CVE Catalog

CVE-2026-49322

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.10%

1th percentile - higher than 1% of all known CVEs

Summary

A vulnerability in the Wireless Control Module (WCM) of the 2025 Indian Motorcycle Scout Bobber + Tech allows an adjacent-network attacker with read access to the in-vehicle network to recover the user-set unlock PIN by passively observing a single PIN authentication exchange. The Infotainment Digital Round display computes its response using a non-cryptographic operation rather than a cryptographic challenge-response, so the PIN is mathematically derivable from one captured exchange, defeating the motorcycle's primary user-authentication control.

Risk Assessment

The risk is that an attacker can gain unauthorized access to the motorcycle by unlocking it without knowing the PIN, potentially leading to theft or manipulation of its systems.

Recommendation

It is recommended to immediately apply patches provided by the vendor once available and implement a stronger authentication mechanism based on cryptographic challenge-response.

Original NVD description (English source)

Weak authentication in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the user-set unlock PIN by passively observing a single PIN authentication exchange. The Infotainment Digital Round display computes its response using a non-cryptographic operation rather than a cryptographic challenge-response, so the PIN is mathematically derivable from one captured exchange, defeating the motorcycle's primary user-authentication control. Specific protocol details have been withheld pending vendor remediation.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS