Skip to main content

Scout Bobber Tech CVE-2026-49325

| EUVDEUVD-2026-33292 MEDIUM
Improper Handling of Physical or Environmental Conditions (CWE-1384)
2026-05-29 ASRG GHSA-c9x8-xp9p-g29g
4.1
CVSS 4.0 · Vendor: ASRG
Share

Severity by source

Vendor (ASRG) PRIMARY
4.1 MEDIUM
CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (ASRG) · only source for this CVE.

CVSS VectorVendor: ASRG

CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
CVSS changed
May 29, 2026 - 14:22 NVD
4.6 (MEDIUM) 4.1 (MEDIUM)
Analysis Generated
May 29, 2026 - 14:21 vuln.today

DescriptionCVE.org

Improper handling of physical conditions in the bike-shutdown control of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows a physical attacker with access to the Wireless Control Module (WCM) wiring harness to bypass the anti-theft shutdown. The WCM signals shutdown to a peer ECU via a falling-edge voltage transition on a dedicated wire pair. The receiving ECU does not distinguish between an active shutdown pulse and an open-circuit / disconnected condition; interrupting the relevant wires leaves the motorcycle fully operable even though the WCM never validated the rider's PIN. Specific connector details have been withheld pending vendor remediation.

AnalysisAI

Anti-theft bypass in the 2025 Indian Motorcycle Scout Bobber + Tech allows a physical attacker who can access the Wireless Control Module wiring harness to leave the motorcycle fully operable without ever supplying a valid rider PIN. The root flaw is a fail-open ECU design: the peer ECU cannot distinguish an authenticated WCM shutdown pulse from a simple open-circuit condition caused by disconnecting the relevant wire pair, so wire interruption silently suppresses the immobilizer. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain physical access to motorcycle
Delivery
Remove body panels to expose WCM harness
Exploit
Disconnect or cut shutdown signal wire pair
Execution
ECU defaults to operational state
Impact
Start and ride motorcycle without PIN

Vulnerability AssessmentAI

Exploitation Exploitation requires direct, hands-on physical access to the 2025 Indian Motorcycle Scout Bobber + Tech's Wireless Control Module wiring harness - confirmed by CVSS AV:P. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.6 (Medium) score is appropriate and principally deflated by AV:P (physical attack vector), which mandates hands-on access to the wiring harness - eliminating all remote and network-based exploitation paths. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A thief approaches a parked 2025 Indian Motorcycle Scout Bobber + Tech, removes one or more body panels to expose the WCM wiring harness connector, and physically disconnects or cuts the dedicated shutdown signal wire pair - an action requiring basic hand tools and no electronic equipment. The receiving ECU, unable to distinguish this open-circuit condition from a valid operational state, releases the immobilizer and allows the engine to start and the motorcycle to be ridden away without any PIN entry. …
Remediation No vendor-released patch has been identified at time of analysis; Polaris Inc. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49325 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy