Severity by source
CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (ASRG) · only source for this CVE.
Description (CVE.org)
Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. The Infotainment uses presence of Wireless Control Module (WCM) traffic during its boot window as a proxy for whether an immobilizer is fitted; if no WCM messages are observed, it skips the PIN entry screen and shows the normal user interface. An attacker who silences the WCM during the boot window - for example via a separately tracked CAN bus-off technique - can present a fully unlocked Infotainment despite the PIN never being entered. Specific timing and protocol details have been withheld pending vendor remediation.
Analysis (AI)
PIN screen authentication bypass in the 2025 Indian Motorcycle Scout Bobber + Tech Infotainment / Digital Round display allows a physically proximate attacker to reach the fully unlocked user interface without entering a PIN. The system's boot-sequence logic (CWE-696) uses the mere presence of Wireless Control Module (WCM) CAN bus traffic as a proxy for immobilizer-fitment, and silently drops the PIN gate when no WCM messages appear - a condition an attacker can manufacture by suppressing the WCM via a CAN bus-off technique during the boot window. …
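The decision order described above, modelled next to a fail-closed ordering. This is an added illustration, not vendor firmware or code from the advisory. All function and field names, and the latched non-volatile fitment flag used as the mitigation, are assumptions; no timing or protocol detail is modelled.

```c
#include <stdbool.h>

typedef enum { UI_UNLOCKED, UI_PIN_REQUIRED } ui_state_t;

typedef struct {
    ui_state_t ui;
    bool wcm_missing_fault;  /* diagnostic/tamper event to record */
} boot_decision_t;

/* Flawed order, as the description states it: silence from the WCM during
 * the boot window is read as "no immobilizer fitted", so the PIN gate is
 * skipped entirely (fail-open). */
ui_state_t decide_flawed(bool wcm_seen, bool pin_verified)
{
    if (!wcm_seen)
        return UI_UNLOCKED;
    return pin_verified ? UI_UNLOCKED : UI_PIN_REQUIRED;
}

/* Assumed mitigation: fitment is a latched non-volatile flag. Observed WCM
 * traffic can set it, but the absence of traffic can never clear it. */
bool latch_fitment(bool nv_fitted, bool wcm_seen)
{
    return nv_fitted || wcm_seen;
}

/* Hardened order: consult the latched flag first, then require the PIN.
 * A fitted unit whose WCM is silent stays locked and records a fault. */
boot_decision_t decide_hardened(bool nv_fitted, bool wcm_seen, bool pin_verified)
{
    boot_decision_t d = { UI_PIN_REQUIRED, false };

    if (!latch_fitment(nv_fitted, wcm_seen)) {
        d.ui = UI_UNLOCKED;          /* unit has never had a WCM */
        return d;
    }
    d.wcm_missing_fault = !wcm_seen; /* fitted but silent: surface it */
    if (pin_verified)
        d.ui = UI_UNLOCKED;
    return d;
}
```

The caller is expected to write the result of `latch_fitment` back to non-volatile storage on every boot, so that one observed WCM frame is enough to keep the gate in place on later boots.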
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires physical or near-physical access to the vehicle's CAN bus network, most practically via the OBD-II diagnostic port, to execute a CAN bus-off fault injection attack against the Wireless Control Module. … |
| Risk Assessment | The CVSS 3.1 score of 2.4 (Low) accurately reflects the genuine real-world risk ceiling. … |
| Exploit Scenario | An attacker with physical access to a parked 2025 Scout Bobber + Tech connects a commodity CAN bus interface (e.g., USB-CAN adapter) to the OBD-II port and transmits a CAN bus-off fault sequence targeting the Wireless Control Module before the rider powers on the infotainment. When the rider initiates boot, the infotainment observes no WCM traffic during its detection window, concludes no immobilizer is present, and bypasses the PIN screen - presenting the full unlocked infotainment UI. … |
| Remediation | No vendor-released patch has been identified at time of analysis. … |
EUVD-2026-33313
GHSA-mv66-48p3-pfm6