CVE-2026-49323
Indian Scout Bobber 2025 WCM-to-ECM weak authentication
Weak authentication between the Wireless Control Module (WCM) and the Engine Control Module (ECM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the per-vehicle ECM immobilizer secret by passively observing a single seed/key exchange. The WCM derives its response using a reversible, non-cryptographic operation rather than a cryptographic challenge-response, so the persistent immobilizer secret can be reconstructed from one captured exchange. With this secret the attacker can authenticate to the ECM independently of the WCM and start the engine, defeating the immobilizer. Specific protocol details have been withheld pending vendor remediation.
| CWE | CWE-1390 CWE-327 CWE-798 |
| Vendor | indian motorcycle (polaris inc.) |
| Product | scout bobber + tech |
| Published | May 29, 2026 |
| Last Updated | May 29, 2026 |
Get instant alerts for indian motorcycle (polaris inc.) scout bobber + tech
Be the first to know when new medium vulnerabilities affecting indian motorcycle (polaris inc.) scout bobber + tech are published โ delivered to Slack, Telegram or Discord.
CVSS v3 Breakdown
CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N