PatchSiren cyber security CVE debrief
CVE-2026-49316 Indian Motorcycle (Polaris Inc.) CVE debrief
A medium-severity vulnerability in the 2025 Indian Motorcycle Scout Bobber + Tech allows adjacent-network attackers to bypass the anti-theft immobilizer by forcing the Wireless Control Module (WCM) into a CAN bus-off state. The attack exploits standard CAN error-frame injection against periodic WCM transmissions, driving the controller's transmit error counter past the bus-off threshold (typically 255 per ISO 11898-1). Once bus-off is triggered, the WCM ceases all CAN transmissions, including the shutdown command that would normally immobilize the motorcycle. Peer ECUs on the network do not treat WCM silence as a security anomaly and continue normal operation, permitting vehicle operation without proper immobilizer unlock. The vulnerability reflects an expected behavior violation (CWE-440) where the system fails to detect or respond to the absence of critical security messages. The CVSS 4.0 vector indicates physical attack vector (AV:P), low attack complexity (AC:L), and high availability impact (VA:H) to the immobilizer function. Specific protocol details have been withheld pending vendor remediation.
- Vendor
- Indian Motorcycle (Polaris Inc.)
- Product
- Scout Bobber + Tech
- CVSS
- MEDIUM 4.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-29
- Original CVE updated
- 2026-05-29
- Advisory published
- 2026-05-29
- Advisory updated
- 2026-05-29
Who should care
Owners and fleet operators of 2025 Indian Motorcycle Scout Bobber + Tech motorcycles; automotive security researchers; motorcycle dealership service departments; insurance providers covering motorcycle theft; physical security professionals assessing vehicle access controls
Technical summary
The vulnerability exists in the CAN network implementation of the 2025 Indian Motorcycle Scout Bobber + Tech. The Wireless Control Module (WCM), responsible for anti-theft immobilizer commands, can be forced into bus-off state through standard CAN error frame injection. When a CAN controller's transmit error counter exceeds 255, it enters bus-off and stops transmitting. The motorcycle's peer ECUs lack security logic to detect WCM silence as an anomaly, allowing continued operation without immobilizer unlock. This represents a failure to protect alternate paths (CWE-440) and missing protection mechanism (CWE-693) for critical security state transitions.
Defensive priority
medium
Recommended defensive actions
- Monitor for CAN bus error frame anomalies on Indian Motorcycle Scout Bobber + Tech 2025 models, particularly sudden increases in error counters on WCM node
- Implement CAN bus anomaly detection that treats unexpected ECU silence as a security event requiring failsafe immobilizer activation
- Review ECU firmware for missing bus-off recovery detection and implement heartbeat/timeout monitoring for critical security modules like WCM
- Contact Indian Motorcycle dealer or manufacturer for pending security updates and remediation timeline
- Consider physical security controls to limit adjacent-network attacker access to OBD-II or diagnostic ports
- resourceLinkAnnotations: [cve-org, nvd]
Evidence notes
CVE description confirms CAN bus-off attack against WCM; CVSS 4.0 vector AV:P/AC:L/AT:P/VA:H; CWE-440 (Expected Behavior Violation) cited as primary weakness; NVD status 'Deferred' indicates pending analysis; no KEV listing or known exploitation in ransomware campaigns
Official resources
-
CVE-2026-49316 CVE record
CVE.org
-
CVE-2026-49316 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
2026-05-29