PatchSiren cyber security CVE debrief
CVE-2026-49323 Indian Motorcycle (Polaris Inc.) CVE debrief
CVE-2026-49323 documents a medium-severity authentication weakness in the 2025 Indian Motorcycle Scout Bobber + Tech, where the Wireless Control Module (WCM) and Engine Control Module (ECM) exchange immobilizer secrets using a reversible, non-cryptographic operation. An attacker with adjacent-network access and read capability on the in-vehicle network can capture a single seed/key exchange, reconstruct the persistent ECM immobilizer secret, and subsequently authenticate directly to the ECM to start the engine without the original WCM. The CVSS 4.0 vector (AV:P/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N) reflects physical adjacency requirements and high confidentiality impact on the immobilizer secret, with no integrity or availability impact scored. The vulnerability was published to NVD on 2026-05-29 with status 'Deferred' and is attributed to ASRG (Automotive Security Research Group) as the originating source. Specific protocol details have been intentionally withheld pending vendor remediation.
- Vendor: Indian Motorcycle (Polaris Inc.)
- Product: Scout Bobber + Tech
- CVSS: MEDIUM 4.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Fleet operators with 2025 Indian Motorcycle Scout Bobber + Tech units; motorcycle rental and sharing services; automotive security researchers; physical security and asset protection teams; insurance underwriters covering motorcycle theft; owners of affected models in high-theft regions
Technical summary
The vulnerability exists in the authentication protocol between the Wireless Control Module (WCM) and Engine Control Module (ECM) in the 2025 Indian Motorcycle Scout Bobber + Tech. Rather than implementing a cryptographic challenge-response mechanism, the WCM derives its authentication response through a reversible, non-cryptographic operation. This design allows an attacker with read access to the in-vehicle network to capture a single seed/key exchange, mathematically reverse the operation to recover the persistent per-vehicle immobilizer secret, and subsequently authenticate to the ECM independently. The attack requires physical proximity to establish adjacent-network access (e.g., via OBD-II port or wireless diagnostic interface) but enables complete immobilizer defeat with only passive observation. The CVSS 4.0 score of 4.1 (Medium) reflects the physical access prerequisite and high impact to credential confidentiality, with no direct integrity or availability impact on vehicle systems.
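The design difference described above, as an added example that is not taken from the advisory or from any vendor code: it contrasts a reversible response with an HMAC-based challenge-response and checks replay handling on the verifying side. The actual WCM-ECM operation is withheld, so XOR is only an assumed stand-in, and `Verifier`, `SEED_LEN` and all function names and sizes are hypothetical.

```python
import hashlib
import hmac
import secrets

SEED_LEN = 16  # constructed size; the real protocol's sizes are not on the page

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def reversible_response(secret: bytes, seed: bytes) -> bytes:
    # Weak pattern (XOR is an assumed stand-in): the response is an
    # invertible function of the secret once the seed is known.
    return xor_bytes(secret, seed)

def hmac_response(secret: bytes, seed: bytes) -> bytes:
    # Cryptographic challenge-response: HMAC-SHA256 keyed with the secret.
    return hmac.new(secret, seed, hashlib.sha256).digest()

def transcript_reveals_secret(respond, secret: bytes) -> bool:
    """Design-review check: does one observed (seed, response) pair give
    back the long-term secret under this simple inversion?"""
    seed = secrets.token_bytes(SEED_LEN)
    response = respond(secret, seed)
    return xor_bytes(response[:SEED_LEN], seed) == secret

class Verifier:
    """ECM-side role (hypothetical class): fresh seed per attempt, single use."""
    def __init__(self, secret: bytes, respond):
        self._secret, self._respond, self._seed = secret, respond, None

    def challenge(self) -> bytes:
        self._seed = secrets.token_bytes(SEED_LEN)
        return self._seed

    def verify(self, response: bytes) -> bool:
        if self._seed is None:          # no outstanding challenge
            return False
        expected = self._respond(self._secret, self._seed)
        self._seed = None               # a seed is never accepted twice
        return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    secret = secrets.token_bytes(SEED_LEN)  # constructed sample secret
    print("reversible leaks secret:", transcript_reveals_secret(reversible_response, secret))
    print("HMAC leaks secret:      ", transcript_reveals_secret(hmac_response, secret))
```

The check only exercises the one inversion shown; the HMAC variant's resistance rests on HMAC-SHA256 being a keyed pseudorandom function, not on this test passing.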
Defensive priority
medium
Recommended defensive actions
- Inventory 2025 Indian Motorcycle Scout Bobber + Tech fleet units and identify those with active immobilizer systems
- Monitor in-vehicle network segments for unauthorized diagnostic or passive monitoring devices
- Restrict physical access to vehicle OBD-II and diagnostic ports to authorized personnel only
- Coordinate with Indian Motorcycle dealer network for pending firmware or immobilizer module updates
- Implement additional physical security controls (steering locks, GPS tracking) as compensating controls until patch availability
- Review insurance and asset protection policies for theft coverage given demonstrated immobilizer bypass feasibility
Evidence notes
CVE description confirms single-observation attack feasibility against reversible WCM-ECM authentication. CVSS 4.0 scoring indicates physical access vector with high impact to credential confidentiality. NVD status 'Deferred' suggests coordinated disclosure timeline. ASRG reference provides original advisory context.
Official resources
- CVE-2026-49323 CVE record (CVE.org)
- CVE-2026-49323 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (2026-05-29)