#NSBCS.118 - Pwn2Own Automotive 2026: Your Car Is Not More Secure Than Your Devices


Pwn2Own Automotive 2026, held at the Automotive World 2026 conference in Tokyo, delivered a clear message: modern cars are no longer isolated machines; they are complex, connected systems facing the same cybersecurity risks as everyday devices. Organised by the Zero Day Initiative, the competition brought together elite security researchers who collectively uncovered dozens of previously unknown vulnerabilities. With over $1 million in rewards paid out for 76 zero-day exploits, the event demonstrated that today’s vehicles are just as exposed to sophisticated attacks as smartphones, laptops, and IoT devices.

The targets in the competition reflected how deeply software is embedded in modern mobility. Researchers successfully attacked in-vehicle infotainment systems from brands like Sony and Alpine, as well as platforms built on Automotive Grade Linux. Even more concerning, electric vehicle charging infrastructure, while often overlooked by consumers, proved to be a critical weak point. Chargers from vendors such as Autel and Phoenix Contact were compromised, showing that the ecosystem surrounding your car can be just as vulnerable as the vehicle itself.

The exploits demonstrated during the event were not theoretical; they mirrored the kinds of attacks seen in traditional computing. Participants used memory corruption bugs, race conditions, and logic flaws to gain root access, execute arbitrary code, and move laterally across systems. One of the most striking examples involved a successful compromise of an EV fast charger from Alpitronic, where researchers achieved code execution through the charging interface. This kind of attack highlights a critical shift: plugging in your car can now carry risks similar to connecting an untrusted USB device to your computer.

The top honour, the “Master of Pwn” title, went to Fuzzware.io, whose researchers chained together high-impact exploits across multiple targets. Their success underscores a broader reality: cars are no longer just mechanical systems but fully networked computing platforms. As vehicles continue to evolve, the line between automotive security and traditional IT security is rapidly disappearing. The takeaway from Pwn2Own Automotive 2026 is hard to ignore: your car now demands the same level of cybersecurity awareness as any other connected device you rely on daily.


What we read this week

  • Hasbro Investigates Major Cyberattack with Systems Taken Offline - Toymaker Hasbro has confirmed it is investigating a cybersecurity incident after detecting unauthorised access to its network on 28 March 2026. The company engaged third-party experts and took certain systems offline as a precautionary measure while assessing the full scope of the breach, including any potential data compromise. This attack on a major consumer-goods manufacturer highlights the persistent risk to supply chains and operational technology in non-traditional critical sectors. Organisations are advised to review vendor risk management processes, implement strict network segmentation, enable continuous monitoring for anomalous activity, and maintain tested offline backups to limit the impact of similar intrusions.

  • CERT-UA Impersonation Campaign Delivers AGEWHEEZE Remote Access Trojan - Ukraine’s Computer Emergency Response Team has warned of a targeted phishing operation in which threat actors impersonated CERT-UA itself, sending over one million emails on 26 and 27 March 2026 to state organisations, medical centres, security firms, educational institutions, financial entities, and software developers. The lures directed recipients to download a password-protected ZIP file containing Go-based AGEWHEEZE malware disguised as official protection software. The campaign exploited trust in national cybersecurity authorities to achieve initial access and establish persistent remote control. Organisations should verify all official communications through secondary channels, block unsolicited ZIP attachments, deploy advanced email gateway filtering, and train staff to recognise authority-impersonation tactics.

  • Google Links Axios Supply-Chain Attack to North Korean Threat Actors - Google’s Threat Intelligence Group has attributed a sophisticated supply-chain compromise of the popular Axios JavaScript library to a North Korean-linked group, warning that the attack could enable widespread downstream compromises across thousands of developer environments and web applications. Attackers injected malicious code into the library’s distribution pipeline, targeting open-source dependencies used in enterprise and government software projects. The incident underscores the growing risk of software supply-chain attacks by nation-state actors. Development teams and organisations should enforce dependency integrity checks, implement SBOM monitoring, isolate build environments, and subscribe to timely threat intelligence feeds on open-source ecosystem risks.

  • Critical Chrome Zero-Day CVE-2026-5281 Actively Exploited in the Wild - Google has released emergency patches for 21 vulnerabilities in Chrome, including the actively exploited zero-day CVE-2026-5281 affecting the Dawn WebGPU component. The flaw allows remote code execution without user interaction and has been observed in targeted attacks shortly after disclosure. CISA has already added the vulnerability to its Known Exploited Vulnerabilities catalogue. With Chrome’s dominant market share, the risk extends to both enterprise and consumer environments. Organisations must prioritise immediate browser updates across all endpoints, enforce automatic patching policies, and monitor for exploitation attempts via web traffic analysis and endpoint detection tools.

  • CISA Directs Federal Agencies to Patch Critical Citrix NetScaler Vulnerability - CISA has issued an urgent directive requiring Federal Civilian Executive Branch agencies to patch a high-severity flaw in Citrix NetScaler products by Thursday or discontinue use of affected versions. The vulnerability enables unauthenticated remote attackers to compromise perimeter devices widely deployed in government and enterprise networks. Exploitation could lead to full network pivoting and data exfiltration. This advisory serves as a timely reminder for all organisations running Citrix infrastructure. Immediate actions include applying the latest patches, restricting public exposure of management interfaces, reviewing logs for indicators of compromise, and accelerating migration to zero-trust network architectures where feasible.

