Severity by source
CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (ASRG) · only source for this CVE.
CVSS VectorVendor: ASRG
CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Expected behavior violation in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the motorcycle's anti-theft shutdown by forcing the Wireless Control Module (WCM) into the CAN bus-off state. Using a well-known CAN error-frame injection technique against a periodic WCM transmission, the attacker drives the WCM CAN controller's transmit error counter past the bus-off threshold, after which the WCM stops transmitting all messages, including the shutdown command. Peer ECUs do not interpret WCM silence as a security event and continue normal operation, allowing the motorcycle to be operated despite the immobilizer never having been unlocked. Specific protocol details have been withheld pending vendor remediation.
AnalysisAI
CAN bus error-frame injection on the 2025 Indian Motorcycle Scout Bobber + Tech defeats the Wireless Control Module (WCM)-enforced immobilizer, enabling vehicle operation without legitimate anti-theft deactivation. An attacker within physical or adjacent proximity drives the WCM's CAN controller into bus-off state by incrementing its transmit error counter past the threshold, permanently silencing the WCM's periodic shutdown command. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be within physical proximity to the motorcycle sufficient to reach the OBD-II port or the WCM's wireless interface - the exact required distance is unconfirmed due to a conflict between the CVE description's 'adjacent-network' characterization and the CVSS AV:P vector (see risk assessment). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 4.1 (Medium) is driven by AV:P (Physical attack vector), which bounds exploitation to actors within direct or adjacent range of the vehicle, and AT:P (Attack Requirements: Present), indicating the WCM must be actively transmitting - its normal operating state - for the attack to proceed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker carrying a commodity USB-to-CAN adapter and a laptop approaches a parked 2025 Scout Bobber + Tech in a public space, accesses the CAN bus via the OBD-II diagnostic port or via the WCM wireless interface, and transmits malformed CAN error frames timed to collide with the WCM's periodic immobilizer-state broadcasts. Within seconds to minutes, the WCM's transmit error counter reaches 255 and the module enters bus-off, permanently silencing its shutdown command for the remainder of the power cycle. … |
| Remediation | No vendor-released patch has been identified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Scout Bobber Tech
View allAnti-theft bypass in the 2025 Indian Motorcycle Scout Bobber + Tech allows a physical attacker who can access the Wirele
Permanent denial-of-service against the 2025 Indian Motorcycle Scout Bobber + Tech's Wireless Control Module (WCM) allow
Immobilizer bypass in the 2025 Indian Motorcycle Scout Bobber + Tech (Polaris Inc.) allows a physically adjacent attacke
The Wireless Control Module (WCM) in the 2025 Indian Motorcycle Scout Bobber + Tech exposes the user-set vehicle unlock
PIN screen authentication bypass in the 2025 Indian Motorcycle Scout Bobber + Tech Infotainment / Digital Round display
PIN entry bypass in the Indian Motorcycle Scout Bobber + Tech 2025 infotainment system allows an attacker with physical
Same weakness CWE-440 – Expected Behavior Violation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33293
GHSA-xpm6-xp6j-7w29