipulation add-on for a total of $50,000 and 5 Master of Pwn points.
Neodyme AG (@Neodyme) targeting Alpine iLX-F511 in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Bongeun Koo (@kiddo_pwn) and Evangelos Daravigkas (@freddo_1337) of Team DDOS targeting ChargePoint Home Flex (Model CPH50-K) in the Level 2 Electric Vehicle Chargers category with the Charging Connector Protocol/Signal Manipulation add-on for a total of $50,000 and 5 Master of Pwn points.
Taejin Kim (@_tae3_), Junsu Yeo (@junactually), Sunmin Park (@sunminpark4503), Sungmin Son (@_ssm98), Hoseok Lee of SKShieldus (@EQSTLab) of 299 targeting Grizzl-E Smart 40A in the Level 2 Electric Vehicle Chargers category for a total of $40,000 and 4 Master of Pwn points.
Wednesday, January 21 – 1200
PetoWorks (@petoworks) targeting Phoenix Contact CHARX SEC-3150 in the Level 2 Electric Vehicle Chargers category with the Charging Connector Protocol/Signal Manipulation add-on for a total of $50,000 and 5 Master of Pwn points.
Wednesday, January 21 – 1230
Tobias Scharnowski (@ScepticCtf), Felix Buchmann (@diff_fusion), and Kristian Covic (@SeTcbPrivilege) of Fuzzware.io targeting Kenwood DNR1007XR in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Synacktiv (@synacktiv) targeting Sony XAV-9500ES in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Cyrill Bannwart, Emanuele Barbeno, Yves Bieri, Lukasz D., and Urs Mueller of Compass Security (@compasssecurity) targeting Alpine iLX-F511 in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Wednesday, January 21 – 1400
Yannik Marchand (@kinnay) targeting Kenwood DNR1007XR in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Hyunseok Yun, Heaeun Moon, Eungyo Seo of CIS targeting Alpine iLX-F511 in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points
Synacktiv (@synacktiv) targeting Infotainment USB-based Attack in the Tesla Infotainment category for a total of $35,000 and 3.5 Master of Pwn points.
Tobias Scharnowski (@ScepticCtf), Felix Buchmann (@diff_fusion), and Kristian Covic (@SeTcbPrivilege) of Fuzzware.io targeting EMPORIA Pro Charger Level 2 in the Level 2 Electric Vehicle Chargers category with the Charging Connector Protocol/Signal Manipulation add-on for a total of $50,000 and 5 Master of Pwn points.
Cyrill Bannwart, Emanuele Barbeno, Yves Bieri, Lukasz D., Urs Mueller of Compass Security (@compasssecurity) targeting Grizzl-E Smart 40A in the Level 2 Electric Vehicle Chargers category with the Charging Connector Protocol/Signal Manipulation add-on for a total of $50,000 and 5 Master of Pwn points.
Wednesday, January 21 – 1500
Bongeun Koo (@kiddo_pwn) and Evangelos Daravigkas (@freddo_1337) of Team DDOS targeting Autel MaxiCharger AC Elite Home 40A EV Charger in the Level 2 Electric Vehicle Chargers category with the Charging Connector Protocol/Signal Manipulation add-on for a total of $50,000 and 5 Master of Pwn points.
Wednesday, January 21 – 1530
Kazuki Furukawa (@_N4NU_) of GMO Cybersecurity by Ierae targeting Kenwood DNR1007XR in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Mia Miku Deutsch (@newbe3e) targeting Alpine iLX-F511 in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Tobias Scharnowski (@ScepticCtf), Felix Buchmann (@diff_fusion), and Kristian Covic (@SeTcbPrivilege) of Fuzzware.io targeting Alpitronic HYC50 - Field Mode in the Level 3 Electric Vehicle Chargers category for a total of $60,000 and 6 Master of Pwn points.
Chumy Tsai (@rm_rf_chumy), Jimmy Liu (@DrmnSamoLiu), and Jim Chen (@asef18766) at Cycraft Technology (@cycraft_corp) targeting Grizzl-E Smart 40A in the Level 2 Electric Vehicle Chargers category for a total of $40,000 and 4 Master of Pwn points.
Wednesday, January 21 – 1600
Team Zeroshi targeting Phoenix Contact CHARX SEC-3150 in the Level 2 Electric Vehicle Chargers category with the Charging Connector Protocol/Signal Manipulation add-on for a total of $50,000 and 5 Master of Pwn points.
Wednesday, January 21 – 1700
Interrupt Labs (@InterruptLabs) targeting Kenwood DNR1007XR in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Donggeon Kim (@gbdngb12), Hoon Nam (@pwnstar96), Jaeho Jeong (@jeongZero), Sangsoo Jeong (@sangs00Jeong) and Wonyoung Jung (@nonetype_pwn) of 78ResearchLab targeting Alpine iLX-F511 in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Bongeun Koo (@kiddo_pwn) and Evangelos Daravigkas (@freddo_1337) of Team DDOS targeting Grizzl-E Smart 40A in the Level 2 Electric Vehicle Chargers category with the Charging Connector Protocol/Signal Manipulation add-on for a total of $50,000 and 5 Master of Pwn points.
Wednesday, January 21 – 1730
Tobias Scharnowski (@ScepticCtf), Felix Buchmann (@diff_fusion), and Kristian Covic (@SeTcbPrivilege) of Fuzzware.io targeting Sony XAV-9500ES in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Viettel Cyber Security (@vcslab) targeting ChargePoint Home Flex (Model CPH50-K) in the Level 2 Electric Vehicle Chargers category for a total of $40,000 and 4 Master of Pwn points.
Wednesday, January 21 – 1830
TienPP from FPT NightWolf targeting Kenwood DNR1007XR in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Dong hee Kim (@heehee_0219_) and Jong geon Kim (@kimjor22) targeting Alpine iLX-F511 in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Donggeon Kim (@gbdngb12), Hoon Nam (@pwnstar96), Jaeho Jeong (@jeongZero), Sangsoo Jeong (@sangs00Jeong) and Wonyoung Jung (@nonetype_pwn) of 78ResearchLab targeting Phoenix Contact CHARX SEC-3150 in the Level 2 Electric Vehicle Chargers category for a total of $40,000 and 4 Master of Pwn points.
Jonathan Conrad (@jwconrad.bsky.social) targeting Grizzl-E Smart 40A in the Level 2 Electric Vehicle Chargers category for a total of $40,000 and 4 Master of Pwn points.
Wednesday, January 21 – 1900
@ExLuck99 and @gr4ss341 of ANHTUD targeting Sony XAV-9500ES in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Bongeun Koo (@kiddo_pwn) and Evangelos Daravigkas (@freddo_1337) of Team DDOS targeting Kenwood DNR1007XR in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Inhyung Lee, Seokhun Lee, Chulhan Park, Wooseok Kim, and Yeonseok Jang from Team MAMMOTH targeting Alpine iLX-F511 in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Julien COHEN-SCALI from FuzzingLabs (@FuzzingLabs) targeting Phoenix Contact CHARX SEC-3150 in the Level 2 Electric Vehicle Chargers category for a total of $40,000 and 4 Master of Pwn points.
Hank Chen (@hank0438) of InnoEdge Labs targeting Alpitronic HYC50 - Lab Mode in the Level 3 Electric Vehicle Chargers category for a total of $40,000 and 4 Master of Pwn points.
Autocrypt (Hoyong Jin, Jaewoo Jeong, Chanhyeok Jung, Minsoo Son, and Kisang Choi) targeting Grizzl-E Smart 40A in the Level 2 Electric Vehicle Chargers category with the Charging Connector Protocol/Signal Manipulation add-on for a total of $50,000 and 5 Master of Pwn points.
Thursday, January 22 – 1130
Neodyme AG (@Neodyme) targeting Sony XAV-9500ES in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Thursday, January 22 – 1200
Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) targeting Kenwood DNR1007XR in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Nguyen Thanh Dat (@rewhiles) from Viettel Cyber Security (@vcslab) targeting Alpine iLX-F511 in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
BoredPentester (@BoredPentester) targeting Grizzl-E Smart 40A in the Level 2 Electric Vehicle Chargers category with the Charging Connector Protocol/Signal Manipulation add-on for a total of $50,000 and 5 Master of Pwn points.
Thursday, January 22 – 1230
Tobias Scharnowski (@ScepticCtf), Felix Buchmann (@diff_fusion), and Kristian Covic (@SeTcbPrivilege) of Fuzzware.io targeting Phoenix Contact CHARX SEC-3150 in the Level 2 Electric Vehicle Chargers category with the Charging Connector Attack and Charging Connector Protocol/Signal Manipulation add-on for a total of $70,000 and 7 Master of Pwn points.
Xilokar (xilokar@mamot.fr) targeting Alpitronic HYC50 - Lab Mode in the Level 3 Electric Vehicle Chargers category for a total of $40,000 and 4 Master of Pwn points.
