PatchSiren

CVE-2026-49322 Indian Motorcycle (Polaris Inc.) CVE debrief

A medium-severity vulnerability in the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the user-set unlock PIN by passively observing a single PIN authentication exchange. The Wireless Control Module (WCM) uses a non-cryptographic operation for its response computation rather than a cryptographic challenge-response mechanism, making the PIN mathematically derivable from one captured exchange. This defeats the motorcycle's primary user-authentication control. The vulnerability was published on 2026-05-29 and carries a CVSS 4.0 score of 4.1 (Medium). The ASRG advisory reference provides the primary technical disclosure, though specific protocol details have been withheld pending vendor remediation. The CVE record status is currently Deferred.

Vendor: Indian Motorcycle (Polaris Inc.)
Product: Scout Bobber + Tech
CVSS: MEDIUM 4.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Owners and operators of affected Indian Motorcycle Scout Bobber + Tech 2025 vehicles; fleet managers; automotive security researchers; physical security teams responsible for motorcycle storage and access control; and incident response teams tracking connected-vehicle threats.

Technical summary

The Wireless Control Module (WCM) in the Indian Motorcycle Scout Bobber + Tech 2025 model year implements PIN authentication using a non-cryptographic response computation. An attacker with read access to the in-vehicle network can capture a single PIN authentication exchange between the Infotainment Digital Round display and the WCM, then mathematically derive the user-set unlock PIN from the observed values. This constitutes a passive, adjacent-network authentication bypass against the motorcycle's primary user-authentication control. Specific protocol details are withheld pending vendor remediation.

Defensive priority

Medium

Recommended defensive actions

  • Restrict physical and network-layer access to the in-vehicle network to trusted personnel only
  • Monitor for unauthorized diagnostic or network access tools connected to the motorcycle's communication buses
  • Apply vendor firmware or software updates for the Wireless Control Module and Infotainment Digital Round display when available
  • Consider additional physical security controls (e.g., secure parking, tamper-evident hardware) to reduce adjacent-network attack opportunities
  • Review and update threat models for connected vehicle assets to account for passive authentication bypass risks

Evidence notes

The vulnerability description is sourced from the official CVE record and NVD entry. The ASRG reference link provides the originating advisory. Vendor attribution is marked as low-confidence 'Unknown Vendor' with candidate evidence pointing to ASRG as the reference domain; this field is flagged for review.
