PCA Cyber Security has published a report showing a 105% year-on-year rise in automotive cybersecurity vulnerabilities. The findings cover automotive-specific vulnerabilities and incidents recorded in the first quarter.
The Budapest-based cybersecurity firm identified 265 new automotive CVEs in the quarter, up 28% from the previous quarter. It also found a sharper severity profile, judging that 88% of the vulnerabilities could be exploited without specialised tools or extensive preparation.
The figures point to a growing security challenge for connected and software-defined vehicles, including electric vehicles, as more functions depend on software, telematics and networked systems. Attack methods are expanding, while the effort needed to exploit many weaknesses is falling.
Entry points
Of the 14 distinct entry methods identified in the report, in-vehicle Ethernet networks were the most common. According to the analysis, Ethernet accounted for 25% of the vulnerabilities tracked in the quarter.
The shift matters because carmakers are using Ethernet more widely inside vehicles as they replace older network architectures and add connected features. If systems are not designed and tested with security in mind, that same change can widen the attack surface.
PCA's findings suggest automotive cyber risk is no longer limited to isolated vehicle components. The report links vulnerabilities in vehicle systems to weaknesses in cloud services, mobile apps, support operations and online marketplaces around the car.
Real-world incidents
The quarter also brought a series of incidents showing how digital attacks can affect drivers directly. One of the most striking involved a Russian telematics provider whose mobile app offered remote locking, unlocking and engine-start functions.
A cyberattack on the provider in January left car owners across Russia unable to unlock doors or start engines. According to PCA, owners of newer vehicles without physical ignition keys had to wait almost two weeks before services returned to normal.
The report also highlighted a separate breach at a major online automotive marketplace. In that case, 12.4 million user records were exposed after the company's help desk was compromised in a voice phishing attack attributed to ShinyHunters.
The incident illustrates how risks in the automotive sector extend well beyond the vehicle itself. Consumer data, digital retail platforms and customer support channels are all becoming part of the industry's cyber exposure as car buying and vehicle management move online.
Another example came from the latest Pwn2Own Automotive competition, where ethical hackers test connected vehicles, EV chargers and automotive software for flaws. PCA said the event drew 73 entries, a new high, and uncovered zero-day vulnerabilities in Tesla infotainment, mainstream head units and common EV chargers.
Operational pressure
The combination of more vulnerabilities, more accessible attack paths and more visible incidents is increasing pressure on carmakers and suppliers to tighten cyber controls. It also raises questions about whether existing review processes can keep pace as software content in vehicles continues to grow.
PCA argued that automated discovery of vehicle exploits is outpacing the manual auditing practices used to assess vehicle security. If that gap widens, manufacturers could be left reacting to threats after products are deployed rather than identifying weaknesses earlier in development.
One response, PCA argued, would be a shift towards what it described as a degraded-mode telematics architecture. The aim is to keep essential vehicle functions working during cloud outages or attacks, reducing the risk that drivers lose access to basic controls when connected services fail.
Vlad Ryabyshkin set out the firm's view of the trend. "2026 is the year automotive cybersecurity stops being a policy alignment exercise and becomes operational proof. The Q1 data shows threats are scaling faster than traditional defences, and the human perimeter and cloud control plane are now as critical as the in-vehicle network," Ryabyshkin said.
PCA specialises in embedded cybersecurity work, including penetration testing, threat intelligence and continuous monitoring, in the automotive and financial services sectors. Founded in 2019, the company is headquartered in Budapest and has offices in Munich and Florida.