Thursday, January 22 – 1300
PHP Hooligans / Midnight Blue (@midnightbluelab) targeting Autel MaxiCharger AC Elite Home 40A EV Charger in the Level 2 Electric Vehicle Chargers category with the Charging Connector Protocol/Signal Manipulation add-on for a total of $50,000 and 5 Master of Pwn points.
Thursday, January 22 – 1330
Donggeon Kim (@gbdngb12), Hoon Nam (@pwnstar96), Jaeho Jeong (@jeongZero), Sangsoo Jeong (@sangs00Jeong) and Wonyoung Jung (@nonetype_pwn) of 78ResearchLab targeting Kenwood DNR1007XR in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Kazuki Furukawa (@_N4NU_) of GMO Cybersecurity by Ierae targeting Alpine iLX-F511 in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Hyeongseok Lee (@fluorite_pwn), Yunje Shin (@YunjeShin), Chaeeul Hyun (@yskm_Gunter), Ingyu Yang (@Mafty5275), Hoseok Kang (@clay419), Seungyeon Park (@vvsy46), and Wonjun Choi (@won6_choi) of BoB::Takedown targeting Grizzl-E Smart 40A in the Level 2 Electric Vehicle Chargers category for a total of $40,000 and 4 Master of Pwn points.
Thursday, January 22 – 1430
Autocrypt (Hoyong Jin, Jaewoo Jeong, Chanhyeok Jung, Minsoo Son, and Kisang Choi) targeting Autel MaxiCharger AC Elite Home 40A EV Charger in the Level 2 Electric Vehicle Chargers category with the Charging Connector Protocol/Signal Manipulation add-on for a total of $50,000 and 5 Master of Pwn points.
Rob Blakely of Technical Debt Collectors targeting Automotive Grade Linux in the Operating System category for a total of $40,000 and 4 Master of Pwn points.
Tobias Scharnowski (@ScepticCtf), Felix Buchmann (@diff_fusion), and Kristian Covic (@SeTcbPrivilege) of Fuzzware.io targeting ChargePoint Home Flex (Model CPH50-K) in the Level 2 Electric Vehicle Chargers category with the Charging Connector Protocol/Signal Manipulation add-on for a total of $50,000 and 5 Master of Pwn points.
Thursday, January 22 – 1500
BoredPentester (@BoredPentester) targeting Kenwood DNR1007XR in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Slow Horses of Qrious Secure (@qriousec) targeting Alpine iLX-F511 in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Thursday, January 22 – 1600
Synacktiv (@synacktiv) targeting Autel MaxiCharger AC Elite Home 40A EV Charger in the Level 2 Electric Vehicle Chargers category with the Charging Connector Protocol/Signal Manipulation add-on for a total of $50,000 and 5 Master of Pwn points.
Bongeun Koo (@kiddo_pwn) and Evangelos Daravigkas (@freddo_1337) of Team DDOS targeting Phoenix Contact CHARX SEC-3150 in the Level 2 Electric Vehicle Chargers category with the Charging Connector Protocol/Signal Manipulation add-on for a total of $50,000 and 5 Master of Pwn points.
Thursday, January 22 – 1630
PetoWorks (@petoworks) targeting Alpine iLX-F511 in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) targeting ChargePoint Home Flex (Model CPH50-K) in the Level 2 Electric Vehicle Chargers category with the Charging Connector Protocol/Signal Manipulation add-on for a total of $50,000 and 5 Master of Pwn points.
Thursday, January 22 – 1700
Tobias Scharnowski (@ScepticCtf), Felix Buchmann (@diff_fusion), and Kristian Covic (@SeTcbPrivilege) of Fuzzware.io targeting Grizzl-E Smart 40A in the Level 2 Electric Vehicle Chargers category with the Charging Connector Protocol/Signal Manipulation add-on for a total of $50,000 and 5 Master of Pwn points.
Thursday, January 22 – 1800
PetoWorks (@petoworks) targeting Kenwood DNR1007XR in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Hyeongseok Lee (@fluorite_pwn), Yunje Shin (@YunjeShin), Chaeeul Hyun (@yskm_Gunter), Ingyu Yang (@Mafty5275), Hoseok Kang (@clay419), Seungyeon Park (@vvsy46), and Wonjun Choi (@won6_choi) of BoB::Takedown targeting Phoenix Contact CHARX SEC-3150 in the Level 2 Electric Vehicle Chargers category for a total of $40,000 and 4 Master of Pwn points.
Thursday, January 22 – 1830
Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) targeting Alpine iLX-F511 in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Hyeonjun Lee (@gul9ul), Younghun Kwon (@d0kk2bi), Hyeokjong Yun (@dig06161), Dohwan Kim (@neko__hat), Hanryeol Park (@hanR0724), Hyojin Lee (@meixploit), Jinyeong Yoon, and Youngmin Cho (@ZIEN0621) of ZIEN, Inc. targeting ChargePoint Home Flex (Model CPH50-K) in the Level 2 Electric Vehicle Chargers category for a total of $40,000 and 4 Master of Pwn points.
Evan Grant (@stargravy) targeting Grizzl-E Smart 40A in the Level 2 Electric Vehicle Chargers category with the Charging Connector Protocol/Signal Manipulation add-on for a total of $50,000 and 5 Master of Pwn points.
Team MST targeting Kenwood DNR1007XR in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Viettel Cyber Security (@vcslab) targeting Sony XAV-9500ES in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Tobias Scharnowski (@ScepticCtf), Felix Buchmann (@diff_fusion), and Kristian Covic (@SeTcbPrivilege) of Fuzzware.io targeting Alpine iLX-F511 in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Slow Horses of Qrious Secure (@qriousec) targeting Grizzl-E Smart 40A in the Level 2 Electric Vehicle Chargers category for a total of $40,000 and 4 Master of Pwn points.
Friday, January 23 – 1200
Slow Horses of Qrious Secure (@qriousec) targeting Kenwood DNR1007XR in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Bongeun Koo (@kiddo_pwn) and Evangelos Daravigkas (@freddo_1337) of Team DDOS targeting Alpine iLX-F511 in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
PetoWorks (@petoworks) targeting Grizzl-E Smart 40A in the Level 2 Electric Vehicle Chargers category with the Charging Connector Protocol/Signal Manipulation add-on for a total of $50,000 and 5 Master of Pwn points.
Friday, January 23 – 1300
Aapo Oksman, Elias Ikkelä-Koski and Mikael Kantola of Juurin Oy targeting the Alpitronic HYC50 - Lab Mode in the Level 3 Electric Vehicle Chargers category for a total of $40,000 and 4 Master of Pwn points.
Friday, January 23 – 1330
Nguyen Thanh Dat (@rewhiles) from Viettel Cyber Security (@vcslab) targeting Kenwood DNR1007XR in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Autocrypt (Hoyong Jin, Jaewoo Jeong, Chanhyeok Jung, Minsoo Son, Kisang Choi) targeting Alpine iLX-F511 in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Friday, January 23 – 1500
Elias Ikkelä-Koski and Aapo Oksman of Juurin Oy targeting Kenwood DNR1007XR in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
Ryo Kato (@Pwn4S0n1c) targeting the Autel MaxiCharger AC Elite Home 40A EV Charger in the Level 2 Electric Vehicle Chargers category for a total of $40,000 and 4 Master of Pwn points.
Nam Ha Bach and Vu Tien Hoa from FPT NightWolf Team targeting Alpine iLX-F511 in the In-Vehicle Infotainment (IVI) category for a total of $20,000 and 2 Master of Pwn points.
The Results
Follow the action live! We’ll be posting real-time updates and results throughout the competition on our blog and across social media. Stay up to date by following us on Twitter, Mastodon, LinkedIn, and Bluesky, and join the conversation using #Pwn2Own Automotive and #P2OAuto for continuous coverage.
I may be in Tokyo preparing for Pwn2Own Automotive, but that doesn’t stop patch Tuesday from coming. Put aside your broken New Year’s resolutions for just a moment as we review the latest security patches from Adobe and Microsoft. If you’d rather watch the full video recap covering the entire release, you can check it out here:
Adobe Patches for January 2026For January, Adobe released 11
I may be in Tokyo preparing for Pwn2Own Automotive, but that doesn’t stop patch Tuesday from coming. Put aside your broken New Year’s resolutions for just a moment as we review the latest security patches from Adobe and Microsoft. If you’d rather watch the full video recap covering the entire release, you can check it out here:
Adobe Patches for January 2026
For January, Adobe released 11 bulletins addressing 25 unique CVEs in Adobe Dreamweaver, InDesign, Illustrator, InCopy, Bridge, Substance 3D Modeler, Substance 3D Stager, Substance 3D Painter, Substance 3D Sampler, Substance 3D Designer, and ColdFusion. The patch for ColdFusion fixes a single code execution bug, but the update is listed as Priority 1. It isn’t publicly known or under active attack, though. The fix for Dreamweaver corrects five Critical-rated code execution bugs. The update for InDesign also has five CVEs, but only four are rated Critical. The Substance 3D Modeler patch contains six fixes total, but only two are for arbitrary code execution.
