Severity by source
CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (ASRG) · only source for this CVE.
CVSS VectorVendor: ASRG
CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Uncontrolled resource consumption in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with write access to the in-vehicle network to permanently immobilize the motorcycle. The WCM enforces a brute-force lockout on the immobilizer authentication algorithm, but the lockout counter is reachable by any unauthenticated message, has no session binding, and does not reset on power cycle. An attacker can deliberately trip the lockout with a small number of crafted frames, leaving the bike un-startable until dealer service. Specific thresholds have been withheld pending vendor remediation.
AnalysisAI
Permanent denial-of-service against the 2025 Indian Motorcycle Scout Bobber + Tech's Wireless Control Module (WCM) allows an adjacent-network attacker with write access to the in-vehicle network to irreversibly immobilize the motorcycle by deliberately tripping an immobilizer lockout counter that persists across power cycles. The WCM's lockout counter accepts increments from any unauthenticated message without session binding, meaning a small number of crafted in-vehicle network frames is sufficient to trigger a permanent lockout condition requiring dealer intervention to resolve. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Physical adjacency to the target motorcycle is required along with write access to the in-vehicle network bus, consistent with the CVSS:3.1 AV:P designation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 4.6 (Medium) reflects the physical access requirement encoded in the vector (AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with physical proximity to the target motorcycle - for example, a valet, mechanic, or someone with brief unattended access - connects to the in-vehicle network via the OBD-II diagnostic port and transmits a small number of crafted unauthenticated frames targeting the WCM lockout counter. Because the counter increments on any qualifying unauthenticated message and does not reset on power cycle, the motorcycle's immobilizer enters a permanent lockout state after the threshold is crossed, rendering the vehicle un-startable until the owner transports it to a dealer for service. … |
| Remediation | No vendor-released patch has been identified at time of analysis; the CVE description explicitly states that specific lockout thresholds have been withheld pending vendor remediation, indicating Polaris Inc. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Scout Bobber Tech
View allCAN bus error-frame injection on the 2025 Indian Motorcycle Scout Bobber + Tech defeats the Wireless Control Module (WCM
Anti-theft bypass in the 2025 Indian Motorcycle Scout Bobber + Tech allows a physical attacker who can access the Wirele
Immobilizer bypass in the 2025 Indian Motorcycle Scout Bobber + Tech (Polaris Inc.) allows a physically adjacent attacke
The Wireless Control Module (WCM) in the 2025 Indian Motorcycle Scout Bobber + Tech exposes the user-set vehicle unlock
PIN screen authentication bypass in the 2025 Indian Motorcycle Scout Bobber + Tech Infotainment / Digital Round display
PIN entry bypass in the Indian Motorcycle Scout Bobber + Tech 2025 infotainment system allows an attacker with physical
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33289
GHSA-6x8x-4qf6-w7qg