PatchSiren

CVE-2026-49324 Indian Motorcycle (Polaris Inc.) CVE debrief

A vulnerability in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with write access to the in-vehicle network to permanently immobilize the motorcycle. The WCM implements a brute-force lockout mechanism on the immobilizer authentication algorithm, but this lockout counter can be triggered by any unauthenticated message, lacks session binding, and persists across power cycles. An attacker can deliberately trigger the lockout with a small number of crafted frames, rendering the motorcycle un-startable until dealer service is performed. The vulnerability stems from improper implementation of authentication rate limiting (CWE-307) combined with uncontrolled resource consumption (CWE-400/CWE-770). The CVSS 4.0 vector indicates physical attack vector, low attack complexity, and high availability impact. The vulnerability status is currently marked as 'Deferred' in the NVD, suggesting the vendor has not yet provided a remediation. Specific exploitation thresholds have been withheld pending vendor remediation.

Vendor: Indian Motorcycle (Polaris Inc.)
Product: Scout Bobber + Tech
CVSS: MEDIUM 4.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Owners and operators of Indian Motorcycle Scout Bobber + Tech 2025 motorcycles; fleet managers with Indian Motorcycle vehicles; automotive security researchers; authorized Indian Motorcycle dealers; and incident response teams handling vehicle cyber-physical security events.

Technical summary

The WCM's immobilizer authentication lockout can be triggered without authentication by any network participant with write access. The lockout state persists across power cycles and requires dealer intervention to reset, creating a permanent denial-of-service condition for vehicle operation. The flaw is a design weakness in the state machine implementation of a security-critical automotive function.
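The design weakness described above, shown as an added C model that is not vendor firmware or code from the advisory: a lockout counter that charges every bad frame and latches, beside a variant that charges only responses bound to a challenge the module issued and replaces the latch with a capped delay. All names, the threshold `LIMIT`, the delay `BACKOFF_MS` and the `mac_ok` flag (a stand-in for verifying the response) are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

#define LIMIT 5u          /* constructed threshold, not the real value */
#define BACKOFF_MS 1000u  /* constructed base delay */

typedef struct {
    uint32_t fails;       /* modelled as non-volatile: survives power cycles */
    uint32_t nonce;       /* outstanding challenge, 0 = none issued */
    uint32_t retry_at_ms; /* hardened variant: earliest next attempt */
} wcm_t;

/* mac_ok stands in for "response verified against the key" (assumption). */
typedef struct { uint32_t nonce; bool mac_ok; } frame_t;

/* Weak: any bad frame is charged regardless of session, and the latched
 * state never clears without an external reset. */
bool weak_auth(wcm_t *s, frame_t f) {
    if (s->fails >= LIMIT) return false;   /* locked: even a valid key fails */
    if (f.mac_ok) { s->fails = 0; return true; }
    s->fails++;
    return false;
}

/* Hardened: the module issues a challenge only when a start is attempted;
 * `fresh` is assumed to be a random non-zero value. */
uint32_t issue_challenge(wcm_t *s, uint32_t fresh) {
    s->nonce = fresh;
    return fresh;
}

/* Unsolicited or stale responses are dropped without being charged. A bad
 * response to a live challenge costs a capped delay, never a permanent lock.
 * Timer wrap-around is ignored in this model. */
bool hard_auth(wcm_t *s, frame_t f, uint32_t now_ms) {
    if (s->nonce == 0 || f.nonce != s->nonce) return false; /* not bound */
    if (now_ms < s->retry_at_ms) return false;              /* throttled */
    s->nonce = 0;                          /* one response per challenge */
    if (f.mac_ok) { s->fails = 0; return true; }
    if (s->fails < LIMIT) s->fails++;
    s->retry_at_ms = now_ms + (BACKOFF_MS << s->fails);     /* max 32 s */
    return false;
}
```

In the hardened model, a party on the bus that answers a live challenge with a bad response can still delay a start, but the cost is bounded by the backoff cap and clears on the next valid authentication.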

Defensive priority

HIGH

Recommended defensive actions

  • Monitor for vendor security bulletin or recall notice from Indian Motorcycle/Polaris
  • Restrict physical and wireless access to the motorcycle's diagnostic ports and telematics interfaces
  • Implement network segmentation for any fleet management or diagnostic equipment with vehicle access
  • Contact authorized dealer to verify if immobilizer lockout counter reset procedure is available
  • Review and update incident response procedures for vehicle immobilization scenarios
  • Await official patch or firmware update before connecting untrusted diagnostic equipment

Evidence notes

CVE published 2026-05-29T13:16:23.557Z; modified 2026-05-29T15:16:24.753Z. Source reference from ASRG (Automotive Security Research Group) indicates automotive security research origin. CVSS 4.0 vector: AV:P/AC:L/AT:P/PR:N/UI:N/VA:H. Weaknesses: CWE-307 (Improper Restriction of Excessive Authentication Attempts), CWE-400 (Uncontrolled Resource Consumption), CWE-770 (Allocation of Resources Without Limits or Throttling). VulnStatus: Deferred.
