Description
Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. The Infotainment uses presence of Wireless Control Module (WCM) traffic during its boot window as a proxy for whether an immobilizer is fitted; if no WCM messages are observed, it skips the PIN entry screen and shows the normal user interface. An attacker who silences the WCM during the boot window — for example via a separately tracked CAN bus-off technique — can present a fully unlocked Infotainment despite the PIN never being entered. Specific timing and protocol details have been withheld pending vendor remediation.
Published: 2026-05-29
Score: 1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Infotainment system in the Indian Motorcycle Scout Bobber + Tech 2025 model determines whether to prompt for a PIN by listening for Wireless Control Module traffic during a boot window. When no such traffic is detected, the system assumes an immobilizer is absent and skips the PIN entry screen, presenting the normal user interface. An attacker in proximity can silence the WCM by inducing a CAN bus-off state, causing the system to bypass the PIN requirement and appear fully unlocked. This flaw allows unauthorized individuals to access the vehicle without the legitimate PIN, effectively compromising vehicle security and potentially enabling further vehicle exploitation.

Affected Systems

Indian Motorcycle (Polaris Inc.) Scout Bobber + Tech 2025 infotainment system

Risk and Exploitability

The CVSS base score of 1 indicates a low severity level, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. The exploit requires a local or adjacent network presence, such as a CAN bus attack, and requires the attacker to silence the WCM during system boot. While the risk of exploitation in the wild is considered low, security-aware users should still treat the flaw with caution because it permits bypass of a fundamental security control.

Generated by OpenCVE AI on May 29, 2026 at 15:16 UTC.

Remediation

Vendor Solution

Fail secure on WCM absence: if the Infotainment cannot positively identify a WCM via signed challenge-response with a per-boot nonce, default to a locked screen indicating WCM service required, rather than skipping the PIN entry.


OpenCVE Recommended Actions

  • Apply the vendor’s security update that locks the infotainment screen when no WCM traffic is detected during boot.
  • Ensure the system implements a signed, per‑boot challenge‑response with the WCM to confirm its presence before allowing user access.
  • Secure diagnostic ports and employ network monitoring to detect and block unauthorized CAN bus‑off or other traffic manipulation attempts.

Generated by OpenCVE AI on May 29, 2026 at 15:16 UTC.
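
The fail-secure boot decision described under Vendor Solution and in the second recommended action, as an added Python model (not vendor or OpenCVE code). HMAC-SHA256 over a provisioned shared key stands in for the unspecified signature scheme; the key, the message label and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
from enum import Enum
from typing import Optional

class Screen(Enum):
    NORMAL_UI = "normal_ui"                  # unlocked interface
    PIN_ENTRY = "pin_entry"                  # user must still enter the PIN
    LOCKED_SERVICE = "wcm_service_required"  # fail-secure state

def new_boot_nonce() -> bytes:
    """Fresh random challenge for every boot, so an old response cannot be reused."""
    return secrets.token_bytes(16)

def wcm_respond(key: bytes, nonce: bytes) -> bytes:
    """WCM side (assumed scheme): authenticate this boot's nonce with the shared key."""
    return hmac.new(key, b"wcm-presence" + nonce, hashlib.sha256).digest()

def decide_by_presence(wcm_frames_in_boot_window: int) -> Screen:
    """Behaviour the advisory describes: silence is read as 'no immobilizer fitted'."""
    return Screen.PIN_ENTRY if wcm_frames_in_boot_window > 0 else Screen.NORMAL_UI

def decide_fail_secure(key: bytes, nonce: bytes, response: Optional[bytes]) -> Screen:
    """Only a valid answer to this boot's nonce reaches PIN entry; everything else locks."""
    if response is None:  # WCM silent or timed out
        return Screen.LOCKED_SERVICE
    if not hmac.compare_digest(wcm_respond(key, nonce), response):
        return Screen.LOCKED_SERVICE  # wrong key, corrupted or replayed response
    return Screen.PIN_ENTRY

def demo() -> dict:
    key = bytes(range(32))  # constructed sample key, not a real value
    previous_nonce, nonce = new_boot_nonce(), new_boot_nonce()
    return {
        "presence_silent": decide_by_presence(0),
        "secure_silent": decide_fail_secure(key, nonce, None),
        "secure_replay": decide_fail_secure(key, nonce, wcm_respond(key, previous_nonce)),
        "secure_valid": decide_fail_secure(key, nonce, wcm_respond(key, nonce)),
    }

if __name__ == "__main__":
    for case, screen in demo().items():
        print(f"{case}: {screen.value}")
```

In the hardened function no input leads to the unlocked interface; a verified WCM only advances the boot to the PIN prompt.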

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Values Removed: (none)
Values Added:
  • First Time appeared: Indian Motorcycle; Indian Motorcycle scout Bobber + Tech
  • Vendors & Products: Indian Motorcycle; Indian Motorcycle scout Bobber + Tech

Fri, 29 May 2026 15:30:00 +0000

Values Removed: (none)
Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 13:45:00 +0000

Values Removed: (none)
Values Added:
  • Description: Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. The Infotainment uses presence of Wireless Control Module (WCM) traffic during its boot window as a proxy for whether an immobilizer is fitted; if no WCM messages are observed, it skips the PIN entry screen and shows the normal user interface. An attacker who silences the WCM during the boot window — for example via a separately tracked CAN bus-off technique — can present a fully unlocked Infotainment despite the PIN never being entered. Specific timing and protocol details have been withheld pending vendor remediation.
  • Title: Indian Scout Bobber 2025 Infotainment Digital Round skips PIN entry when WCM is silent at boot
  • Weaknesses: CWE-636, CWE-696, CWE-754
  • References
  • Metrics: cvssV3_1 {'score': 2.4, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
  • Metrics: cvssV4_0 {'score': 1, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ASRG

Published:

Updated: 2026-05-29T14:07:27.548Z

Reserved: 2026-05-29T07:26:43.198Z

Link: CVE-2026-49318

Vulnrichment

Updated: 2026-05-29T14:07:24.097Z

NVD

Status: Deferred

Published: 2026-05-29T14:16:32.780

Modified: 2026-05-29T15:11:03.853

Link: CVE-2026-49318

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:46:31Z

Weaknesses