
VicOne, an automotive cybersecurity company and Trend Micro subsidiary, tracks cybersecurity incidents across the automotive ecosystem as part of its ongoing threat intelligence mission. This Q1 2026 Situational Awareness Report summarizes observed incidents, ransomware activity, and common weakness enumeration (CWE) analyses from January through March 2026, covering risk distributed across enterprise systems, vehicles, and supporting infrastructure.
TL;DR: VicOne recorded 405 cybersecurity incidents across the automotive ecosystem in Q1 2026, up from 378 in Q4 2025. Ransomware remained persistent, EV charging infrastructure incidents more than tripled, and AI emerged as a new attack surface across both enterprise and vehicle environments.
Q1 2026 executive highlights
High activity across the automotive ecosystem: 405 incidents were recorded in Q1 2026 (compared with 378 incidents in Q4 2025), with activity concentrated in Europe and primarily affecting enterprise IT and in-vehicle systems.
Ransomware landscape evolving: Multiple threat actors were active, with The Gentlemen emerging as a new leading group with 19 observed incidents, alongside Akira (18) and other actors. These targeted logistics, suppliers, and service providers across the automotive value chain.
Charging infrastructure incidents rising: A more than threefold increase in incidents (7 in Q4 2025 to 26 in Q1 2026) highlights growing risk in EV charging systems.
AI introduces new exposure: AI is increasingly shaping both attack methods and system risk, acting as a high-access dependency across enterprise and vehicle environments that can centralize and expose sensitive data.
Threat landscape
VicOne's Q1 2026 threat data shows how cybersecurity activity is distributed across regions and domains within the automotive ecosystem. In total, VicOne recorded 405 incidents during the quarter.
Regional distribution
Figure 1. Distribution of incidents by region in Q1 2026, with Europe accounting for the largest share. Global incidents also increased, indicating more campaigns affecting multiple geographies.
From a regional perspective, Europe recorded the highest number of incidents (161), followed by the Americas (140) and Asia (72), while other regions accounted for a smaller share of observed activity. In total, 405 incidents were recorded in Q1 2026.
It is also worth noting that global incidents increased substantially, rising from 9 in Q4 2025 to 28 in Q1 2026, indicating a higher presence of campaigns affecting multiple geographies.
Domain distribution
Figure 2. Distribution of incidents by domain in Q1 2026, with enterprise IT systems and in-vehicle systems accounting for the majority of observed activity.
Enterprise IT systems accounted for the largest share of incidents (210), followed by in-vehicle systems (129). Charging infrastructure (26) and operational technology systems (20) also contributed to overall exposure, while connected vehicle backend services (18) and vehicle companion apps (2) accounted for a smaller portion of observed incidents.
In Q1 2026, multiple vulnerabilities disclosed in EV charging systems highlight growing exposure in this domain. For example, a security audit conducted by Quarkslab of an open-source EV charging platform identified several high-severity issues, including denial-of-service conditions, session handling weaknesses, and memory-related vulnerabilities. These exposures contribute to the more than threefold increase in charging infrastructure incidents, from 7 in Q4 2025 to 26 in Q1 2026.
Notable real-world incidents in Q1 2026
VicOne's threat intelligence identified the following notable incidents across the automotive ecosystem during Q1 2026:
Enterprise IT systems as entry points: Ongoing campaigns targeting SSO and SaaS platforms, including phishing and social engineering attacks, highlight how attackers gain initial access to automotive organizations.
In-vehicle infotainment (IVI) system compromise: Recent research demonstrates full compromise of a European carmaker’s IVI systems via hard-coded root credentials and OTA bypass techniques, reinforcing persistent risks within vehicle platforms.
Ecosystem and backend dependencies: Incidents involving cloud service disruptions and third-party providers at a European OEM illustrate how external system failures can directly impact vehicle access and operation.
Third-party service disruption impacting vehicle access: A cyberattack on a vehicle breathalyzer service provider disrupted backend systems, preventing drivers from starting their vehicles.
Connectivity-related immobilization across multiple OEMs: Following reports in December 2025 of a luxury car brand being immobilized in Russia due to a VTS-related lockout, similar incidents have now been observed in other OEMs, highlighting the risks associated with shared dependencies and external systems.
As these observations are based on Q1 2026 data, the threat landscape may evolve in the coming months.
Ransomware activities
Ransomware activity in Q1 2026 remained persistent across the automotive ecosystem, with VicOne observing incidents across multiple threat actors and target segments. Monthly data shows a gradual decline from January (66 incidents) through February (64) to March (50), suggesting an active start to the year followed by a slight tapering.
Leading ransomware groups in Q1 2026
Figure 3. Monthly distribution of ransomware incidents in Q1 2026, showing sustained activity throughout the quarter with a gradual decline from January to March.
Figure 4. Ransomware activity in Q1 2026 by threat actor, with The Gentlemen emerging as a leading group alongside Akira and other actors.
Multiple ransomware groups contributed to the overall volume, with The Gentlemen (19 incidents) and Akira (18) leading observed activity, followed by INC Ransom, Qilin, and 0APT, alongside a long tail of smaller actors.
The Gentlemen ransomware group, which led observed activity in Q1 2026, targeted organizations across the automotive value chain. Some of the reported victims include an automotive parts supplier in Taiwan, an agricultural equipment dealer in Austria, and a regional passenger transport operator in Italy.
First documented in August 2025, the group has demonstrated advanced capabilities in compromising enterprise environments, including the abuse of legitimate tools, privilege escalation, and tailored techniques to bypass security controls.
Ransomware by industry segment
Figure 5. Distribution of ransomware incidents by industry in Q1 2026.
The ransomware incidents in Q1 2026 were concentrated in logistics and transportation (61), followed by suppliers (38) and dealer and retailer networks (32). This distribution highlights a focus on operationally critical segments of the automotive value chain, where disruption can have downstream impact across manufacturing, distribution, and service delivery.
Several notable incidents this quarter illustrate how ransomware is evolving beyond traditional enterprise IT disruption into broader operational and ecosystem-level risk:
A ransomware incident involving an EV charging provider resulted in the exposure of customer data following abnormal activity in its cloud environment.
An OEM based in Shanghai, China, was reportedly targeted by BEAST ransomware, with approximately 700GB of company-wide data leaked.
CWE analysis
A comparison of the top CWE IDs observed in Q4 2025 and Q1 2026 provides a snapshot of vulnerability patterns across the automotive ecosystem. While the data reflects only one quarter of activity, it highlights differences in the types of weaknesses observed across environments.
| Top CWEs in Q1 2026 | Count | Top CWEs in Q4 2025 | Count |
|---|---|---|---|
| CWE-306: Missing Authentication for Critical Function | 18 | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 30 |
| CWE-613: Insufficient Session Expiration | 14 | CWE-306: Missing Authentication for Critical Function | 9 |
| CWE-307: Improper Restriction of Excessive Authentication Attempts | 11 | CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') | 8 |
| CWE-522: Insufficiently Protected Credentials | 11 | CWE-121: Stack-based Buffer Overflow | 7 |
| CWE-416: Use After Free | 10 | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 7 |
| CWE-121: Stack-based Buffer Overflow | 7 | CWE-23: Relative Path Traversal | 6 |
| CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 6 | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | 5 |
| CWE-400: Uncontrolled Resource Consumption | 6 | CWE-787: Out-of-bounds Write | 5 |
| CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 6 | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 4 |
| CWE-863: Incorrect Authorization | 5 | CWE-20: Improper Input Validation | 3 |
Table 1. Top 10 CWE IDs observed in Q1 2026 and Q4 2025
Overall CWE trends: Q4 2025 vs. Q1 2026
Across the top 10 CWE IDs, Q4 2025 is characterized by a higher concentration of input-driven vulnerabilities, including cross-site scripting (XSS), command injection, and path traversal. In contrast, Q1 2026 shows a greater prevalence of authentication, session management, and credential-related weaknesses, including missing authentication, insufficient session expiration, and weak credential protection. Memory-related issues such as use-after-free and buffer overflows also appear more prominently in Q1 2026.
While vulnerabilities span multiple domains, the following sections focus on charging infrastructure and in-vehicle systems, where risks have more direct implications for vehicle operation and connected services.
Charging infrastructure vulnerabilities
Within charging infrastructure, vulnerability patterns in Q1 2026 are dominated by authentication and session management weaknesses. The most frequently observed issues include missing authentication, insufficient session expiration, improper restriction of authentication attempts, and insufficiently protected credentials.
In contrast, Q4 2025 reflects low-frequency and fragmented technical vulnerabilities, including isolated instances of memory-related issues, buffer overflows, and data exposure. The concentration of authentication-related weaknesses in Q1 highlights the importance of strengthening access controls and identity mechanisms across charging systems and their supporting platforms.
| Top Charging Infrastructure CWEs in Q1 2026 | Count | Top Charging Infrastructure CWEs in Q4 2025 | Count |
|---|---|---|---|
| CWE-306: Missing Authentication for Critical Function | 13 | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer | 1 |
| CWE-613: Insufficient Session Expiration | 12 | CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | 1 |
| CWE-307: Improper Restriction of Excessive Authentication Attempts | 11 | CWE-121: Stack-based Buffer Overflow | 1 |
| CWE-522: Insufficiently Protected Credentials | 11 | CWE-122: Heap-based Buffer Overflow | 1 |
| CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 6 | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | 1 |
Table 2. Top CWE IDs observed in charging infrastructure in Q1 2026 compared to Q4 2025
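The four authentication and session weaknesses that dominate Table 2 (CWE-306, CWE-613, CWE-307 and CWE-522) are design-time defects, so they are best shown in a backend written to avoid them. The following is an added example, not VicOne's code or any charging platform's, of a minimal charging-station management backend that expires sessions, throttles failed logins, hashes stored credentials and gates the charging command on a live session; the class, the timeout values and the charger-ID format are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumed limits for a hypothetical charging-station management API (not VicOne's)
IDLE_TIMEOUT = 15 * 60         # seconds of inactivity before a session is dropped
ABSOLUTE_TIMEOUT = 8 * 3600    # hard session lifetime regardless of activity
MAX_FAILURES = 5               # failed logins before the account is locked
LOCKOUT = 10 * 60              # seconds the lock lasts after the last failure

def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class ChargerBackend:
    def __init__(self, accounts, now=time.time):
        self.now = now                      # injectable clock, so expiry is testable
        self.users = {}                     # user -> (salt, pbkdf2 hash); avoids CWE-522
        for user, pw in accounts.items():
            salt = secrets.token_bytes(16)
            self.users[user] = (salt, _hash(pw, salt))
        self.failures = {}                  # user -> (count, time of last failure)
        self.sessions = {}                  # token -> (user, created, last seen)
    def login(self, user, pw):
        count, last = self.failures.get(user, (0, 0.0))
        if count >= MAX_FAILURES:
            if self.now() - last < LOCKOUT:
                return None                 # CWE-307: refuse while the lock is active
            count = 0                       # lock has expired, start counting again
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(_hash(pw, rec[0]), rec[1]):
            self.failures[user] = (count + 1, self.now())
            return None
        self.failures.pop(user, None)
        token = secrets.token_urlsafe(32)   # unguessable session identifier
        self.sessions[token] = (user, self.now(), self.now())
        return token
    def session_user(self, token):
        """Return the session's user, or None once idle/absolute limits pass (CWE-613)."""
        rec = self.sessions.get(token)
        if rec is None:
            return None
        user, created, last = rec
        if self.now() - last > IDLE_TIMEOUT or self.now() - created > ABSOLUTE_TIMEOUT:
            del self.sessions[token]        # expired: drop it rather than let it linger
            return None
        self.sessions[token] = (user, created, self.now())
        return user
    def start_charging(self, token, charger_id):
        """Critical function: only a live, authenticated session may act (CWE-306)."""
        return self.session_user(token) is not None and charger_id.startswith("CP-")
```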
In-vehicle system vulnerabilities
In-vehicle systems exhibit a different pattern, with Q1 2026 showing a stronger presence of memory safety vulnerabilities, including use-after-free and stack-based buffer overflows. These are accompanied by lower-frequency issues related to authentication bypass and cryptographic weaknesses.
In Q4 2025, observed vulnerabilities in in-vehicle systems are more fragmented, consisting of a mix of authentication, memory-related, and input validation issues without a clear dominant pattern. The increased presence of memory and low-level software vulnerabilities in Q1 reflects the complexity of modern vehicle platforms and their reliance on embedded systems.
| Top In-Vehicle CWEs in Q1 2026 | Count | Top In-Vehicle CWEs in Q4 2025 | Count |
|---|---|---|---|
| CWE-416: Use After Free | 6 | CWE-306: Missing Authentication for Critical Function | 3 |
| CWE-121: Stack-based Buffer Overflow | 4 | CWE-121: Stack-based Buffer Overflow | 2 |
| CWE-1241: Use of Predictable Algorithm in Random Number Generator | 1 | CWE-126: Buffer Over-read | 1 |
| CWE-288: Authentication Bypass Using an Alternate Path or Channel | 1 | CWE-129: Improper Validation of Array Index | 1 |
| CWE-294: Authentication Bypass by Capture-replay | 1 | CWE-269: Improper Privilege Management | 1 |
Table 3. Top CWE IDs observed in in-vehicle systems in Q1 2026 compared to Q4 2025
Key takeaway: In Q1 2026, authentication and access control weaknesses are prominent across externally connected platforms, including EV charging infrastructure, and are fundamentally preventable through secure design and implementation practices. Memory safety and low-level software issues are more prevalent in in-vehicle environments, reflecting the inherent complexity of embedded systems.
AI-related incidents
Several notable incidents in Q1 2026 highlight the growing role of artificial intelligence (AI) across enterprise and vehicle environments. VicOne's threat intelligence tracked three distinct cases that illustrate how AI is reshaping both attack methods and system exposure.
AI-assisted exploit chaining: Researchers demonstrated how AI-assisted tools can be used to identify vulnerabilities, chain exploits, and gain administrator access to cloud environments within minutes. Following initial access, attackers were observed abusing the victim's AI services, including large language models (LLMs), for data extraction and resource consumption.
AI agent account compromise: VicOne's dark web intelligence observed threat actors offering data reportedly obtained through an automotive supplier executive's AI agent account serving major OEM clients. Although the AI agent has since been removed, the incident highlights how AI systems can centralize access to sensitive enterprise and ecosystem data, creating a high-value target for attackers.
AI-assisted vehicle system reverse engineering: A researcher demonstrated how Claude Code, an AI coding tool developed by Anthropic, can interpret raw controller area network (CAN) bus signals and assist in reverse engineering vehicle communications, enabling faster interaction with vehicle systems.
These incidents highlight the growing role of AI in shaping both attack methods and system exposure. A separate case involving Anthropic, where a protected AI model was reportedly accessed shortly after deployment, further illustrates how AI models are becoming a hidden dependency in automotive cybersecurity.
As AI systems become more integrated into enterprise workflows and vehicle platforms, organizations should closely monitor how these technologies are deployed, secured, and granted access to sensitive systems and data. VicOne continues to track AI-related threat activity as part of its automotive threat intelligence program.
Conclusion
VicOne's Q1 2026 Situational Awareness Report documents 405 cybersecurity incidents across the automotive ecosystem, reflecting sustained and evolving threat activity. Activity spans multiple domains, from enterprise IT and in-vehicle systems to EV charging infrastructure, reflecting the realities of what VicOne describes as the Overlap Era: a period in which legacy systems and modern, connected platforms coexist and share risk exposure. The growing role of AI adds another layer of complexity to this landscape.
In this environment, organizations should prioritize three areas:
Strengthening visibility across domains: Threats are distributed across enterprise IT, in-vehicle systems, charging infrastructure, and backend services. Siloed monitoring creates gaps that attackers exploit.
Securing high-access systems: AI agents, SSO platforms, and cloud dependencies have become high-value targets precisely because they centralize access. Governance and access controls for these systems require the same rigor applied to traditional IT infrastructure.
Continuously monitoring critical dependencies: Third-party providers, connectivity platforms, and shared services can directly impact vehicle operation when compromised. Dependency mapping and continuous monitoring are essential.
Resilience will depend on how quickly organizations can detect, respond to, and adapt across the evolving mobility ecosystem. VicOne supports this through capabilities including vehicle security operations centers (VSOCs) and AI-driven threat intelligence platforms that enable proactive visibility and rapid containment across the automotive value chain.