The patch for Substance 3D Stager fixes a single, Critical-rated code execution bug. That’s the same story for Substance 3D Painter, Adobe Bridge, and InCopy. The patch for Substance 3D Sampler is a bit odd. It states that it was released in August but updated today. The CVE is from 2026, so this may just be a clerical error. The patch for Substance 3D Designer fixes a single Important-severity memory leak. Finally, the fix for Illustrator includes one Critical-rated and one Important-severity bug.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Besides the fix for ColdFusion, all of the updates released by Adobe this month are listed as deployment priority 3.
Microsoft Patches for January 2026
Microsoft kicks off the new year with a bang, dropping 112 new CVEs in Windows and Windows components, Office and Office Components, Azure, Microsoft Edge (Chromium-based), SharePoint Server, SQL Server, SMB Server, and Windows Management Services.
One of these bugs came through the ZDI program. Of the patches released today, eight are rated Critical while the rest are rated Important in severity. Counting the third-party Chromium updates listed in the release, it brings to total number of CVEs to 114.
It’s not uncommon to see a large release in January. I suspect vendors hold off on certain updates through the holiday season to prevent disruptions should patches fail or cause application compatibility issues. This results in a large January release. Last year was Microsoft’s second busiest in terms of CVEs released. We’ll see if they top that in 2026.
Microsoft lists one bug under active attack, but two others as publicly known at the time of the release (although I think that number should be three). Let’s take a closer look at some of the more interesting updates for this month, starting with the bug under active attack:
- CVE-2026-20805 - Desktop Window Manager Information Disclosure Vulnerability It’s a bit unusual to see an information disclosure bug exploited in the wild, but that’s what we have here. This bug allows an attacker to leak a section address from a remote ALPC port. Presumably, threat actors would then use the address in the next stage of their exploit chain – probably gaining arbitrary code execution. This shows how memory leaks can be as important as code execution bugs since they make the RCEs reliable. As always, Microsoft offers no indication of how widespread these exploits may be, but considering the source, they are likely limited.
- CVE-2026-21265 - Secure Boot Certificate Expiration Security Feature Bypass Vulnerability While unlikely to be exploited, this bug could cause quite a bit of headaches for administrators. You will need to update the expiring certificates to continue receiving security updates or trusting new boot loaders. Again, the chances this CVE gets exploited are low. However, the chance this CVE gets ignored and devices using Secure Boot don’t receive patches is quite high. Also, this is listed as publicly known, but that just means Microsoft published information about this months ago.
- CVE-2026-20952/202953 - Microsoft Office Remote Code Execution Vulnerability Another month with Preview Pane exploit vectors in an Office bug. While we are still unaware of any exploitation of these bugs, they keep adding up. It’s only a matter of time until threat actors find a way to use these types of bugs in their exploits. If you are concerned about these, you can take the extra precaution of disabling the Preview Pane, which at least prevents exploitation without user interaction.
- CVE-2026-20876 – Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability VBS is a newer security feature in Windows, and Virtual Trust Levels (VTL) serve as different privilege levels. VTL2 is currently the highest privileged level, and this bug allows attackers to escalate to VTL2. Microsoft doesn’t say if you need to be at VTL0 or VTL1 to exploit this bug. As far as I can recall, this is the first VTL escalation bug patched within VBS. Microsoft lists this as CVSS 6.7, but I believe this is a scope change since you’re traversing VTL levels. Taking that into consideration makes the CVSS score 8.2 (High).
Here’s the full list of CVEs released by Microsoft for January 2026:
Chromium: CVE-2026-0628 Insufficient policy
enforcement in WebView tag
High
N/A
No
No
SFB
* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.
† Indicates further administrative actions are required to fully address the vulnerability.
Moving on to the other Critical-rated bugs in this month’s release, there are a couple of odd Excel vulns receiving patches. Initially, I though the Preview Pane would be involved, but it isn’t. In fact, it’s not clear what makes these Critical at all. That’s not true for the Word bug, where the Preview Pane is an attack vector. The bug in LSASS allows for code execution over a network, but you need to be authenticated. The final Critical bug is a privilege escalation involving GPU paravirtualization and could lead to local users executing code as SYSTEM. For some reason, I feel like we have just scratched the surface with GPU-related bugs.
Taking a look at the other code execution vulnerabilities in this month’s release, there’s the standard open-and-own bugs in Word and Excel. The SharePoint bugs require authentication, but almost every authenticated user will have the needed permissions. There is an interesting SharePoint bug reported by former ZDI analyst Piotr Bazydło. This one doesn’t require authentication but does require user interaction such as importing a malicious WSDL or opening a file. The bug in WSUS looks frightening, but it requires a machine-in-the-middle (MiTM) to exploit the issue. The two bugs in NTFS require authentication. The vuln in Azure Core requires an attacker to change a valid token to be malicious, which requires “developer-type authentication” – whatever that means.
The final code execution bug for January requires extra steps for remediation. Microsoft is removing the hands-free deployment feature of Windows Deployment Services. This means you will need to audit your enterprise to find systems configured with hands-free deployments. From there, you’ll need to opt if for protection in the immediate future. You’ll also need to have a plan to migrate these systems to something other than hands free prior to Microsoft removing the feature in mid-2026.
Elevation of Privilege (EoP) bugs make up the vast majority of this release, but most simply lead to local attackers executing their code at SYSTEM-level privileges or administrative privileges. There are also quite a few bugs that allow attackers to move from Low to Medium integrity to escape AppContainer isolation. These bugs are mostly in the Windows Management Services. There is one bug that leads to “Kernel Memory Access” – whatever that means. There’s another bug that leads to change VTL levels, but this one only gets you VTL1 access. The bug in the Windows Admin Center (WAC) is interesting as it could allow attackers to gain local admin privileges on targeted WAC-managed machines within a tenant. This gives the attacker the ability to interact with other tenant’s applications and content. The bug in WalletService only leads to the privileges of the compromised user. That’s the same for the File Explorer bug. The bug in SQL Server allows an attacker to gain debugging privileges, including the ability to dump memory. As always, SQL admins will need to take extra steps for full remediation of this issue. The final EoP is actually from 2024. Microsoft doesn’t list this as public, but I do. There have already been press articles describing this vulnerability. The bug is in the Motorola Soft Modem drivers, which ship be default on supported Windows OS systems. It’s a deprecated piece of gear, so rather than fix the driver, Microsoft is simply removing the driver completely.
There are a couple of additional security feature bypass bugs to discuss. The first is in Excel, and it could allow attackers to bypass macro protections. It also requires some user interaction, so it’s not just an open-and-own bug. The bug in Remote Assistance allows attacker to evade Mark of the Web (MotW) protections.
There are quite a few information disclosure bug receiving fixes this month. Many only result in info leaks consisting of unspecified memory contents or memory addresses, but there are multiple exceptions. The bug in CamSvc discloses the ever popular “sensitive information”. Another CamSvc bug discloses the memory of the Capability Access Manager service. There are a couple of bugs that allow someone in VTL0 to view VTL1 data – again, a first as far as I know. Windows File Explorer has a few bugs that could disclose an address outside of a sandbox. That would certainly be useful for sandbox escapes. The bug in Kerberos doesn’t sound all that exciting, but it requires additional steps after installing the patch. The bug in TPM allows attacker to disclose “secrets or privileged information belonging to the user of the affected application.” The vulnerability in the Dynamic Root of Trust for Measurement (DRTM) component discloses cryptographic secrets. The Hyper-V bug is fascinating as it allows attackers to disclose data from a Guest VM to Hyper-V host server, bypassing the virtualization security boundary. Finally, the SharePoint info disclosure is interesting as it allows the exposure of data returned from outbound requests SharePoint makes on the attacker’s behalf. It’s like the attacker can use an affected system to perform reconnaissance on their behalf.
The January release contains five fixes for spoofing bugs, although some of the descriptions about the bugs themselves are quite obtuse. We can say the bug in SharePoint is a cross-site scripting (XSS) bug. Two of the bugs simply state that they allow spoofing over a network. The bugs in NTLM Hash Disclosure are least list the fact that user interaction is required.
Speaking of unclear descriptions, there are three bugs with the ever-ineffable Tampering impact. Two are in Windows Hello and allow “an unauthorized attacker to perform tampering locally.” That likely means they can abuse the Hello component to bypass it, but that’s not clearly stated. Similarly, the LDAP bug just states it could allow tampering over a network.
