Description
Weak authentication between the Wireless Control Module (WCM) and the Engine Control Module (ECM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the per-vehicle ECM immobilizer secret by passively observing a single seed/key exchange. The WCM derives its response using a reversible, non-cryptographic operation rather than a cryptographic challenge-response, so the persistent immobilizer secret can be reconstructed from one captured exchange. With this secret the attacker can authenticate to the ECM independently of the WCM and start the engine, defeating the immobilizer. Specific protocol details have been withheld pending vendor remediation.
Published: 2026-05-29
Score: 4.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Weak authentication between the Wireless Control Module and the Engine Control Module of the Indian Motorcycle Scout Bobber + Tech 2025 model allows an adjacent‑network attacker who can read the in‑vehicle bus to capture a single seed/key exchange. The WCM uses a reversible, non‑cryptographic operation to generate its response, enabling an attacker to reconstruct the persistent immobilizer secret from one captured message and then manually authenticate to the ECM, thereby starting the engine and bypassing the immobilizer.

Affected Systems

The vulnerability affects the 2025 Scout Bobber + Tech produced by Indian Motorcycle, a subsidiary of Polaris Inc. It involves the Wireless Control Module and the Engine Control Module that communicate over the vehicle’s internal network.

Risk and Exploitability

The CVSS score of 4.1 indicates moderate severity. No EPSS score is available and the vulnerability is not included in CISA’s KEV catalog. The likely attack vector is an attacker with read access to the vehicle’s internal network, which is typically possible when the vehicle is in proximity to other vehicles or infrastructure that can tap the bus. With such access the attacker can passively observe a single exchange and recover the immobilizer secret, after which they can impersonate the legitimate control module and start the engine.

Generated by OpenCVE AI on May 29, 2026 at 13:22 UTC.

Remediation

Vendor Solution

Replace the non-cryptographic authentication response with HMAC-SHA-256 or ECDSA over a fresh nonce, ECU identifier, and session counter; provision per-vehicle symmetric keys in tamper-resistant secure elements on both authenticating modules.

OpenCVE Recommended Actions

  • Replace the current non‑cryptographic authentication with a cryptographic challenge‑response using HMAC‑SHA‑256 or ECDSA over a fresh nonce, ECU identifier, and session counter.
  • Provision unique per‑vehicle symmetric keys in tamper‑resistant secure elements on both the WCM and ECM.
  • Deploy the updated firmware containing these changes to all affected Scout Bobber + Tech 2025 vehicles and validate that the immobilizer cannot be bypassed in integration testing.

Generated by OpenCVE AI on May 29, 2026 at 13:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Indian Motorcycle
Indian Motorcycle scout Bobber + Tech
Vendors & Products Indian Motorcycle
Indian Motorcycle scout Bobber + Tech

Fri, 29 May 2026 15:30:00 +0000

Type Values Removed Values Added
References

Fri, 29 May 2026 14:45:00 +0000

Type Values Removed Values Added
References

Fri, 29 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 12:45:00 +0000

Type Values Removed Values Added
Description Weak authentication between the Wireless Control Module (WCM) and the Engine Control Module (ECM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the per-vehicle ECM immobilizer secret by passively observing a single seed/key exchange. The WCM derives its response using a reversible, non-cryptographic operation rather than a cryptographic challenge-response, so the persistent immobilizer secret can be reconstructed from one captured exchange. With this secret the attacker can authenticate to the ECM independently of the WCM and start the engine, defeating the immobilizer. Specific protocol details have been withheld pending vendor remediation.
Title Indian Scout Bobber 2025 WCM-to-ECM weak authentication
Weaknesses CWE-1390
CWE-327
CWE-798
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 4.1, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Indian Motorcycle Scout Bobber + Tech
cve-icon MITRE

Status: PUBLISHED

Assigner: ASRG

Published:

Updated: 2026-05-29T13:44:56.770Z

Reserved: 2026-05-29T07:26:43.199Z

Link: CVE-2026-49323

cve-icon Vulnrichment

Updated: 2026-05-29T13:31:14.323Z

cve-icon NVD

Status : Deferred

Published: 2026-05-29T13:16:23.407

Modified: 2026-05-29T15:16:24.630

Link: CVE-2026-49323

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T15:46:40Z

Weaknesses