This study addresses the lack of systematic research on vulnerabilities in intelligent connected vehicles (ICVs), which has often been limited to isolated components and reliant on subjective analysis, failing to reflect real-world attack scenarios. For the first time, we conduct a large-scale empirical analysis based on 649 real-world exploitable vulnerabilities, integrating data from security competitions and researcher submissions. By employing vulnerability clustering, threat modeling, and risk stratification, we develop a comprehensive analytical framework encompassing six threat categories and four risk levels. Our investigation identifies one previously unreported vulnerability location and thirteen novel vulnerability types, extends and refines existing taxonomies, and bridges the gap between theory and practice. We also release a high-quality vulnerability dataset to support future ICV security research and policymaking.

Intelligent Connected Vehicles (ICVs) are a core component of modern transportation systems, and their security is crucial as it directly relates to user safety. Despite prior research, most existing studies focus only on specific sub-components of ICVs due to their inherent complexity. As a result, there is a lack of systematic understanding of ICV vulnerabilities. Moreover, much of the current literature relies on human subjective analysis, such as surveys and interviews, which tends to be high-level and unvalidated, leaving a significant gap between theoretical findings and real-world attacks. To address this issue, we conducted the first large-scale empirical study on ICV vulnerabilities. We began by analyzing existing ICV security literature and summarizing the prevailing taxonomies in terms of vulnerability locations and types. To evaluate their real-world relevance, we collected a total of 649 exploitable vulnerabilities, including 592 from eight ICV vulnerability discovery competitions, Anonymous Cup, between January 2023 and April 2024, covering 48 different vehicles. The remaining 57 vulnerabilities were submitted daily by researchers. Based on this dataset, we assessed the coverage of existing taxonomies and identified several gaps, discovering one new vulnerability location and 13 new vulnerability types. We further categorized these vulnerabilities into 6 threat types (e.g., privacy data breach) and 4 risk levels (ranging from low to critical) and analyzed participants'skills and the types of ICVs involved in the competitions. This study provides a comprehensive and data-driven analysis of ICV vulnerabilities, offering actionable insights for researchers, industry practitioners, and policymakers. To support future research, we have made our vulnerability dataset publicly available.