Finally, there are two denial-of-service bugs in SMB and LSASS. However, Microsoft provides no real information about these bugs, just that an attacker could use them to deny service over a network. At least they note the SMB bug requires authentication.
No new advisories are being released this month.
Looking Ahead
Assuming I survive Pwn2Own automotive and haven’t transformed into a giant piece of sushi, I’ll be back for the February release on the 10th. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!
As we ramp up to the premier automotive and charging station hacking competition, Pwn2Own Automotive 2026 in Tokyo, the Trend Micro Zero Day Initiative (ZDI) is providing a preliminary look at one of the main targets: the Alpitronic HYC50 High-Power Charger.The HYC50 series represents the leading edge of fast-charging infrastructure, blending complex high-voltage power electronics with a robust, networked digital control system. For Pwn2Own contestants, the digital attack surface is often the mo
As we ramp up to the premier automotive and charging station hacking competition, Pwn2Own Automotive 2026 in Tokyo, the Trend Micro Zero Day Initiative (ZDI) is providing a preliminary look at one of the main targets: the Alpitronic HYC50 High-Power Charger.
The HYC50 series represents the leading edge of fast-charging infrastructure, blending complex high-voltage power electronics with a robust, networked digital control system. For Pwn2Own contestants, the digital attack surface is often the most accessible path to a top-tier bounty. This post serves as a hardware identification primer, guiding researchers through the core components that make up the device's control and low-voltage sections.
This is strictly a hardware reconnaissance report. We encourage all participants to begin their deep-dive analysis ahead of the contest.
Section 1: The Development Hardware Enclosure
Participants in Pwn2Own Automotive 2026 will be provided with a modified hardware setup to simplify the research process. This setup isolates the low-voltage control and digital boards from the high-voltage power stack, allowing for safer and more focused analysis.
The following image shows the custom enclosure housing the core digital and communication components extracted from the larger HYC50 unit.
The low-voltage control and digital stack mounted in the custom development case. Note the external power inputs and clearly labeled network ports for easy connectivity.
This case contains the primary application processor, communication interfaces (Ethernet, CAN), and critical memory components that govern the charger's operation, payment, and network connectivity. Additionally, you will find the touchscreen and NFC interfaces readily accessible on the front of the case.
Section 2: Core Digital Control Board (DCB)
The central brain of the Alpitronic HYC50 is the main digital control board. This PCB is responsible for managing the charger's state machine, handling OCPP (Open Charge Point Protocol) communication, managing user authentication, and orchestrating the power modules. The main application processor and its memoires reside on a customized System On a Module (SOM) that attaches to the main board via a 200 pin SO-DIMM header. We’ll discuss the SOM specifically in the next section.
Top of the main Digital Control Board (DCB)
Bottom of the main Digital Control Board (DCB)
The DCB features several key components of interest to security researchers:
Component
Functionality
and additional information
Power Line Communication Controller (PLC)
Two
PLC units provide communication to the vehicle.The RED Beet E 1.1 devices are utilized for
this purpose.These are alternately
known as SECC (Supply Equipment Communication
Controllers).
Ethernet Interfaces
Two
RJ45 Ethernet interfaces reside on the board.As these are located near a maintenance access hatch on the enclosure,
the interfaces are intended to be used by installers and technicians to
access the management interface of the charger.
Local MPU
An
STM32G0B1 is utilized on the DCB, likely for real time control of the
charging process. Note the possible JTAG header footprint nearby in the
pictures below.
SOM
The
main processor subsystem is located on a 208 pin SO-DIMM that can be plugged
into the DCB.
Connectors Near SOM
The
high-density connectors near the SOM interface the other boards of the
system.This includes the touch screen
LCD and the SIM card communications board.
SOM Console Header
There
is a 4-pin unpopulated header on the DCB near the SOM socket.Silkscreen reads “CON_SOM_UART”, suggesting
a console port.Its operational status
is unknown.
Close-up of the PLC controller
Ethernet interfaces for accessing the management interface
The SOM residing on the DCB along with the LCD and COMM board interfaces. Note the 4-pin header marked “CON_SOM_UART” in the upper left corner of the picture.
The local MPU (STM32G0B1) and possible test ports (missing conformal coating)
Section 3: SOM
The main processing components of the charger reside on a 208-pin module that is plugged into the DCB. The module is custom, however it is heavily based on the VAR-SOM-6UL design produced by Variscite. It is a variant that contains an eMMC device but appears to be lacking the Wi-Fi devices that a standard VAR-SOM-6UL is advertised with. That’s not surprising because the radio functions of the charger are handled by a separate board. Thus, it is very possible that this “custom” SOM is simply a cost-reduced version with some unneeded parts de-populated from the off-the-shelf version.
Top and Bottom views of the SOM (System On a Module)
The custom SOM features several key components of interest to security researchers:
Component
Functionality
and additional information
Main SoC/CPU
The
primary processor, an i.MX6 (MCIMX6G2AVM07 AB). This runs the operating
system (likely embedded Linux or a RTOS) and the core application code.
DRAM/RAM
Soldered
DDR memory adjacent to the
i.MX6 on the top side.Part number
reads K4B4G1646E-BMMA, which translates to a 512MB DDR3L device.
Flash Memory
A
surface-mounted eMMC Flash
chip sits on the back side of the SOM. Part number reads SDINBDG4-8G-XI1 and
is thus an 8GB device.
Main top side components. i.MX6 and DDR memory
Main bottom side component. SanDisk eMMC memory
Section 4: Communication Board (COMM)
The HYC50 relies on several interfaces for communication, and much of that capability is housed on the COMM board attached to the door of the enclosure. This board is connected to the DCB through the single large connector. There appear to be two 4G LTE radios and they share the same antenna. Two SIM card slots exist, possibly to support those radios. There’s a third radio module that’s likely providing the Wi-Fi and Bluetooth functions on its separate antenna. Thereis also a USB port, but it is not accessible from the outside of the enclosure. Finally, this board appears to interface to the screen’s touch function while the display appears to fed by the DCB directly. In addition to the board pictures, a picture of its arrangement in the charger’s enclosure will be included for clarity.
Top side of the communication board (COMM) showing two 4G LTE controllers
Bottom side of the COMM board
HYC50 enclosure door layout
The COMM board features several key components of interest to security researchers:
Component
Functionality
and additional information
4G LTE Radios
Two
QUECTEL EG915U-EU sharing an antenna.There are two SIM card slots as well.
Wi-Fi/BT Radio
Likely
an ESP32-WROOM or ESP32-WROVER, based on the QR code shown and its package
and pin count.
NFC board Interface
NFC
board interfaces to the COMM board
USB Port
A
type A USB port on the board. Not exposed outside the enclosure. Function
unknown.
The 4G LTE module (lower left) and the Wi-Fi/BT module (upper right)
Section 5: Additional Observations
1) The HYC50 is a mature product with documentation available online. Do not neglect to search for documents that might assist your effort. Installation and operational manuals exist in various locations.
2) If you are one of the few who were approved to receive a development case for research, please be aware that these are custom, hand-built, experimental devices. Before powering up, look/listen for any fasteners that may have come loose during shipping. Correct those before applying power to the unit to avoid damage.
Conclusion
The Alpitronic HYC50 offers a rich and complex target for Pwn2Own researchers. This preliminary look identifies the core digital components, memory, and — crucially — the physical debug and manufacturing interfaces that may be leveraged for the contest.
We look forward to seeing the innovative research that will be brought to bear on the HYC50 at Pwn2Own Automotive 2026. Happy hunting, and may the bounty be ever in your favor!
In our previous Kenwood DNR1007XR blog, we detailed the internals of the Kenwood in-vehicle infotainment (IVI) head unit and provided annotated pictures of the main PCB. In this post, we aim to outline the attack surface of the DNR1007XR in the hopes of providing inspiration for vulnerability research.We will cover the main supported technologies that present potential attack surfaces, such as USB, Bluetooth, Android Auto, Apple CarPlay, Kenwood apps, and more.All information has been obtained t
In our previous Kenwood DNR1007XR blog, we detailed the internals of the Kenwood in-vehicle infotainment (IVI) head unit and provided annotated pictures of the main PCB. In this post, we aim to outline the attack surface of the DNR1007XR in the hopes of providing inspiration for vulnerability research.
We will cover the main supported technologies that present potential attack surfaces, such as USB, Bluetooth, Android Auto, Apple CarPlay, Kenwood apps, and more.
All information has been obtained through reverse engineering, experimenting, and combing through the following resources:
The DNR1007XR is equipped with a single USB-A port that operates at USB 2.0 speeds, providing the necessary interface for wired Android Auto and Apple CarPlay.
The USB port also supports playback of audio files from a USB flash drive. The supported audio filetypes and their associated extensions are:
Robustly parsing and decoding these file formats is notoriously complicated and error-prone, which makes for a potentially rewarding attack surface.
