The automotive industry recorded 405 cybersecurity incidents in the first quarter of 2026, according to VicOne’s latest Situational Awareness Report, with EV charging infrastructure attacks tripling and ransomware continuing to plague the supply chain. The report, released by VicOne’s CyberThreat Research Lab, paints a stark picture of an industry under escalating digital siege.
The numbers that should worry every fleet operator
- 405 total incidents recorded across automotive, transportation, and logistics sectors in Q1 2026
- EV charging attacks tripled compared to Q4 2025, driven by expanding attack surfaces in charging infrastructure
- Ransomware remained dominant, with logistics fleets and Tier 1 suppliers as primary targets
- AI emerged as a new attack surface, with AI supply chain attacks targeting development tooling used by automotive OEMs
- Pwn2Own Automotive 2026 revealed 76 zero-day vulnerabilities across EV chargers, IVI systems, and telematics units, with $1,047,000 awarded to researchers
EV Charging: From Device Risk to Ecosystem Threat
VicOne’s research found that EV charging security can no longer be treated as a device-level problem. Each charging session connects charger hardware, vehicle systems, mobile apps, and cloud platforms into a single attack surface. At Pwn2Own Automotive 2026 in Tokyo, researchers successfully exploited EV chargers from multiple manufacturers, demonstrating that both OCPP (Open Charge Point Protocol) implementations and charger firmware remain critically vulnerable.
The threefold increase in EV charging incidents reflects what VicOne calls an “infrastructure-level” risk that demands coordinated controls across hardware, communications, and cloud layers.
Linux Kernel Flaws: Copy Fail and DirtyFrag
VicOne’s CyberThreat Research Lab also highlighted two critical Linux kernel vulnerabilities — Copy Fail (CVE-2026-31431) and DirtyFrag — that pose direct risks to automotive systems. As modern vehicles increasingly run Linux-based IVI (In-Vehicle Infotainment) systems and ADAS platforms, kernel-level flaws create potential pathways for privilege escalation and arbitrary code execution within the vehicle network.
VicOne has mapped these vulnerabilities to MITRE ATT&CK categories and deployed detection signatures via its xCarbon in-vehicle IDPS platform.
When cargo becomes a hostage
In a parallel research thread, the lab identified key vulnerability classes in fleet management applications, including Electronic Logging Device (ELD) systems running on Android. The report “Shifts in the Supply Chain” details how ransomware groups have shifted focus from dealerships to logistics fleets, exploiting weak ELD data integrity and unpatched Android vulnerabilities in telematics gateways.
AI Supply Chain Attacks: Automotive OEMs in the Crosshairs
VicOne warned that AI supply chain attacks are no longer theoretical. Attackers are exploiting AI development tooling used by automotive OEMs, with techniques including model poisoning, adversarial inputs, and compromised AI libraries making their way into production vehicles. The report recommends that OEMs implement software bill of materials (SBOM) validation for AI components and deploy runtime AI security monitoring via platforms such as VicOne’s xPhinx.
Governments start demanding answers from automakers
The Q1 2026 findings arrive as UN Regulation R155 compliance deadlines continue to expand globally. Japan, South Korea, and several ASEAN markets have now adopted R155-type approval requirements, while India’s AIS-189 regulation enters enforcement phases. The European Union’s Cyber Resilience Act (CRA) is also set to impose stricter vulnerability disclosure and patching requirements on connected vehicle components sold in the bloc.
VicOne will present a deeper breakdown of these findings at the upcoming Auto-ISAC European Summit and at ESCAR USA later this year.
— Reporting by the CarThreat editorial team, drawing on VicOne CyberThreat Research Lab data and public incident disclosures.
