The conclusion of Pwn2Own Vancouver 2024 saw security researchers collecting a total of $1,132,500 after demonstrating 29 zero-day vulnerabilities across various software and products. Held over two days, the competition targeted fully patched systems in categories including web browsers, cloud-native/container, virtualization, enterprise applications, servers, local escalation of privilege (EoP), enterprise communications, and automotive.
Among the notable exploits, Team Synacktiv secured a Tesla Model 3 and $200,000 on the first day by exploiting the Tesla ECU with Vehicle (VEH) CAN BUS Control in under 30 seconds using an integer overflow. Manfred Paul emerged as the overall winner of Pwn2Own Vancouver 2024, earning 25 Master of Pwn points and $202,500 throughout the competition. Paul's exploits included hacking Apple Safari, Google Chrome, and Microsoft Edge web browsers, utilizing zero-day vulnerabilities.
Additional successful attempts and bug collisions on both days included:
Throughout the event, contestants demonstrated their prowess by exploiting vulnerabilities in a variety of systems, including Windows 11, Ubuntu Desktop, VMware Workstation, Oracle VirtualBox, and popular web browsers such as Apple Safari, Google Chrome, and Microsoft Edge.
Following the demonstration of zero-day vulnerabilities at Pwn2Own, vendors have 90 days to develop and release security patches before Trend Micro's Zero Day Initiative publicly discloses them.
Pwn2Own Vancouver 2024 showcased the ongoing challenge of securing modern systems against sophisticated cyber threats. With hackers continuing to find and exploit vulnerabilities, it underscores the importance of robust security measures and timely patching to mitigate the risk of cyberattacks.
