Severity by source
CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (ASRG) · only source for this CVE.
CVSS VectorVendor: ASRG
CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. The Infotainment uses presence of Wireless Control Module (WCM) traffic during its boot window as a proxy for whether an immobilizer is fitted; if no WCM messages are observed, it skips the PIN entry screen and shows the normal user interface. An attacker who silences the WCM during the boot window - for example via a separately tracked CAN bus-off technique - can present a fully unlocked Infotainment despite the PIN never being entered. Specific timing and protocol details have been withheld pending vendor remediation.
AnalysisAI
PIN entry bypass in the Indian Motorcycle Scout Bobber + Tech 2025 infotainment system allows an attacker with physical proximity to the vehicle to access the fully unlocked infotainment interface without entering the correct PIN. The root cause (CWE-696, Incorrect Behavior Order) is that the system treats the presence of Wireless Control Module (WCM) CAN bus traffic during its startup boot window as a proxy for immobilizer detection, and skips PIN enforcement entirely when no WCM messages are observed - a condition an attacker can manufacture by silencing the WCM. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires physical access to the motorcycle's CAN bus (e.g., via the OBD/diagnostic port or a direct bus tap) during a specific startup boot window - the duration and exact timing of this window have been withheld by ASRG pending vendor remediation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 2.4 (Low) reflects significant physical constraints: AV:P (Physical access required), AC:L (Low attack complexity), PR:N (no privileges required), UI:N (no user interaction needed), with impact limited to C:L (Low confidentiality) and no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with access to the motorcycle's CAN bus - obtained via the OBD diagnostic port or a direct bus tap - initiates a CAN bus-off attack targeting the Wireless Control Module during the infotainment's startup boot window, suppressing all WCM messages. The infotainment interprets the absence of WCM traffic as evidence that no immobilizer is fitted and skips the PIN entry screen, presenting the fully unlocked user interface. … |
| Remediation | No vendor-released patch has been identified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Scout Bobber Tech
View allCAN bus error-frame injection on the 2025 Indian Motorcycle Scout Bobber + Tech defeats the Wireless Control Module (WCM
Anti-theft bypass in the 2025 Indian Motorcycle Scout Bobber + Tech allows a physical attacker who can access the Wirele
Permanent denial-of-service against the 2025 Indian Motorcycle Scout Bobber + Tech's Wireless Control Module (WCM) allow
Immobilizer bypass in the 2025 Indian Motorcycle Scout Bobber + Tech (Polaris Inc.) allows a physically adjacent attacke
The Wireless Control Module (WCM) in the 2025 Indian Motorcycle Scout Bobber + Tech exposes the user-set vehicle unlock
PIN screen authentication bypass in the 2025 Indian Motorcycle Scout Bobber + Tech Infotainment / Digital Round display
Same weakness CWE-696 – Incorrect Behavior Order
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33296
GHSA-x7xq-w72j-v4qx