CVE Catalog

CVE-2026-49316

MediumCVSS 4.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile - higher than 8% of all known CVEs

Summary

A vulnerability in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech (2025 model) allows an adjacent-network attacker to bypass the anti-theft shutdown by forcing the WCM into CAN bus-off state. Using CAN error-frame injection, the attacker stops all WCM transmissions, including the shutdown command. Peer ECUs do not treat WCM silence as a security event and continue normal operation, enabling motorcycle operation without immobilizer unlock.

Risk Assessment

The risk is theft of the motorcycle by an attacker within CAN network range, without physical access to the key or immobilizer. The attack can be performed remotely from a nearby vehicle or device.

Recommendation

Immediately apply vendor-provided patches and implement mechanisms to detect and prevent CAN bus-off attacks, such as monitoring transmission error counters and implementing timeouts for critical messages.

Original NVD description (English source)

Expected behavior violation in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the motorcycle's anti-theft shutdown by forcing the Wireless Control Module (WCM) into the CAN bus-off state. Using a well-known CAN error-frame injection technique against a periodic WCM transmission, the attacker drives the WCM CAN controller's transmit error counter past the bus-off threshold, after which the WCM stops transmitting all messages, including the shutdown command. Peer ECUs do not interpret WCM silence as a security event and continue normal operation, allowing the motorcycle to be operated despite the immobilizer never having been unlocked. Specific protocol details have been withheld pending vendor remediation.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS