PatchSiren cyber security CVE debrief
CVE-2026-49325 Indian Motorcycle (Polaris Inc.) CVE debrief
## Summary

CVE-2026-49325 describes a **physical security bypass** in the Indian Motorcycle Scout Bobber + Tech 2025 model year. An attacker with physical access to the Wireless Control Module (WCM) wiring harness can disable the anti-theft shutdown mechanism by interrupting a dedicated wire pair, causing the receiving ECU to interpret an open-circuit condition as a valid shutdown signal. This allows the motorcycle to remain fully operable without PIN validation.

## Technical Analysis

The vulnerability stems from **improper signal validation** in the inter-ECU communication protocol:

- **Attack Vector**: Physical access to WCM wiring harness
- **Mechanism**: The WCM signals shutdown via a falling-edge voltage transition on a dedicated wire pair
- **Root Cause**: The receiving ECU cannot distinguish between an intentional shutdown pulse and an open-circuit/disconnected condition
- **Impact**: Anti-theft shutdown bypass; motorcycle remains operable without rider authentication

The CVSS 4.0 vector (`AV:P/AC:L/AT:P/PR:N/UI:N/VA:H`) reflects:

- **Attack Vector: Physical** — requires physical access to the motorcycle
- **Attack Complexity: Low** — simple wire interruption
- **Attack Requirements: Present** — specific hardware access needed
- **Availability Impact: High** — anti-theft function neutralized

## Affected Product

| Attribute | Value |
|-----------|-------|
| Vendor | Indian Motorcycle (Polaris Inc.) |
| Product | Scout Bobber + Tech |
| Model Year | 2025 |
| Component | Wireless Control Module (WCM) / Engine Control Unit interconnection |

## Weaknesses

Per the CVE record, this vulnerability involves:

- **CWE-693**: Protection Mechanism Failure — failure to properly validate the shutdown signal source
- **CWE-754**: Improper Check for Unusual or Exceptional Conditions — no detection of open-circuit anomaly
- **CWE-1384**: Improper Handling of Physical or Environmental Conditions — inability to distinguish legitimate signal from physical disconnection

## Timeline

| Event | Date |
|-------|------|
| CVE Published | 2026-05-29 |
| CVE Last Modified | 2026-05-29 |
| Vendor Status | Deferred (per NVD) |

The CVE was published and modified on the **s
- Vendor: Indian Motorcycle (Polaris Inc.)
- Product: Scout Bobber + Tech
- CVSS: MEDIUM 4.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Owners of 2025 Indian Motorcycle Scout Bobber + Tech motorcycles; fleet operators and rental services using these models; motorcycle security researchers; automotive/powersports cybersecurity professionals; physical security auditors for high-value vehicle assets.
Technical summary
The vulnerability exists in the inter-ECU signaling between the Wireless Control Module (WCM) and the shutdown-receiving ECU. The WCM transmits shutdown commands via a falling-edge voltage transition on a dedicated wire pair. The receiving ECU's logic interprets both active low signals and open-circuit conditions (infinite impedance, no voltage) equivalently. An attacker with physical access can create an open-circuit condition by disconnecting or cutting the relevant wires, causing the ECU to perceive a continuous 'shutdown acknowledged' state that actually leaves the motorcycle operational. This represents a failure of signal integrity verification and absence of heartbeat or continuity checks on the control line.
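The missing continuity check can be illustrated with a small simulation, added here as an example and not taken from the CVE record or any vendor firmware. It compares a receiver that acts only on a falling edge with a fail-secure receiver that requires a periodic heartbeat; the 1 ms sample rate, the 50 ms timeout, the 10 ms toggle period and the assumption that a disconnected input is biased to a steady level are all hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define N 200                   /* samples per trace, one per millisecond (assumed) */
#define HEARTBEAT_TIMEOUT_MS 50 /* assumed maximum gap between heartbeat toggles */

typedef enum { RUN_ALLOWED, RUN_INHIBITED } run_state_t;

/* Edge-only receiver: inhibits only when it sees a falling edge. */
run_state_t edge_only_receiver(const uint8_t *s, size_t n) {
    for (size_t i = 1; i < n; i++)
        if (s[i - 1] == 1 && s[i] == 0) return RUN_INHIBITED;
    return RUN_ALLOWED; /* a silent line is treated as "no command" */
}

/* Heartbeat receiver: running is allowed only while the line keeps toggling.
   Silence of any kind (commanded stop or broken wire) latches the inhibit. */
run_state_t heartbeat_receiver(const uint8_t *s, size_t n) {
    size_t quiet = 0;
    bool seen_toggle = false;
    for (size_t i = 1; i < n; i++) {
        if (s[i] != s[i - 1]) { quiet = 0; seen_toggle = true; }
        else if (++quiet >= HEARTBEAT_TIMEOUT_MS) return RUN_INHIBITED;
    }
    return seen_toggle ? RUN_ALLOWED : RUN_INHIBITED;
}

/* Constructed trace: the sender drives the line until live_until, after which
   the receiver input sits at dead_level (sender holding it, or the bias on a
   disconnected input). Without heartbeat the driven line simply idles high. */
run_state_t scenario(bool heartbeat, size_t live_until, uint8_t dead_level) {
    uint8_t buf[N];
    size_t half_period = heartbeat ? 10 : 0;
    for (size_t i = 0; i < N; i++) {
        uint8_t driven = half_period ? (uint8_t)((i / half_period) % 2 == 0) : 1;
        buf[i] = (i < live_until) ? driven : dead_level;
    }
    return heartbeat ? heartbeat_receiver(buf, N) : edge_only_receiver(buf, N);
}

int main(void) {
    printf("edge-only, commanded shutdown: %d\n", scenario(false, 100, 0));
    printf("edge-only, line open (biased high): %d\n", scenario(false, 100, 1));
    printf("heartbeat, healthy: %d\n", scenario(true, N, 0));
    printf("heartbeat, line open (biased high): %d\n", scenario(true, 100, 1));
    return 0;
}
```

In the heartbeat design a lost signal and a commanded shutdown both end in the inhibited state, so interrupting the line no longer leaves the vehicle runnable.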
Defensive priority
MEDIUM
Recommended defensive actions
- Owners of 2025 Indian Motorcycle Scout Bobber + Tech should contact authorized Indian Motorcycle dealerships to inquire about security updates for the Wireless Control Module firmware
- Physical security measures should be enhanced: use additional mechanical locks (disc locks, chain locks) and park in secured locations to mitigate the risk of physical tampering
- Monitor for service bulletins from Indian Motorcycle/Polaris regarding ECU firmware updates that may add open-circuit detection to the shutdown signal validation logic
- Fleet operators and rental services using affected models should implement enhanced key control and vehicle tracking as compensating controls
- Security researchers and owners should report any observed suspicious wiring harness tampering to Indian Motorcycle customer service and appropriate law enforcement
Evidence notes
The CVE description explicitly states that 'specific connector details have been withheld pending vendor remediation.' This is a responsible disclosure practice to prevent immediate exploitation while allowing time for security patches. The CVSS 4.0 scoring with AV:P (Physical) and VA:H (High Availability impact) accurately characterizes this as a localized but serious physical security flaw.
Official resources
- CVE-2026-49325 CVE record (CVE.org)
- CVE-2026-49325 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
The vulnerability was disclosed through MITRE/ASRG with NVD entry status 'Deferred', indicating coordination with the vendor is ongoing. Specific connector details have been intentionally withheld pending vendor remediation.