Description
Expected behavior violation in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the motorcycle's anti-theft shutdown by forcing the Wireless Control Module (WCM) into the CAN bus-off state. Using a well-known CAN error-frame injection technique against a periodic WCM transmission, the attacker drives the WCM CAN controller's transmit error counter past the bus-off threshold, after which the WCM stops transmitting all messages, including the shutdown command. Peer ECUs do not interpret WCM silence as a security event and continue normal operation, allowing the motorcycle to be operated despite the immobilizer never having been unlocked. Specific protocol details have been withheld pending vendor remediation.
Published: 2026-05-29
Score: 4.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability permits an attacker with access to the vehicle's CAN network to force the Wireless Control Module into a bus-off state. By injecting well-known CAN error frames against a periodic WCM transmission, the attacker pushes the WCM's transmit error counter past the bus-off threshold, causing the module to cease all transmissions, including the immobilizer shutdown command. The vehicle's other ECUs do not interpret this silence as a security event, so the motorcycle can continue to operate with the anti-theft system disabled, effectively disengaging the immobilizer without proper authorization.

Affected Systems

Indian Motorcycle (Polaris Inc.) Scout Bobber + Tech 2025 model year.

Risk and Exploitability

The attack requires proximity to the vehicle’s CAN network and the ability to inject error frames. The CVSS score of 4.1 indicates a moderate severity; exploit probability data (EPSS) is not available, and the vulnerability is not listed in CISA’s KEV catalog. Because the technique relies on standard CAN error handling, an attacker with physical access could reproduce the bus‑off condition, but there is no evidence of widespread exploitation. The primary consequence is the compromise of anti‑theft protection, allowing the vehicle to remain operable without proper authorization while other systems continue functioning normally.

Generated by OpenCVE AI on May 29, 2026 at 15:45 UTC.

Remediation

Vendor Solution

Treat absence of the WCM heartbeat as a security event in peer ECUs — command shutdown if the WCM's periodic message is missing beyond a bounded interval. Authenticate the heartbeat with AUTOSAR SecOC or equivalent to prevent post-silence spoofing. Auto-recover the WCM from bus-off and log the event.
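
A sketch of the peer-ECU side of this mitigation, added here as an illustration and not vendor or OpenCVE code: a heartbeat supervisor that latches shutdown when the WCM goes silent and refuses to let unauthenticated or replayed frames refresh the timer. The timeout value, the freshness-counter scheme and all names are assumptions (the advisory withholds protocol details), and the MAC check is represented by a flag supplied by the SecOC layer.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical bound: the advisory does not publish the real period. */
#define WCM_HB_TIMEOUT_MS 300u

typedef enum { HB_OK, HB_SHUTDOWN } hb_state_t;

typedef struct {
    uint32_t last_rx_ms;   /* time of the last accepted heartbeat */
    uint32_t last_fresh;   /* last accepted freshness counter value */
    uint32_t events;       /* count of logged security events */
    hb_state_t state;
} hb_monitor_t;

/* The timeout clock runs from power-up, so a WCM that never speaks
 * is caught as well as one that falls silent later. */
void hb_init(hb_monitor_t *m, uint32_t now_ms) {
    m->last_rx_ms = now_ms; m->last_fresh = 0; m->events = 0; m->state = HB_OK;
}

/* Call for every received WCM heartbeat. mac_ok is the verdict of the
 * SecOC (or equivalent) MAC verification, performed elsewhere. */
bool hb_on_frame(hb_monitor_t *m, uint32_t now_ms, uint32_t fresh, bool mac_ok) {
    if (!mac_ok || fresh <= m->last_fresh) {  /* forged or replayed frame */
        m->events++;
        return false;                         /* must not refresh the timer */
    }
    m->last_fresh = fresh;
    m->last_rx_ms = now_ms;
    return true;
}

/* Call periodically. Unsigned subtraction stays correct when the
 * millisecond tick counter wraps around. */
hb_state_t hb_tick(hb_monitor_t *m, uint32_t now_ms) {
    if (m->state == HB_OK &&
        (uint32_t)(now_ms - m->last_rx_ms) > WCM_HB_TIMEOUT_MS) {
        m->state = HB_SHUTDOWN;  /* latched: silence is a security event */
        m->events++;
    }
    return m->state;
}
```

The shutdown state is latched in this sketch, so a heartbeat that resumes after bus-off recovery does not by itself re-enable operation; whether to require a fresh unlock at that point is a design decision for the integrator.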


OpenCVE Recommended Actions

  • Apply the vendor‑provided mitigation that treats the absence of the WCM heartbeat as a security event, initiates engine shutdown, uses AUTOSAR SecOC or equivalent to authenticate the heartbeat (CWE‑440), logs the event, and recovers from bus‑off.
  • Ensure that only authorized ECUs are allowed to send CAN error frames or influence the WCM’s transmit error counter; enforce least‑privilege access control (CWE‑693).
  • Implement strict bounds checking on the WCM transmit error counter thresholds and enforce a timeout for bus‑off recovery to prevent silent idle states from being interpreted as normal operation (CWE‑754).

Generated by OpenCVE AI on May 29, 2026 at 15:45 UTC.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:30:00 +0000

Values added (none removed):
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 16:00:00 +0000

Values added (none removed):
First Time appeared: Indian Motorcycle; Indian Motorcycle scout Bobber + Tech
Vendors & Products: Indian Motorcycle; Indian Motorcycle scout Bobber + Tech

Fri, 29 May 2026 13:45:00 +0000

Values added (none removed):
Description: Expected behavior violation in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the motorcycle's anti-theft shutdown by forcing the Wireless Control Module (WCM) into the CAN bus-off state. Using a well-known CAN error-frame injection technique against a periodic WCM transmission, the attacker drives the WCM CAN controller's transmit error counter past the bus-off threshold, after which the WCM stops transmitting all messages, including the shutdown command. Peer ECUs do not interpret WCM silence as a security event and continue normal operation, allowing the motorcycle to be operated despite the immobilizer never having been unlocked. Specific protocol details have been withheld pending vendor remediation.
Title: Indian Scout Bobber 2025 WCM CAN bus-off attack silently bypasses anti-theft shutdown
Weaknesses: CWE-440, CWE-693, CWE-754
References:
Metrics:
cvssV3_1 {'score': 4.6, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
cvssV4_0 {'score': 4.1, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ASRG

Published:

Updated: 2026-05-29T15:26:58.445Z

Reserved: 2026-05-29T07:26:43.198Z

Link: CVE-2026-49316

Vulnrichment

Updated: 2026-05-29T15:26:55.163Z

NVD

Status: Deferred

Published: 2026-05-29T14:16:32.480

Modified: 2026-05-29T15:11:03.853

Link: CVE-2026-49316

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T16:00:15Z

Weaknesses