77 distinct CWEs mapped in Q1 2026, up from 64 in Q4 2025

Pwn2Own Automotive 2026 had a record 73 entries

Quarkslab's audit of EVerest open-source EV charging stack found 6 high-severity, 6 medium-severity, 5 low-severity and 3 informational issues

Ultra-Fast Wireless Charging hack drained 76% of EV power on the Alpitronic HYC50 commercial DC fast charger

DefenseWeaver multi-agent LLM identified 11 critical attack paths across four automotive projects in TARA testing

Quarkslab bypassed the 16-byte RH850 debug password protection using voltage fault injection

Kenwood DNR1007XR aftermarket head unit exposes a Linux login prompt over UART at 115200 bps via a hidden board-edge connector

Ransomware group exfiltrated nearly 1 TB of data from a major Asian vehicle manufacturer's customer and dealership environment in early January 2026 via a third-party vendor

Delta Alarm cyberattack disabled mobile-app vehicle controls for hundreds of thousands of Russian vehicle owners for up to two weeks in late January 2026

Delta Alarm took approximately five days to restore partial functionality and nearly two weeks to fully recover from the cloud control plane attack

US Commerce Department rule prohibits Chinese and Russian connected-vehicle software starting Model Year 2027

US connected vehicle hardware restrictions arrive for Model Year 2030 or January 1, 2029 for non-model-year components

US connected vehicle rule covers vehicles under 10,001 pounds

China's amended Cybersecurity Law took effect on 1 January 2026 (passed 28 October 2025) with raised penalties and extraterritorial reach

64 distinct CWEs mapped in Q4 2025, down from 82 in Q3 2025

Over 100 advertised leaks and ransomware breaches targeted the automotive supply chain on the dark web in Q4 2025

UK SI 2025/1110 mandates UN R155 and R156 for type-approval effective 13 November 2025

EU Delegated Regulation 2025/1455 extends UN R155 to L-category vehicles: new types compliant by 11 December 2027, existing types by 11 June 2029

ControlLoc adversarial attack on AV object trackers achieved up to 98.5% success digitally and over 79% in physical tests against the Baidu Apollo stack

US Tier-1 automotive supplier had approximately 1.9 TB of internal files publicly posted on an extortion site at the end of October 2025