Description
Improper handling of physical conditions in the bike-shutdown control of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows a physical attacker with access to the Wireless Control Module (WCM) wiring harness to bypass the anti-theft shutdown. The WCM signals shutdown to a peer ECU via a falling-edge voltage transition on a dedicated wire pair. The receiving ECU does not distinguish between an active shutdown pulse and an open-circuit / disconnected condition; interrupting the relevant wires leaves the motorcycle fully operable even though the WCM never validated the rider's PIN. Specific connector details have been withheld pending vendor remediation.
Published: 2026-05-29
Score: 4.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The fault is in the way the bike’s shutdown circuitry processes a physical signal from the Wireless Control Module (WCM). The WCM normally signals a shutdown by sending a falling‑edge voltage on a dedicated wire pair. The ECU that receives this signal treats a missing pulse the same way it treats an active shutdown pulse, so an open circuit or disconnected cable is interpreted as a legitimate shutdown command. Because no PIN or authentication is checked when the shutdown signal reaches the ECU, a physical attacker can simply cut or disconnect the WCM wiring harness and keep the motorcycle operating, effectively disabling the anti‑theft feature. This flaw constitutes a loss of an integrity‑controlled security function and allows a physically present attacker to steal or tamper with the vehicle. The weakness maps to CWE‑1384 (Faulty Cancellation of an Anti‑Theft Control), CWE‑693 (Improper Management of Key Material), and CWE‑754 (Improper Restriction of Memory Access).

Affected Systems

Indian Motorcycle (Polaris Inc.) Scout Bobber + Tech 2025 model year. No other vendors or product variants are listed as affected, and the specific connector details are currently withheld pending vendor remediation.

Risk and Exploitability

The CVSS score of 4.1 indicates moderate severity, but the exploitability vector is narrow: an attacker must physically access and disturb the WCM wiring harness. There is no evidence of remote code execution or software‑only attacks; the attack requires direct manipulation of the vehicle’s hardware. Because EPSS data is unavailable and the vulnerability is not catalogued in CISA’s KEV list, the perceived likelihood of widespread exploitation is low. Nonetheless, any entity that could be targeted for theft should treat this flaw as a risk that can be mitigated once the vendor’s fix is applied, especially in environments where the motorcycle is used regularly without frequently cycling the anti‑theft system.

Generated by OpenCVE AI on May 29, 2026 at 15:45 UTC.

Remediation

Vendor Solution

Use a positive-validation heartbeat: the receiving ECU should require a periodic rising-edge or signed message from the WCM and treat its absence as the shutdown command (fail-secure). Combine with CAN-A liveness validation. Add tamper-evident sealing on the WCM connector.
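The fail-secure behaviour described above, sketched as receiver-side logic next to a fail-open receiver. This is an added example, not vendor firmware or OpenCVE code. The type and function names, the 200 ms timeout, the 10 ms sampling period and the signal traces are all assumptions made for illustration. It models only the rising-edge heartbeat, not the signed-message or CAN-A liveness options.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define HB_TIMEOUT_MS 200u /* assumed: longest tolerated gap between heartbeats */
#define STEP_MS 10u        /* assumed sampling period */
typedef struct { bool last; uint32_t last_beat_ms; bool run; } hb_mon_t;
typedef struct { bool last; bool run; } edge_mon_t;

/* Fail-secure: run permission is re-earned by every rising edge and expires. */
static bool hb_sample(hb_mon_t *m, bool level, uint32_t now_ms) {
    if (level && !m->last) { m->last_beat_ms = now_ms; m->run = true; }
    if (now_ms - m->last_beat_ms > HB_TIMEOUT_MS) m->run = false;
    m->last = level;
    return m->run;
}

/* Fail-open model (assumed): only an observed falling edge revokes run. */
static bool edge_sample(edge_mon_t *m, bool level) {
    if (m->last && !level) m->run = false;
    m->last = level;
    return m->run;
}

/* Constructed trace: WCM requests shutdown at 500 ms; from open_at_ms on the
 * receiver input is modelled as no longer changing. Returns state at 1000 ms. */
bool edge_only_runs_at_end(uint32_t open_at_ms) {
    edge_mon_t m = { true, true };
    bool run = true;
    for (uint32_t t = 0; t <= 1000u; t += STEP_MS) {
        bool wcm = t < 500u;
        run = edge_sample(&m, t < open_at_ms ? wcm : m.last);
    }
    return run;
}

/* Constructed trace: 100 ms heartbeat until open_at_ms. State at check_ms. */
bool heartbeat_runs_at(uint32_t check_ms, uint32_t open_at_ms) {
    hb_mon_t m = { false, 0u, false }; /* locked until the first heartbeat */
    bool run = false;
    for (uint32_t t = 0; t <= check_ms; t += STEP_MS)
        run = hb_sample(&m, t < open_at_ms ? ((t / 50u) % 2u) == 1u : m.last, t);
    return run;
}

int main(void) {
    printf("edge-only, line open at 300 ms: run=%d\n", edge_only_runs_at_end(300u));
    printf("heartbeat, line open at 300 ms: run=%d\n", heartbeat_runs_at(1000u, 300u));
    return 0;
}
```

The heartbeat monitor revokes run permission within one timeout window of the line going silent, whatever the cause, which is the property a firmware test should assert.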


OpenCVE Recommended Actions

  • Upgrade the vehicle’s firmware to implement a positive‑validation heartbeat requiring a periodic rising‑edge or signed message from the WCM and treating the absence of such a message as a shutdown command; enable CAN‑A liveness validation to detect any loss of connectivity.
  • Add tamper‑evident sealing on the WCM connector to expose any physical tampering or disconnection attempts.
  • Verify that the ECU firmware checks for a transitioning shutdown pulse and rejects an open‑circuit condition, ensuring that mere disconnection cannot trigger an operational state.

Generated by OpenCVE AI on May 29, 2026 at 15:45 UTC.

Advisories

No advisories yet.

History

Fri, 29 May 2026 17:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 16:00:00 +0000

Type: First Time appeared
Values Added: Indian Motorcycle; Indian Motorcycle scout Bobber + Tech

Type: Vendors & Products
Values Added: Indian Motorcycle; Indian Motorcycle scout Bobber + Tech

Fri, 29 May 2026 13:45:00 +0000

Type: Description
Values Added: Improper handling of physical conditions in the bike-shutdown control of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows a physical attacker with access to the Wireless Control Module (WCM) wiring harness to bypass the anti-theft shutdown. The WCM signals shutdown to a peer ECU via a falling-edge voltage transition on a dedicated wire pair. The receiving ECU does not distinguish between an active shutdown pulse and an open-circuit / disconnected condition; interrupting the relevant wires leaves the motorcycle fully operable even though the WCM never validated the rider's PIN. Specific connector details have been withheld pending vendor remediation.

Type: Title
Values Added: Indian Scout Bobber 2025 WCM voltage-based shutdown

Type: Weaknesses
Values Added: CWE-1384; CWE-693; CWE-754

Type: References

Type: Metrics
Values Added:
cvssV3_1 {'score': 4.6, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
cvssV4_0 {'score': 4.1, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ASRG

Published:

Updated: 2026-05-29T15:27:16.405Z

Reserved: 2026-05-29T07:26:43.199Z

Link: CVE-2026-49325

Vulnrichment

Updated: 2026-05-29T15:27:13.644Z

NVD

Status: Deferred

Published: 2026-05-29T14:16:33.067

Modified: 2026-05-29T15:11:03.853

Link: CVE-2026-49325

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T16:00:15Z
