Description
Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. The Infotainment uses presence of Wireless Control Module (WCM) traffic during its boot window as a proxy for whether an immobilizer is fitted; if no WCM messages are observed, it skips the PIN entry screen and shows the normal user interface. An attacker who silences the WCM during the boot window — for example via a separately tracked CAN bus-off technique — can present a fully unlocked Infotainment despite the PIN never being entered. Specific timing and protocol details have been withheld pending vendor remediation.
Published: 2026-05-29
Score: 1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The infotainment system of the 2025 Scout Bobber+Tech incorrectly skips the PIN prompt when it does not detect Wireless Control Module (WCM) traffic during its boot window. Because the system uses WCM presence to infer that an immobilizer is installed, an attacker can silence the WCM by disabling the bus, causing the interface to appear unlocked without a PIN. This bypass allows an unauthorized user to access the infotainment functions and potentially further vehicle controls.

Affected Systems

Affected product is the Indian Motorcycle Scout Bobber + Tech 2025 infotainment system. No other variants or year models are explicitly listed. Only the 2025 model with the Digital Round display is mentioned.

Risk and Exploitability

The CVSS score for this flaw is 1, indicating a low overall severity. The EPSS score is not available, and the vulnerability is not in CISA's KEV catalog. The likely attack vector is through an adjacent CAN bus or a local network where the attacker can silence the WCM traffic during the boot window. Although the scoring suggests low exploitation probability, the impact of bypassing the PIN screen raises the risk for unauthorized vehicle access.

Generated by OpenCVE AI on May 29, 2026 at 15:21 UTC.

Remediation

Vendor Solution

Fail secure on WCM absence: if the Infotainment cannot positively identify a WCM via signed challenge-response with a per-boot nonce, default to a locked screen indicating WCM service required, rather than skipping the PIN entry.

OpenCVE Recommended Actions

  • Apply the vendor’s recommended fix: fail secure on WCM absence by locking the screen until WCM is positively identified.
  • Ensure WCM communications are actively monitored and not silenced during boot; maintain bus activity during vehicle startup.
  • Disable automatic PIN bypass in the vehicle’s network configuration if possible, requiring manual PIN entry regardless of WCM status.
  • Monitor for unusual silent periods on the WCM traffic within the vehicle’s diagnostic interface.

Generated by OpenCVE AI on May 29, 2026 at 15:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Indian Motorcycle
Indian Motorcycle scout Bobber + Tech
Vendors & Products Indian Motorcycle
Indian Motorcycle scout Bobber + Tech

Fri, 29 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. The Infotainment uses presence of Wireless Control Module (WCM) traffic during its boot window as a proxy for whether an immobilizer is fitted; if no WCM messages are observed, it skips the PIN entry screen and shows the normal user interface. An attacker who silences the WCM during the boot window — for example via a separately tracked CAN bus-off technique — can present a fully unlocked Infotainment despite the PIN never being entered. Specific timing and protocol details have been withheld pending vendor remediation.
Title Indian Scout Bobber 2025 Infotainment Digital Round skips PIN entry when WCM is silent at boot
Weaknesses CWE-636
CWE-696
CWE-754
References
Metrics cvssV3_1

{'score': 2.4, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

cvssV4_0

{'score': 1, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Indian Motorcycle Scout Bobber + Tech
cve-icon MITRE

Status: PUBLISHED

Assigner: ASRG

Published:

Updated: 2026-05-29T15:26:14.561Z

Reserved: 2026-05-29T07:26:43.198Z

Link: CVE-2026-49317

cve-icon Vulnrichment

Updated: 2026-05-29T15:26:11.728Z

cve-icon NVD

Status : Deferred

Published: 2026-05-29T14:16:32.630

Modified: 2026-05-29T15:11:03.853

Link: CVE-2026-49317

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T15:46:34Z

Weaknesses