Scout Bobber + Tech EUVD-2026-33289

CVE-2026-49324 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-05-29 ASRG GHSA-6x8x-4qf6-w7qg
4.1
CVSS 4.0 · Vendor: ASRG

Severity by source

Vendor (ASRG) PRIMARY
4.1 MEDIUM
CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (ASRG) · only source for this CVE.

CVSS Vector · Vendor: ASRG

Attack Vector: Physical
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

CVSS changed: May 29, 2026 - 13:22 (NVD), 4.6 (MEDIUM) → 4.1 (MEDIUM)
Analysis Generated: May 29, 2026 - 13:21 (vuln.today)

Description (CVE.org)

Uncontrolled resource consumption in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with write access to the in-vehicle network to permanently immobilize the motorcycle. The WCM enforces a brute-force lockout on the immobilizer authentication algorithm, but the lockout counter is reachable by any unauthenticated message, has no session binding, and does not reset on power cycle. An attacker can deliberately trip the lockout with a small number of crafted frames, leaving the bike un-startable until dealer service. Specific thresholds have been withheld pending vendor remediation.
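The lockout behaviour described above, modelled beside one possible hardened policy, as an added example (not vendor or ASRG code). The threshold, backoff window, challenge ids and all names are constructed assumptions; the real thresholds are withheld.

```c
#include <stdbool.h>
#include <stdint.h>

/* All values are constructed for illustration; the real thresholds are withheld. */
#define THRESHOLD     5u    /* failed attempts before lockout */
#define BACKOFF_TICKS 600u  /* hardened policy: lockout expires after this long */

typedef struct {
    bool     hardened;        /* false = behaviour described in the CVE */
    uint32_t fails;           /* non-volatile: survives power_cycle() */
    uint32_t locked_until;    /* non-volatile, hardened policy only */
    uint32_t open_challenge;  /* volatile: 0 means no challenge outstanding */
} wcm_model;

/* Only volatile state is lost; the failure counter persists. */
void power_cycle(wcm_model *m) { m->open_challenge = 0; }

/* The module issues a challenge to open an authentication session. */
void issue_challenge(wcm_model *m, uint32_t id) { m->open_challenge = id; }

bool can_start(const wcm_model *m, uint32_t now)
{
    return m->hardened ? now >= m->locked_until : m->fails < THRESHOLD;
}

/* Handle one authentication frame; returns true if it counted as a failure. */
bool on_auth_frame(wcm_model *m, uint32_t challenge_id, bool response_ok, uint32_t now)
{
    if (!can_start(m, now))
        return false;                      /* locked: nothing is accepted */
    if (m->hardened) {
        if (challenge_id == 0 || challenge_id != m->open_challenge)
            return false;                  /* unsolicited frame: dropped, not counted */
        m->open_challenge = 0;             /* one attempt per issued challenge */
    }
    if (response_ok) {
        m->fails = 0;
        return false;
    }
    if (++m->fails >= THRESHOLD && m->hardened) {
        m->locked_until = now + BACKOFF_TICKS;  /* bounded, self-clearing lockout */
        m->fails = 0;
    }
    return true;
}
```

In the hardened model a party on the bus can still cause a lockout by failing issued challenges, but it is time-bounded and clears without service.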

Analysis (AI)

Permanent denial-of-service against the 2025 Indian Motorcycle Scout Bobber + Tech's Wireless Control Module (WCM) allows an adjacent-network attacker with write access to the in-vehicle network to irreversibly immobilize the motorcycle by deliberately tripping an immobilizer lockout counter that persists across power cycles. The WCM's lockout counter accepts increments from any unauthenticated message without session binding, meaning a small number of crafted in-vehicle network frames is sufficient to trigger a permanent lockout condition requiring dealer intervention to resolve. …

Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Access: Gain physical proximity to target motorcycle
Delivery: Connect to in-vehicle network via OBD-II or diagnostic port
Exploit: Craft unauthenticated frames targeting WCM lockout counter
Execution: Transmit frames to increment counter beyond lockout threshold
Persist: Counter persists across power cycles
Impact: Immobilizer permanently locked, motorcycle un-startable

Vulnerability Assessment (AI)

Exploitation: Physical adjacency to the target motorcycle is required along with write access to the in-vehicle network bus, consistent with the CVSS:3.1 AV:P designation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS 3.1 base score of 4.6 (Medium) reflects the physical access requirement encoded in the vector (AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker with physical proximity to the target motorcycle - for example, a valet, mechanic, or someone with brief unattended access - connects to the in-vehicle network via the OBD-II diagnostic port and transmits a small number of crafted unauthenticated frames targeting the WCM lockout counter. Because the counter increments on any qualifying unauthenticated message and does not reset on power cycle, the motorcycle's immobilizer enters a permanent lockout state after the threshold is crossed, rendering the vehicle un-startable until the owner transports it to a dealer for service. …
Remediation: No vendor-released patch has been identified at time of analysis; the CVE description explicitly states that specific lockout thresholds have been withheld pending vendor remediation, indicating Polaris Inc. … Detailed patch versions, workarounds, and compensating controls in full report.
