
Scout Bobber + Tech · EUVD-2026-33257

CVE-2026-49322 · MEDIUM
Weak Authentication (CWE-1390)
2026-05-29 · ASRG · GHSA-cgpm-v8px-pmw8
CVSS 4.0 score: 4.1 · Vendor: ASRG

Severity by source

Vendor (ASRG) PRIMARY
4.1 MEDIUM
CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (ASRG) · only source for this CVE.

CVSS Vector (Vendor: ASRG)

Attack Vector: Physical
Attack Complexity: Low
Privileges Required: None
User Interaction: P
Scope: X

Lifecycle Timeline

CVSS changed: May 29, 2026 - 08:22 (NVD), 4.3 (MEDIUM) → 4.1 (MEDIUM)
Analysis generated: May 29, 2026 - 08:16 (vuln.today)

Description (CVE.org)

Weak authentication in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the user-set unlock PIN by passively observing a single PIN authentication exchange. The Infotainment Digital Round display computes its response using a non-cryptographic operation rather than a cryptographic challenge-response, so the PIN is mathematically derivable from one captured exchange, defeating the motorcycle's primary user-authentication control. Specific protocol details have been withheld pending vendor remediation.

Analysis (AI)

The Wireless Control Module (WCM) in the 2025 Indian Motorcycle Scout Bobber + Tech exposes the user-set vehicle unlock PIN through a fatally weak authentication design in the Infotainment Digital Round display. The display's PIN verification relies on a non-cryptographic computation, meaning a passive observer who captures a single complete authentication exchange from the in-vehicle network can mathematically recover the exact PIN - no brute-force or active interaction required. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Gain proximity to target motorcycle
Delivery: Passively capture single PIN authentication exchange
Exploit: Derive PIN mathematically from captured exchange
Execution: Authenticate to WCM with recovered PIN
Impact: Unlock and access motorcycle

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the attacker to be within wireless range of the target 2025 Indian Motorcycle Scout Bobber + Tech - the description specifies 'adjacent-network' access (note: the CVSS vector assigns AV:P/Physical, which may understate reach; verify with vendor). …

Risk Assessment: The CVSS 4.3 (Medium) score reflects meaningful attack constraints: AV:P (Physical), AC:L, PR:N, UI:R, C:H/I:N/A:N. …

Exploit Scenario: An attacker positions themselves within Bluetooth or in-vehicle wireless range of a parked 2025 Scout Bobber + Tech and runs a passive radio capture tool. When the legitimate owner authenticates with their PIN on the Infotainment Digital Round display - for example, to unlock the motorcycle after a stop - the attacker's tool records the single authentication exchange. …

Remediation: No vendor-released patch has been identified at time of analysis. …