USB flash drives must be formatted as either FAT16, FAT32, exFAT, or NTFS for the head unit to be able to read them.
SD Card
A full-sized SD card slot is tucked away behind the screen and is used for audio/video playback as well as updating map data. As previously mentioned, a large attack surface is exposed when parsing audio and video files. Map updates are likely a good research target, too.
SD cards must be formatted as either FAT16, FAT32, exFAT, or NTFS for the head unit to be able to read them.
Bluetooth
Bluetooth version 5 is supported by the head unit and is used for making and receiving phone calls, as well as playing audio from a paired mobile phone. The following Bluetooth profiles are officially documented in the user manual:
· Hands Free Profile v1.7 · Serial Port Profile · Phonebook Access Profile · Audio/Video Remote Control Profile (AVRCP) v1.6 · Advanced Audio Distribution Profile (A2DP) o Supporting codecs: SBC, AAC, or LDAC
Android Auto, Apple CarPlay, and the Kenwood apps also utilise Bluetooth in varying capacities.
Interrogating the unit shows a few more Bluetooth services that are not documented; these could be a great area to research. Judging by the service names, they may all be related to Kenwood apps.
Service Name: App0
Service RecHandle: 0x10003
Service Class ID List:
UUID 128: 00001101-0000-1000-8000-00805f9b34fb
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 2
Service Name: App1
Service RecHandle: 0x10004
Service Class ID List:
UUID 128: 00000000-deca-fade-deca-deafdecacaff
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 3
Service Name: App2
Service RecHandle: 0x10005
Service Class ID List:
UUID 128: 4de17a00-52cb-11e6-bdf4-0800200c9a66
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 4
Service Name: App3
Service RecHandle: 0x10006
Service Class ID List:
UUID 128: 4de17a00-52cb-11e6-bdf4-0800200c9a66
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 5
Service Name: App4
Service RecHandle: 0x10007
Service Class ID List:
UUID 128: 4de17a00-52cb-11e6-bdf4-0800200c9a66
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 6
Service Name: App5
Service RecHandle: 0x10008
Service Class ID List:
UUID 128: 4de17a00-52cb-11e6-bdf4-0800200c9a66
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 7
Wi-Fi
The head unit provides a WiFi access point that is primarily used for wireless Android Auto and Apple CarPlay. There is no intention for the end user to directly connect to this network and there is no officially documented way of acquiring the password. However, internal research has discovered multiple methods to obtain the password.
Once connected to the access point, the following ports are open:
TCP 22 is an SSH server and can be logged into. As per the competition rules, "If the entry leverages hardcoded credentials and/or exposed encryption keys, the entry must leverage an additional vulnerability to gain code execution to be in scope."
TCP 7000, 8086, and 8888 are all running non-standard services and are likely great places to research further.
Android Auto and Apple CarPlay
Both wired and wireless Android Auto and Apple CarPlay are supported without the need for a 3rd party app to be installed on the paired mobile phone. When using the wireless versions, the paired phone connects to the aforementioned secured WiFi network to establish a high-bandwidth channel for data to be sent and received.
When connecting using a USB cable, the WiFi network isn't used by Android Auto or Apple CarPlay, but it is still active.
Kenwood
Kenwood offers 2 Android/iOS apps to interface with the DNR1007XR. The first app is the Kenwood Portal App, which allows users to transfer photos from a mobile phone to the head unit over Bluetooth. The transferred photos can then be viewed as a slideshow on the head unit or be used as the wallpaper.
This presents an interesting attack surface, especially if the DNR1007XR itself performs any complex image handling tasks on the received images, such as resizing or converting between different image formats. The user-supplied images also need to be persisted to the head unit's filesystem, further expanding the attack surface.
The second app is the Kenwood Remote S app, which connects to the head unit over Bluetooth and allows for multimedia control such as selecting a radio station, skipping a track, and more. The Bluetooth Audio/Video Remote Control Profile (AVRCP) is designed for this exact task; however, no research was performed to confirm if the Remote S app takes advantage of AVRCP.
There are a few other Kenwood apps available, but they are not listed as supported on the DNR1007XR product page and therefore have not been explored.
Open Source Software
A list of open source licences can be viewed from the head unit by navigating to Settings -> System -> Open Source Licenses. There's no guarantee these open source projects are actually used by the unit.
Summary
We hope that this blog post has provided enough information about the DNR1007XR threat landscape to guide vulnerability research. Not every attack surface has been mentioned, and we encourage researchers to investigate further.
We are looking forward to Automotive Pwn2Own again in Tokyo in January 2026 at Automotive World, and we will see if IVI vendors have improved their product security. Don’t wait until the last minute to ask questions and register! We hope to see you there.
For the upcoming Pwn2Own Automotive contest, a total of 3 head units have been selected. One of these is the double DIN Kenwood DNR1007XR that offers a variety of functionality such as Android Auto, Apple CarPlay, USB media playback, wireless mirroring and more. This blog post presents photos of the DNR1007XR including highlighting interesting internal components. A hidden debugging interface is also detailed which can be leveraged to obtain a shell.
For the upcoming Pwn2Own Automotive contest, a total of 3 head units have been selected. One of these is the double DIN Kenwood DNR1007XR that offers a variety of functionality such as Android Auto, Apple CarPlay, USB media playback, wireless mirroring and more.
This blog post presents photos of the DNR1007XR including highlighting interesting internal components. A hidden debugging interface is also detailed which can be leveraged to obtain a shell.
Figure 1: Kenwood DNR1007XR
External
Tucked away behind the screen is a full-sized SD card slot that can be accessed by tilting the screen downwards. The SD card is used to play audio/video files as well as updating map data. This seems like an attack surface worth researching.
Figure 2: SD card slot
There's also a single USB port routed from the back of the unit that is used for:
· Wired Android Auto · Wired Apple CarPlay · Audio playback · Video playback
Internal
Moving on to the internals, the DNR1007XR comprises multiple interconnected boards, with the most interesting board being located at the top of the unit. Removing a few screws and metal plates gives access to this board, which contains the main processor, eMMC, flash, and a Bluetooth / WiFi radio module.
Figure 3: Main board
Towards the center is the main Dolphin+ TCC8034 System on a Chip (SoC), which is marketed as an “IVI and Cluster solution” that supports running Android, Linux, and QNX. The SoC contains two 32-bit ARM cores and is running Linux. Last year's Kenwood target utilized a similar TCC8974 SoC; more information can be found here.
Figure 4: Dolphin+ TCC8034 SoC
Further to the right is a Kioxia THGBMJG7C2LBAU8 16GB eMMC chip which contains the main device firmware.
Figure 5: Kioxia eMMC
Below the eMMC chip and to the left is a Winbond 25Q256JVFM 256Mb serial flash chip that contains unknown data.
Figure 6: Winbond flash
Finally, to the left of the SoC is a Murata radio that handles Wi-Fi and Bluetooth operations. Searching around for the exact model number that's etched onto the radio's shielding doesn't return much information but the FCC documents for the DNR1007XR state that this is the Murata LBEE6ZZ1WD-334. This module has no public datasheet available and isn't listed on Murata's site.
Figure 7: Murata radio
Debug Connector
On the right edge of the main board is a suspicious-looking connector that lines up with a thin gap in the outer housing. This connector exposes a Linux login prompt over UART at 115200bps. Logging in with the correct credentials will spawn a shell.
Figure 8: Debug connector
Summary
Hopefully, this blog post provides enough information to kickstart vulnerability research against the DNR1007XR. Keep an eye out for another blog coming this Friday that covers the threat landscape of the DNR1007XR.
We are looking forward to Automotive Pwn2Own again in January 2026, and we will see if IVI vendors have improved their product security. We hope to see you there.
Until then, you can find me on Twitter @ByteInsight, and follow the team on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.
It’s the final patch Tuesday of 2025, but that doesn’t make it any less exciting. Put aside your holiday planning for just a moment as we review the latest security offering from Adobe and Microsoft. If you’d rather watch the full video recap covering the entire release, you can check it out here:
Adobe Patches for December 2025For December, Adobe released five bulletins addressing 139 u
It’s the final patch Tuesday of 2025, but that doesn’t make it any less exciting. Put aside your holiday planning for just a moment as we review the latest security offering from Adobe and Microsoft. If you’d rather watch the full video recap covering the entire release, you can check it out here:
Adobe Patches for December 2025
For December, Adobe released five bulletins addressing 139 unique CVEs in Adobe Reader, ColdFusion, Experience Manager, Creative Cloud Desktop, and the Adobe DNG Software Development Kit (SDK). Don’t panic at that large of a CVE count. Most of those are simple cross-site scripting (XSS) bugs in Adobe Experience Manager. There are a few Critical-rated DOM-based XSS bugs in the mix, so don’t ignore this patch by any means – just don’t panic at the large number of CVEs. I wouldn’t panic over the update for ColdFusion either, but Adobe does set the deployment priority for this fix as 1. They note there are no known active attacks for the CVEs, but there are several arbitrary code execution bugs being fixed. Also, if you’re running ColdFusion, make sure you check out one of their lockdown guides. The one for ColdFusion 2025 can be found here.
