CVE Catalog

CVE-2026-49325

MediumCVSS 4.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

6th percentile - higher than 6% of all known CVEs

Summary

A vulnerability in the Indian Motorcycle Scout Bobber + Tech (2025 model year) allows a physical attacker with access to the Wireless Control Module (WCM) wiring harness to bypass the anti-theft shutdown. The WCM signals shutdown to a peer ECU via a falling-edge voltage transition on a dedicated wire pair, but the receiving ECU does not distinguish between an active shutdown pulse and an open-circuit/disconnected condition. Interrupting the relevant wires leaves the motorcycle fully operable even though the WCM never validated the rider's PIN.

Risk Assessment

The risk is that the motorcycle can be stolen without knowledge of the PIN, as an attacker can physically interrupt the signal wires, preventing the anti-theft system from disabling the vehicle. The vulnerability requires physical access to the wiring harness but does not require advanced technical skills.

Recommendation

It is recommended to immediately apply vendor patches once available and consider physically securing the WCM wiring harness against unauthorized access. Until a fix is released, monitor vendor communications and avoid leaving the motorcycle unattended in public places.

Original NVD description (English source)

Improper handling of physical conditions in the bike-shutdown control of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows a physical attacker with access to the Wireless Control Module (WCM) wiring harness to bypass the anti-theft shutdown. The WCM signals shutdown to a peer ECU via a falling-edge voltage transition on a dedicated wire pair. The receiving ECU does not distinguish between an active shutdown pulse and an open-circuit / disconnected condition; interrupting the relevant wires leaves the motorcycle fully operable even though the WCM never validated the rider's PIN. Specific connector details have been withheld pending vendor remediation.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS