PatchSiren cyber security CVE debrief
CVE-2026-49317 Indian Motorcycle (Polaris Inc.) CVE debrief
A logic flaw in the Indian Motorcycle Scout Bobber + Tech 2025 infotainment system allows an adjacent-network attacker to bypass PIN authentication by suppressing Wireless Control Module (WCM) traffic during the boot window. The system incorrectly uses WCM message presence as a proxy for immobilizer status; absence of WCM traffic causes the PIN entry screen to be skipped entirely, presenting an unlocked interface without credential verification. The attack requires physical proximity and precise timing to silence WCM communications during system initialization. Specific technical details remain withheld pending vendor remediation.
- Vendor: Indian Motorcycle (Polaris Inc.)
- Product: Scout Bobber + Tech
- CVSS: LOW 1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Fleet operators with Indian Motorcycle Scout Bobber + Tech 2025 vehicles; motorcycle rental and sharing services; physical security teams responsible for vehicle access controls; automotive security researchers tracking infotainment system vulnerabilities; authorized Indian Motorcycle service centers managing firmware updates
Technical summary
The vulnerability stems from an incorrect behavior order (CWE-696) in the infotainment boot sequence. The system evaluates Wireless Control Module (WCM) traffic presence to determine whether an immobilizer is fitted, using this as a conditional gate for PIN entry screen display. When no WCM messages are detected during the boot window, the system proceeds directly to the normal user interface without PIN verification. This creates a fail-open condition (CWE-636) where suppression of expected communication—achievable through CAN bus-off techniques—results in unauthorized access. The attack requires adjacent-network positioning and precise timing alignment with the infotainment boot process. The CVSS 4.0 physical attack vector (AV:P) and partial timing (AT:P) reflect these constraints. Specific protocol details and timing parameters are withheld pending vendor remediation.
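The fail-open gate described above, set beside a fail-closed alternative, as an added C example that is not taken from the advisory or from the vendor's firmware. The frame sources, the 2000 ms boot window, the provisioning flag and the sample traces are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of the boot-time decision. All names, values and the
 * window length are assumptions for illustration, not vendor firmware. */
#define BOOT_WINDOW_MS 2000u                     /* assumed window length */

typedef enum { SRC_WCM, SRC_OTHER } frame_src_t;
typedef struct { uint32_t t_ms; frame_src_t src; } frame_t;
typedef enum { UI_UNLOCKED, UI_PIN_PROMPT, UI_LOCKED_FAULT } ui_state_t;

/* True if any WCM frame arrived inside the boot window. */
bool wcm_seen(const frame_t *f, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (f[i].src == SRC_WCM && f[i].t_ms < BOOT_WINDOW_MS)
            return true;
    return false;
}

/* Fail-open pattern from the advisory: bus traffic decides whether a PIN is
 * required, so silence is read as "no immobilizer fitted". */
ui_state_t gate_fail_open(const frame_t *f, size_t n)
{
    return wcm_seen(f, n) ? UI_PIN_PROMPT : UI_UNLOCKED;
}

/* Fail-closed alternative (an assumed design): the PIN requirement comes from
 * provisioned configuration, and a missing expected module is a fault. */
ui_state_t gate_fail_closed(bool immobilizer_provisioned,
                            const frame_t *f, size_t n)
{
    bool seen = wcm_seen(f, n);
    if (immobilizer_provisioned && !seen)
        return UI_LOCKED_FAULT;   /* expected peer silent: stay locked, log it */
    if (immobilizer_provisioned || seen)
        return UI_PIN_PROMPT;     /* any evidence of an immobilizer: ask */
    return UI_UNLOCKED;           /* provisioned without one and bus agrees */
}

/* Constructed sample traces, not captured traffic. */
const frame_t normal_boot[]   = { {120, SRC_OTHER}, {340, SRC_WCM}, {900, SRC_OTHER} };
const frame_t silenced_boot[] = { {120, SRC_OTHER}, {900, SRC_OTHER}, {2600, SRC_WCM} };
```

With the silenced trace the first gate returns the unlocked state, while the second stays locked and gives the unit an event worth logging for later review.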
Defensive priority
LOW
Recommended defensive actions
- Verify whether Indian Motorcycle Scout Bobber + Tech 2025 units in your fleet have the affected infotainment system and assess exposure based on physical access controls
- Monitor for vendor security bulletins or firmware updates from Indian Motorcycle addressing this authentication bypass
- Implement physical security controls to prevent unauthorized proximity access to vehicle CAN bus and infotainment systems during startup
- Review and strengthen access controls for maintenance and service environments where adjacent-network attacks could be staged
- Coordinate with Indian Motorcycle authorized service centers to obtain remediation timeline and patch availability
- Document this vulnerability in vehicle security risk assessments pending vendor-provided mitigation guidance
Evidence notes
Official CVE record published 2026-05-29T14:16:32.630Z; modified 2026-05-29T15:11:03.853Z. CVSS 4.0 vector indicates physical attack vector (AV:P), low attack complexity (AC:L), and partial timing requirement (AT:P). CWE-696 (Incorrect Behavior Order), CWE-636 (Not Failing Securely), and CWE-754 (Improper Check for Unusual or Exceptional Conditions) identified as related weaknesses. VulnStatus: Deferred.
Official resources
- CVE-2026-49317 CVE record (CVE.org)
- CVE-2026-49317 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-29