Description
Uncontrolled resource consumption in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with write access to the in-vehicle network to permanently immobilize the motorcycle. The WCM enforces a brute-force lockout on the immobilizer authentication algorithm, but the lockout counter is reachable by any unauthenticated message, has no session binding, and does not reset on power cycle. An attacker can deliberately trip the lockout with a small number of crafted frames, leaving the bike un-startable until dealer service. Specific thresholds have been withheld pending vendor remediation.
Published: 2026-05-29
Score: 4.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw arises from an uncontrolled resource consumption in the Wireless Control Module of the Scout Bobber + Tech 2025. An attacker can manipulate the brute‑force lockout counter, which is accessible via unauthenticated in‑vehicle messages, lacks a session binding, and never resets when the motorcycle powers off. By sending a few crafted frames the counter can be tripped, forcing the immobilizer to lock permanently unless dealer service restores it. This exploits weaknesses of access control, inadequate input validation and a lack of resource limits.

Affected Systems

Indian Motorcycle (Polaris Inc.) Scout Bobber + Tech 2025 model year vehicles are affected. The vulnerability resides in the vehicle’s WCM firmware and is only present in the 2025 model year series.

Risk and Exploitability

The CVSS score of 4.1 indicates a moderate severity. No EPSS score is available, and the issue is not listed in the CISA KEV catalog. The likely attack vector is an adjacent‑network attacker who can inject write‑capable frames into the in‑vehicle network, which typically requires physical proximity or a compromised nearby device. If such access is achieved, the attacker can easily move the lockout counter and permanently disable the vehicle's starting capability. The absence of a reset on power cycle increases the persistence of the effect, making the exploit a serious operational risk for owners.

Generated by OpenCVE AI on May 29, 2026 at 13:21 UTC.

Remediation

Vendor Solution

Bind the brute-force counter to an authorized WCM↔ECM session token, rate-limit on a sliding window, and provide an owner-recoverable unlock path (e.g., PIN re-entry at the Digital Round) instead of dealer-only recovery.

OpenCVE Recommended Actions

  • Deploy the vendor’s firmware update that binds the brute‑force counter to an authenticated WCM↔ECM session token and introduces sliding‑window rate limiting
  • Enable the owner‑recoverable unlock path, such as a PIN re‑entry at the Digital Round, to allow owners to recover without dealer service
  • Verify that the lockout counter resets after a vehicle power cycle, ensuring the fix restores normal operational state

Generated by OpenCVE AI on May 29, 2026 at 13:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Indian Motorcycle
Indian Motorcycle scout Bobber + Tech
Vendors & Products Indian Motorcycle
Indian Motorcycle scout Bobber + Tech

Fri, 29 May 2026 15:30:00 +0000

Type Values Removed Values Added
References

Fri, 29 May 2026 14:45:00 +0000

Type Values Removed Values Added
References

Fri, 29 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 12:45:00 +0000

Type Values Removed Values Added
Description Uncontrolled resource consumption in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with write access to the in-vehicle network to permanently immobilize the motorcycle. The WCM enforces a brute-force lockout on the immobilizer authentication algorithm, but the lockout counter is reachable by any unauthenticated message, has no session binding, and does not reset on power cycle. An attacker can deliberately trip the lockout with a small number of crafted frames, leaving the bike un-startable until dealer service. Specific thresholds have been withheld pending vendor remediation.
Title Indian Scout Bobber 2025 WCM brute-force
Weaknesses CWE-307
CWE-400
CWE-770
References
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 4.1, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Indian Motorcycle Scout Bobber + Tech
cve-icon MITRE

Status: PUBLISHED

Assigner: ASRG

Published:

Updated: 2026-05-29T13:48:34.382Z

Reserved: 2026-05-29T07:26:43.199Z

Link: CVE-2026-49324

cve-icon Vulnrichment

Updated: 2026-05-29T13:29:15.971Z

cve-icon NVD

Status : Deferred

Published: 2026-05-29T13:16:23.557

Modified: 2026-05-29T15:16:24.753

Link: CVE-2026-49324

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T15:46:38Z

Weaknesses