Description
Weak authentication in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the user-set unlock PIN by passively observing a single PIN authentication exchange. The Infotainment Digital Round display computes its response using a non-cryptographic operation rather than a cryptographic challenge-response, so the PIN is mathematically derivable from one captured exchange, defeating the motorcycle's primary user-authentication control. Specific protocol details have been withheld pending vendor remediation.
Published: 2026-05-29
Score: 4.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Weak authentication in the Wireless Control Module of the Indian Motorcycle Scout Bobber + Tech 2025 model allows an attacker on an adjacent network, with read access to the in‑vehicle network, to recover the user‑set unlock PIN by passively observing a single authentication exchange. The infotainment system uses a non‑cryptographic operation to compute its response, making the PIN mathematically derivable, which undermines the motorcycle’s primary user‑authentication control and permits an attacker to unlock the vehicle without the user’s knowledge.

Affected Systems

The vulnerability affects Indian Motorcycle vehicles, specifically the Scout Bobber + Tech 2025 model year, where the infotainment digital round display communicates with the Wireless Control Module. No other products or older model years are listed, and the manufacturer identifies only the 2025 model as impacted.

Risk and Exploitability

The CVSS score of 4.1 indicates moderate severity; the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The attack does not require advanced skills or credentials beyond proximity and the ability to read the local in‑vehicle network traffic. The exploit is passive, relying on a single captured exchange, and therefore is relatively easy to execute for an attacker within range.

Generated by OpenCVE AI on May 29, 2026 at 08:50 UTC.

Remediation

Vendor Solution

Replace the non-cryptographic response computation with a digital signature (for example ECDSA P-256) or an HMAC over a fresh per-session random nonce, bound to a stable per-vehicle identifier to prevent cross-bike replay.


OpenCVE Recommended Actions

  • Deploy the vendor’s firmware update that replaces the weak non‑cryptographic response algorithm with a secure cryptographic challenge‑response, such as ECDSA P‑256 or HMAC over a fresh per‑session random nonce bound to a vehicle identifier
  • Implement network segmentation or firewall rules on the vehicle’s OBD/CAN interface to restrict the Wireless Control Module’s connectivity to the infotainment system, limiting the exposure to adjacent attackers
  • Configure the vehicle’s monitoring system to detect and alert on anomalous PIN authentication traffic or any unauthorized read attempts on the CAN bus, providing early warning of exploitation attempts

Generated by OpenCVE AI on May 29, 2026 at 08:50 UTC.
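
The remediation above (an HMAC over a fresh per-session random nonce, bound to a stable per-vehicle identifier) can be sketched as follows. This is an added example, not vendor code and not modelled on the withheld protocol. The class, function, label and identifier names are hypothetical, and it assumes a provisioned high-entropy shared key; the user PIN must not serve as the key, since a short PIN can be guessed offline from one observed exchange.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # 128-bit per-session challenge
LABEL = b"pin-auth-v1"  # hypothetical domain-separation label


def _mac(key: bytes, vehicle_id: bytes, nonce: bytes) -> bytes:
    # Length-prefix the identifier so (id, nonce) pairs cannot be re-split.
    msg = LABEL + len(vehicle_id).to_bytes(2, "big") + vehicle_id + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


class Verifier:
    """Challenger side (hypothetical): issues nonces and checks responses."""

    def __init__(self, key: bytes, vehicle_id: bytes):
        self._key, self._vehicle_id = key, vehicle_id
        self._pending = None  # at most one outstanding challenge

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(NONCE_LEN)
        return self._pending

    def verify(self, response: bytes) -> bool:
        nonce, self._pending = self._pending, None  # single use, pass or fail
        if nonce is None:
            return False
        expected = _mac(self._key, self._vehicle_id, nonce)
        return hmac.compare_digest(expected, response)


def respond(key: bytes, vehicle_id: bytes, nonce: bytes) -> bytes:
    """Responder side: proves knowledge of the key for this vehicle and nonce."""
    return _mac(key, vehicle_id, nonce)


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed; high-entropy, never the PIN
    bike_a, bike_b = b"VEHICLE-A-CONSTRUCTED", b"VEHICLE-B-CONSTRUCTED"
    v = Verifier(key, bike_a)
    captured = respond(key, bike_a, v.challenge())
    results = {"fresh": v.verify(captured)}
    v.challenge()
    results["replayed"] = v.verify(captured)  # old response, new nonce
    results["cross_bike"] = v.verify(respond(key, bike_b, v.challenge()))
    results["no_challenge"] = v.verify(captured)
    return results
```

`demo()` accepts only the fresh response; the replayed response, the response computed for a different vehicle identifier, and a response sent with no outstanding challenge are all rejected.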


Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Indian Motorcycle; Indian Motorcycle scout Bobber + Tech |
| Vendors & Products | | Indian Motorcycle; Indian Motorcycle scout Bobber + Tech |

Fri, 29 May 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| References | | |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Fri, 29 May 2026 14:45:00 +0000


Fri, 29 May 2026 07:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Weak authentication in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the user-set unlock PIN by passively observing a single PIN authentication exchange. The Infotainment Digital Round display computes its response using a non-cryptographic operation rather than a cryptographic challenge-response, so the PIN is mathematically derivable from one captured exchange, defeating the motorcycle's primary user-authentication control. Specific protocol details have been withheld pending vendor remediation. |
| Title | | Indian Scout Bobber 2025 Infotainment-to-WCM weak authentication allows recovery of user PIN from observed exchange |
| Weaknesses | | CWE-1390; CWE-294; CWE-327 |
| References | | |
| Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}; cvssV4_0: {'score': 4.1, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: ASRG

Published:

Updated: 2026-05-29T15:01:20.202Z

Reserved: 2026-05-29T07:26:43.199Z

Link: CVE-2026-49322

Vulnrichment

Updated: 2026-05-29T15:01:16.680Z

NVD

Status: Deferred

Published: 2026-05-29T08:16:19.060

Modified: 2026-05-29T15:16:24.487

Link: CVE-2026-49322

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:47:28Z

Weaknesses