CVE-2026-49325
MediumCVSS 4.6Exploitation Probability (EPSS)
Low risk6th percentile - higher than 6% of all known CVEs
Summary
A vulnerability in the Indian Motorcycle Scout Bobber + Tech (2025 model year) allows a physical attacker with access to the Wireless Control Module (WCM) wiring harness to bypass the anti-theft shutdown. The WCM signals shutdown to a peer ECU via a falling-edge voltage transition on a dedicated wire pair, but the receiving ECU does not distinguish between an active shutdown pulse and an open-circuit/disconnected condition. Interrupting the relevant wires leaves the motorcycle fully operable even though the WCM never validated the rider's PIN.
Risk Assessment
The risk is that the motorcycle can be stolen without knowledge of the PIN, as an attacker can physically interrupt the signal wires, preventing the anti-theft system from disabling the vehicle. The vulnerability requires physical access to the wiring harness but does not require advanced technical skills.
Recommendation
It is recommended to immediately apply vendor patches once available and consider physically securing the WCM wiring harness against unauthorized access. Until a fix is released, monitor vendor communications and avoid leaving the motorcycle unattended in public places.
Original NVD description (English source)
Improper handling of physical conditions in the bike-shutdown control of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows a physical attacker with access to the Wireless Control Module (WCM) wiring harness to bypass the anti-theft shutdown. The WCM signals shutdown to a peer ECU via a falling-edge voltage transition on a dedicated wire pair. The receiving ECU does not distinguish between an active shutdown pulse and an open-circuit / disconnected condition; interrupting the relevant wires leaves the motorcycle fully operable even though the WCM never validated the rider's PIN. Specific connector details have been withheld pending vendor remediation.