The update for Adobe Reader is smaller than expected, with only two of the four CVEs addressed leading to code execution. Not that I’m complaining – I just expected more. The patch for the Adobe DNG Software Development Kit also fixes four CVEs, with one of those leading to code execution. Finally, the update for Creative Cloud Desktop fixes a single Important-rated bug.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Besides the fix for ColdFusion, all of the updates released by Adobe this month are listed as deployment priority 3.
Microsoft Patches for December 2025
Microsoft ends the year by releasing a paltry 56 new CVEs in Windows and Windows components, Office and Office Components, Microsoft Edge (Chromium-based), Exchange Server, Azure, Copilot, PowerShell, and Windows Defender. One of these bugs came through the ZDI program. Of the patches released today, three are rated Critical while the rest are rated Important in severity. Counting the third-party Chromium updates listed in the release, it brings to total number of CVEs to 70.
Counting the CVEs released today, that being Microsoft’s total count to 1,139 CVEs patched in 2025. Again, this is not counting the numerous updates for Azure Linux and CBL Mariner released earlier this month as these should be considered Linux CVEs being applied to Azure properties. That makes 2025 the second-largest year in volume, trailing 2020 by a mere 111 CVEs. AS Microsoft’s portfolio continues to increase and as AI bugs become more prevalent, this number is likely to go higher in 2026.
Microsoft lists one bug under active attack, but two others as publicly known at the time of the release. Let’s take a closer look at some of the more interesting updates for this month, starting with the bug under active attack:
- CVE-2025-62221 - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability This is the only bug listed as under active attack for this month, and – at least on the surface – looks similar to a bug patched in October. However, the bug back in October was a race condition where this is a Use After Free (UAF). It allows an attacker to perform a privilege escalation on an affected system. These types of bugs are often combined with a code execution bug to take over a system. It appears to affect every supported version of Windows, so if you must prioritize, this should be on the top of your list.
- CVE-2025-62554/62557 - Microsoft Office Remote Code Execution Vulnerability Here we are again, looking at two Office bugs where the Preview Pane is an attack vector. For those counting (like me), that makes 11 months in a row with a Critical-rated Office bug, including the Preview Pane as an attack vector. If you’re a Mac user, you are out of luck, as updates for Office LTSC for Mac 2021 and 2024 are not available. Let’s hope Microsoft gets those out before exploitation begins.
- CVE-2025-62562 - Microsoft Outlook Remote Code Execution Vulnerability At first glance, I thought this was another Preview Pane issue, but it isn’t. In fact, this is only rated Critical for SharePoint Enterprise Server 2016 – it’s rated Important for everything else. However, the CVSS is the same (7.8) for all affected platforms. For this bug, the attacker would need to convince a user to reply to a specially crafted email. It’s not clear why this is worse on SharePoint 2016, but if you are running this version in your enterprise, don’t skip this update.
- CVE-2025-64671 - GitHub Copilot for Jetbrains Remote Code Execution Vulnerability This is the bug listed as publicly known, and it’s a command injection bug in Copilot that allows an unauthorized user to execute their code on an affected system. It’s listed as local, but it’s likely that a remote attacker could socially engineer someone to trigger the command injection. By exploiting a malicious cross-prompt injection in untrusted files or Model Context Protocol (MCP) servers, an attacker could piggyback extra commands onto those permitted by the user’s terminal auto-approve settings, causing them to be executed without further confirmation. I expect we’ll see many more bugs like these in 2026.
Here’s the full list of CVEs released by Microsoft for December 2025:
Chromium: CVE-2025-13640 Inappropriate
implementation in Passwords
Low
N/A
No
No
Info
* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.
† Indicates further administrative actions are required to fully address the vulnerability.
Since we’ve already covered all of the Critical-rated CVEs, let’s move straight into looking at the other code execution bugs patched in the December release. As expected, most are Office-related open-and-own bugs where the Preview Pane is not an attack vector. There’s also the now ubiquitous bug in the RRaS service. There’s a bug in the Windows Resilient File System (ReFS) resulting from a heap overflow that could be reached over the network, but authentication is required. That’s similar to the bug in Azure Monitor. According to Microsoft, “An attacker with local network access to an Azure Linux Virtual Machine running Azure Monitor could exploit a heap overflow to escalate privileges to the syslog user, enabling execution of arbitrary commands.” The fix for the PowerShell bug is the other publicly known vulnerability this month and will require more than just a patch. The bug itself is a simple command injection, but after applying the update, when you use the Invoke-WebRequest command, you’ll receive a security warning message. You’ll also likely need to reboot after installing the patch, so make sure you complete that to fully address the vulnerability.
Moving on to the privilege escalation bugs receiving patches this month, most simply lead to SYSTEM-level code execution or administrative privileges if an authenticated user runs specially crafted code. The bug in Windows Shell could lead to elevating levels of code execution integrity – moving from Low to Medium integrity to escape AppContainer isolation. The vulnerability in RRAS requires an authenticated and domain-joined user, but it could allow an attacker to execute code on a target system. There’s an odd bug in the Brokering File System that’s listed as Elevation of Privilege, but it reads as a Denial of Service (DoS). A standard user could crash a system through a UAF. That sure does sound like a local DoS to me. Finally, there’s a bug in Exchange server that was reported by the National Security Agency (NSA). Microsoft says exploitation is unlikely, but NSA. It does seem like a fair amount of preparation is needed to exploit this bug, but NSA. Also, updates for Exchange Server 2016 and 2019 are not available as they are out of support. If you’re still using those you need to upgrade to the Extended Security Update (ESU) program.
Speaking of Exchange, there’s also a spoofing bug in the server that allows attackers to spoof the “From” email address displayed to the user. This bug was not reported by the NSA, but still, the UI misrepresentation could be used by attackers to spoof critical information. Kudos to Microsoft for deciding to fix the issue. The other spoofing bug corrected this month is in SharePoint and manifests as a cross-site scripting (XSS) bug.
There are only four information disclosure bugs getting patched this month, and fortunately, all of these bugs only result in info leaks consisting of unspecified memory contents or memory addresses. The bug in Windows Defender also requires the attacker to be a part of a specific user group.
The December release contains fixes for three Denial-of-Service (DoS) bugs, and their descriptions mirror what we saw in the November release. While they all state that an attacker could deny service over a network (or locally) to that component, the two DirectX Graphics Kernel bugs state they could be used by a low-privilege Hyper-V guest to cause a DoS on the Hyper-V environment. It’s not clear how this would occur, but it if you’re running Hyper-V, don’t overlook these patches.
No new advisories are being released this month.
Looking Ahead
We start the patch process again in 2026 on January 13, and I’ll be back then with my analysis and thoughts about the release. Until then, merry christmahanakwanzika, stay safe, happy patching, and may all your reboots be smooth and clean!
I’ve made it through Pwn2Own Ireland, and while many are celebrated those who served their country in the armed services, patch Tuesday stops for no one. So affix your poppy accordingly, and let’s take a look at the latest security offerings from Adobe and Microsoft. If you’d rather watch the full video recap covering the entire release, you can check it out here:
Adobe Patches for Novem
I’ve made it through Pwn2Own Ireland, and while many are celebrated those who served their country in the armed services, patch Tuesday stops for no one. So affix your poppy accordingly, and let’s take a look at the latest security offerings from Adobe and Microsoft. If you’d rather watch the full video recap covering the entire release, you can check it out here:
Adobe Patches for November 2025
For November, Adobe released eight bulletins addressing 29 unique CVEs in Adobe InDesign, InCopy, Photoshop, Illustrator, Illustrator Mobile, Substance 3D Stager, Format Plugins, and Adobe Pass. Nine of these CVEs were reported by Trend ZDI researcher Michel DePlante. He discovered the bugs fixed by the patch for Adobe Format Plugins. If you must prioritize, the update for InDesign fixes four Critical-rated bugs. All could lead to arbitrary code execution. The fix for Illustrator for iPad also fixes five Critical-rated code execution bugs. However, the update for Illustrator only has two code execution CVEs. It’s interesting to see the difference between the mobile and desktop versions. The patch for Photoshop addresses a single code execution bug. There are four Critical-rated code execution bugs fixed by the Substance 3D Stager update. The patch for InCopy corrects three code execution bugs. The final patch from Adobe this month fixes a privilege escalation bug in Adobe Pass.
Overall, this month’s Adobe release is (thankfully) not that exciting. None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. All of the updates released by Adobe this month are listed as deployment priority 3.
Microsoft Patches for November 2025
This month, Microsoft took pity on patch managers around the world and released a mere 63 CVEs Windows and Windows Components, Office and Office Components, Microsoft Edge (Chromium-based), Azure Monitor Agent, Dynamics 365, Hyper-V, SQL Server, and the Windows Subsystem for Linux GUI. Of the patches released today, four are rated Critical and 59 are rated Important in severity. One of these CVEs came through the Trend ZDI program. Counting the third-party Chromium updates listed in the release, it brings to total number of CVEs to 68.
This release is a far cry from the 177 CVEs we saw last month, although I don’t think anyone will complain. That brings the total CVEs addressed by Microsoft so far this year to 1,084. This is not counting the numerous updates for Azure Linux and CBL Mariner released earlier this month, as these should be considered Linux CVEs being applied to Azure properties. This drop could also be due to the fact that this is the first month where Windows 10 is not receiving updates. We will see what December brings and how close we end up to the record total of CVEs set back in 2020.
Microsoft lists one bug under active attack, but none are publicly known at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the bug under active attack:
- CVE-2025-62215 - Windows Kernel Elevation of Privilege Vulnerability This is the bug currently under exploit, but Microsoft offers no indication of the extent of the exploitation. It’s also interesting to note there’s a race condition here, and it shows that some race conditions are more reliable than others. Bugs like these are often paired with a code execution bug by malware to completely take over a system. If you must prioritize, this should be at the top of your list.
- CVE-2025-62199 - Microsoft Office Remote Code Execution Vulnerability Another month – another Office bug where the Preview Pane is an attack vector. Interestingly, Microsoft notes user interaction is required despite the Preview Pane, so it’s not clear how this would be exploited. Maybe if a user previews an attachment? Still, at this point, it’s time to consider disabling the Preview Pane in Office until Microsoft clears these bugs up.
- CVE-2025-60709 - Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability While this bug is not under active attack and simply leads to executing code as SYSTEM, I highlight this bug as CLFS has been exploited multiple times over the last few years. I will admit that I may have some recency bias with this as I just saw a presentation at the Countermeasure conference in Ottawa discussing CLFS exploitation. Still, the presentation showed how CLFS has been recently abused by threat actors.
- CVE-2025-62222 - Agentic AI and Visual Studio Code Remote Code Execution Vulnerability While there have been a few bugs impacting CoPilot, this is the first bug specifically calling out Agentic AI with a code execution bug. Based on the description, exploitation of this vulnerability would not be trivial. However, with a little bit of social engineering, it could allow remote attackers to execute their code on a target GitHub repository. There are several bugs impacting CoPilot receiving patches this month, but this one stands out above the others. If you’re using Agentic AI, pay attention here, or you could find yourself dealing with something more than just AI hallucinations.
Here’s the full list of CVEs released by Microsoft for November 2025:
Chromium: CVE-2025-12729 Inappropriate
implementation in Omnibox
Medium
N/A
No
No
RCE
* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.
† Indicates further administrative actions are required to fully address the vulnerability.
Looking at the remaining Critical patches, the update for Nuance PowerScribe 360 stands out not for impact, but for servicing. To update to a non-affected version, you will need to either contact your Customer Success Manager (CSM) or Technical Support for the latest version. So much for “just patch”. There’s an elevation of privilege (EoP) in DirectX that could lead to SYSTEM privileges, but there’s no indication why this one is Critical while an identical one is Important. The final Critical patch for November addresses a command injection in Visual Studio. The only interesting thing here is that exploitation would require prompt injection, CoPilot Agent interaction, and triggering a build. That’s far from trivial, but I would love to see what sort of CoPilot interaction is required.
Moving on to the remaining code execution bugs, there are a half-dozen open-and-own in various Office components. In these cases, the Preview Pane is not an attack vector. The bug in Azure Monitor Agent sounds more severe than its Important rating. An unauthenticated attacker could execute their code on affected systems without user interaction. While it doesn’t fall into the realm of wormable, it definitely lands in the world of yikes. The bug in GDI+ also garners a yikes from me as it gets the highest CVSS rating this month at 9.8. An attacker could get code execution over the network without user interaction. GDI+ bugs typically involve viewing an image, but this bug could impact web services that “are parsing documents that contain a specially crafted metafile, without the involvement of a victim user.” The SharePoint bug is another deserialization bug – similar to the one we saw exploited in-the-wild back in July. This requires authentication, but in previous attacks, this type of bug was paired with an auth bypass to exploit affected systems. The bug in the Windows Subsystem for Linux GUI requires user interaction, but patching means updating from the command line versus installing a patch. Finally, there are a couple of bugs in the RRAS protocol, which always seem to have something fixed each month.
Looking at the privilege escalation bugs receiving patches this month, most simply lead to SYSTEM-level code execution or administrative privileges if an authenticated user runs specially crafted code. Others could lead to elevating levels of code execution integrity – moving from Low to Medium integrity or Medium to Local System for code execution. The EoP in Configuration Manager allows attackers to get configuration manager administrator privileges. The bugs in Administration Protection could allow an attack to bypass these protections and execute code as an administrator. There’s an interesting bug in OneDrive for Android that allows attackers to “gain unauthorized access to system resources,” which could then be used for further compromise. Finally, the patch for SQL Server corrects a SQL injection bug. The attacker would get the privileges of the process running the query, so if the query has elevated privileges, so does the attacker.
There are only two Security Feature Bypass (SFB) patches in November, and both have CoPilot as a component. One is a simple path traversal in the Visual Studio Code CoPilot Chat Extension. An attacker could use this to bypass file protections. The other bug is due to the improper validation of generative AI output by CoPilot on Visual Studio. This could also be used to bypass file protections.
There are only a few information disclosure bugs getting patched this month, and fortunately, the majority of these bugs only result in info leaks consisting of unspecified memory contents or memory addresses. The bug in Dynamics 365 (On-Premises) leaks the ever-elusive “sensitive information”. I should also point out that the bugs in License Manager were silently patched last month and are now being documented. I won’t shout from this soapbox for too long, but these are definitely a bad thing™ and should not be done.
The November release contains fixes for three Denial-of-Service (DoS) bugs, and their descriptions are somewhat – obtuse. While they all state that an attacker could deny service over a network (or locally) to that component, two of them state they could be used by a low-privilege Hyper-V guest to cause a DoS on the Hyper-V environment. It’s not clear how this would occur, but it if you’re running Hyper-V, don’t overlook these patches.
Finally, there are two spoofing bugs in Dynamics 365 Field Service (online) that manifest as cross-site scripting (XSS) bugs. Of course, a simple patch won’t fix these. Instead, you’ll need to go to the Power Platform admin center and apply the updates from there.
No new advisories are being released this month. However, there was an update to the latest servicing stack updates ADV990001.
Looking Ahead
The final Patch Tuesday of 2025 will be on December 9, and I’ll be back then with my analysis and thoughts about the release. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!
Welcome to the third and final day of Pwn2Own Ireland 2025. So far, we’ve awarded $792,750 for 56 unique 0-day bugs, and we still have 17 attempts to go! We’ll be updating this blog with live results as we have them, so refresh often.
That’s all folks! Pwn2Own Ireland has come to a close. In total, we awarded $1,024,750 for 73 unique 0-day bugs. We’ve seen some amazing research over the last few day, and we can’t thank our competitors enough for bringing their
Welcome to the third and final day of Pwn2Own Ireland 2025. So far, we’ve awarded $792,750 for 56 unique 0-day bugs, and we still have 17 attempts to go! We’ll be updating this blog with live results as we have them, so refresh often.
That’s all folks! Pwn2Own Ireland has come to a close. In total, we awarded $1,024,750 for 73 unique 0-day bugs. We’ve seen some amazing research over the last few day, and we can’t thank our competitors enough for bringing their hard work and innovation to the contest. We also thanks all of the vendors who participated and special thanks to our partner Meta and co-sponsors Synology and QNAP. Their support has been invaluable in the success of the event. And of course - we have to congratulate the Summoning Team for winning Master of Pwn. They had some great bugs in multiple categories, and winning Master of Pwn shows their hard work preparing for the contest paid off. Here are the final Master of Pwn standings:
Our next event will be in Tokyo on January 21-23, 2026.. Join us for Pwn2Own Automotive then. See you in Japan!
WITHDRAW - CyCraft Technology has withdrawn their attempt against the Amazon Smart Plug.
FAILURE - Unfortunately, Daniel Frederic and Julien Cohen-Scali of Fuzzinglabs could not get their exploit of the QNAP TS-453E working within the time allotted.
SUCCESS/COLLISION - Xilokar (@Xilokar) used four bugs - including a auth bypass and an underflow - to exploit the Phillips Hue Bridge, but one of the bugs collided with a previous entry. He still earns $17,500 and 3.5 Master of Pwn points.
SUCCESS - Chris Anastasio of Team Cluck used a single type confusion bug to exploit the Lexmark CX532adwe printer. He earns himself $20,000 and 2 Master of Pwn points.
SUCCESS - Ben R. And Georgi G. of Interrupt Labs used an improper input validation bug to take over the Samsung Galaxy S25 - enabling the camera and location tracking in the process. They earn $50,000 and 5 Master of Pwn points.
SUCCESS/COLLISION - Yannik Marchand (kinnay) used three bugs - including an Incorrect Implementation of Authentication Algorithm - to exploit the Phillips Hue Bridge, but the other two bugs collided with bugs seen previously in the contest. He still earns $13,500 and 2.75 Master of Pwn points.
SUCCESS - David Berard of Synacktiv used a pair of bugs to exploit the Ubiquiti AI Pro in the Surveillance Systems category. The impressive display (including a round of Baby Shark) earns him $30,000 and 3 Master of Pwn Points.
SUCCESS - Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) used a hard-coded cred and an injection to take over the QNAP TS-453E. These unique bugs earn him $20,000 and 4 Master of Pwn points.
SUCCESS/COLLISION - Team Viettel used two bugs to exploit the Lexmark CX532adwe. While their heap based buffer over was unique, the other bug has been seen earlier in the contest. They still earn $7,500 and 1.5 Master of Pwn points. #Pwn2Own
SUCCESS - Team @Neodyme used a single integer overflow to exploit the Canon imageCLASS MF654Cdw. Their unique bugs earns them $10,000 for the 8th round win and 2 Master of Pwn points. #Pwn2Own
SUCCESS - Interrupt Labs combined a path traversal and an untrusted search path bug to exploit the Lexmark CX532adwe. They got a reverse shell and loaded Doom on the LCD. We couldn't play it though. Still awesome to see. They earn themselves $10,000 and 2 Master of Pwn points.
SUCCESS/COLLISION - The Thalium team from Thales Group (@thalium_team) needed 3 bugs to exploit the Phillips Hue Bridge, but only their heap based buffer overflow was unique. The others were seen earlier in the contest. They still earn $13,500 and 2.75 Master of Pwn points.
COLLISION - Evan Grant used a single bug to exploit the QNAP TS-453E, but, unfortunately, it had been used earlier in the contest. He still earns $10,000 and 2 Master of Pwn points. #Pwn2Own
SUCCESS - namnp of Viettel Cyber Security used a crypto bypass and a heap overflow to exploit the Phillips Hue Bridge. They earn $20,000 and 4 Master of Pwn points, which catapults them in the Top 5 in Master of Pwn standings.
WITHDRAW - Team Z3 has withdrawn their WhatsApp entry.
COLLISION - Bongeun Koo (@kiddo_pwn) and Evangelos Daravigkas (@freddo_1337) of Team DDOS used a single bug to exploit the QNAP TS-453E, but the bug has been previously seen in the contest. Their work still earns them $10,000 and 2 Master of Pwn points.
FAILURE - Unfortunately, Frisk and Opcode from the Inequation Group ctf team could not get their exploit of the Meta Quest 3S working within the time time allotted. They were able to cause a DoS, but did not achieve code execution.
Welcome to Day Two of Pwn2Own Ireland 2025. Yesterday, we awarded $522,500 for 34 unique 0-day bugs. The Summoning Team took a slim lead in the Master of Pwn, but big changes could happen today as we have 19 more attempts today. We’ll be updating this blog with results as they come in, so refresh often!
Day Two of Pwn2Own Ireland 2025 is complete! We saw some great work today, with the exploit of the Samsung Galaxy being the big highlight. So far, we have award
Welcome to Day Two of Pwn2Own Ireland 2025. Yesterday, we awarded $522,500 for 34 unique 0-day bugs. The Summoning Team took a slim lead in the Master of Pwn, but big changes could happen today as we have 19 more attempts today. We’ll be updating this blog with results as they come in, so refresh often!
Day Two of Pwn2Own Ireland 2025 is complete! We saw some great work today, with the exploit of the Samsung Galaxy being the big highlight. So far, we have awarded $792,750 for 56 unique 0-days. Tomorrow look to be even more exciting with another Galaxy attempt, a Met Quest attempt, and (of course) that big WhatsApp exploit everyone is talking about. Saty tuned as we provide real-time results throughout the day. Here’s the current Master of Pwn leader board. The Summoning Team has a commanding lead, but with WhatsApp being worth 100 points, anything can happen.
SUCCESS - Pwn2Own veterans PHP Hooligans used an OOB Write bug to exploit the Canon imageCLASS MF654Cdw printer. Their fifth round win earns them $10,000 and 2 Master of Pwn points.
Veteran competitors showing their skills
SUCCESS/COLLISION - Dinh Ho Anh Khoa and Phan Vinh Khang of Viettel Cyber Security used a unique command injection and two bugs that collided with previous bugs to exploit the Home Automation Green. They earn $12,500 and 2.75 Master of Pwn points.
Returning Master of Pwn champs getting started with a win
SUCCESS/COLLISION - Ho Xuan Ninh (@Xuanninh1412), Hoang Hai Long (@seadragnol) from Qrious Secure used 5 bugs to exploit the Phillips Hue Bridge, but only 3 were unique. They still earn $16,000 and 3.75 Master of Pwn points.
SUCCESS - Chumy Tsai (http://github.com/Jimmy01240397) of CyCraft Technology used a single code injection bug to exploit the QNAP TS-453E. His unique bug earns him $20,000 and 4 Master of Pwn points.
A canine confirmation for CyCraft Technologies
OUT OF SCOPE - Although Sina Kheirkhah's exploit of the Synology BeeStation Plus was successful, the entry was ruled out of scope for the competition.
SUCCESS/COLLISION - Team Neodyme used two bugs to exploit the Home Assistant Green, but only one was unique. They still earn $15,000 and 3 Master of Pwn points.
SUCCESS - TwinkleStar03 (@_twinklestar03) from the DEVCORE Intern Program used a unique stack based buffer overflow to get a sixth round win against the Canon imageCLASS MF654Cdw. He earns $10,000 and 2 Master of Pwn points.
COLLISION - Rafal Goryl from PixiePoint Security succeeded in exploiting the Phillips Hue Bridge, but the bugs he used were collisions with a previous entry. He still earns $10,000 and 2 Master of Pwn points.
COLLISION - Enrique Castillo (@hyprdude), McCaulay Hudson (@_mccaulay), Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) successfully exploited the Synology CC400W camera, but the bug they used was known to the vendor. They still earn $15,000 and 1.5 Master of Pwn points.
SUCCESS - Le Trong Phuc (chanze@VRC) and Cao Ngoc Quy (Chino Kafuu) of Verichains Cyber Force chained two unique bugs - including an auth bypass - to exploit the Synology DS925+ and run code as root. Their work earns them $20,000 and 4 Master of Pwn points.
FAILURE - Unfortunately, Tri Dang from Qrious Secure could not get his exploit of the Samsung Galaxy S25 in the time allotted. #Pwn2Own
SUCCESS - Ken Gannon / 伊藤 剣 of Mobile Hacking Lab, and Dimitrios Valsamaras of Summoning Team used five different bugs to exploit the Samsung Galaxy S25. They earn $50,000 and 5 Master of Pwn points.
COLLISION The PHP Hooligans used a buffer overflow to exploit the Phillips Hue Bridge, but the bug had been previously seen in the contest. They still earn $10,000 and 2 Master of Pwn points.
SUCCESS - Mehdi & Matthieu from team Synacktiv used a buffer overflow to exploit the Phillips Hue Bridge. Their unique bug earns them $20,000 and 4 Master of Pwn points.
SUCCESS - Team Neodyme (@Neodyme) used three bugs to exploit the Amazon Smart plug. In doing so, they earn themselves $20,000 and 2 Master of Pwn points.
COLLISION - The PHP Hooligans did exploit the QNAP TS-453E, but the bug they used was previously seen in the contest. They still earn $10,000 and 2 Master of Pwn points. #Pwn2Own
SUCCESS - Nao and @ExLuck99 from ANHTUD used a heap-based buffer overflow to exploit the Lexmark CX532adwe, but we penalized for a rules violation. The still earn $10,000 and 2 Master of Pwn points.
SUCCESS/COLLISION - ChatGPT helped Team ANHTUD as they used 3 bugs - 1 collision, 1 unique SSRF and 1 cleartext storage of sensitive information - to exploit Home Automation Green. They finished with just 45 seconds remaining. Their work earns them $16,750 and 3.75 Master of Pwn points.
COLLISION - Our final attempt of the day is a collision. Le Tran Hai Tung (@tacbliw), namnp and Le Duc Anh Vu (@vulda) of Viettel Cyber Security collided with a previous entry while exploiting the Canon mageCLASS MF654Cdw. They still earn $5,000 and 1 Master of Pwn points.
Entrar
