## Summary CVE-2026-49325 describes a **physical security bypass** in the Indian Motorcycle Scout Bobber + Tech 2025 model year. An attacker with physical access to the Wireless Control Module (WCM) wiring harness can disable the anti-theft shutdown mechanism by interrupting a dedicated wire pair, causing the receiving ECU to interpret an open-circuit condition as a valid shutdown signal. This allows the [truncated]
LOWIndian Motorcycle (Polaris Inc.)CVE published 2026-05-29
A logic flaw in the Indian Motorcycle Scout Bobber + Tech 2025 infotainment system allows an adjacent-network attacker to bypass the PIN entry screen by suppressing Wireless Control Module (WCM) traffic during the boot window. The system uses WCM message presence as a proxy for immobilizer presence; absence of these messages causes the infotainment to skip PIN verification and present an unlocked interfac [truncated]
LOWIndian Motorcycle (Polaris Inc.)CVE published 2026-05-29
A logic flaw in the Indian Motorcycle Scout Bobber + Tech 2025 infotainment system allows an adjacent-network attacker to bypass PIN authentication by suppressing Wireless Control Module (WCM) traffic during the boot window. The system incorrectly uses WCM message presence as a proxy for immobilizer status; absence of WCM traffic causes the PIN entry screen to be skipped entirely, presenting an unlocked i [truncated]
MEDIUMIndian Motorcycle (Polaris Inc.)CVE published 2026-05-29
A medium-severity vulnerability in the 2025 Indian Motorcycle Scout Bobber + Tech allows adjacent-network attackers to bypass the anti-theft immobilizer by forcing the Wireless Control Module (WCM) into a CAN bus-off state. The attack exploits standard CAN error-frame injection against periodic WCM transmissions, driving the controller's transmit error counter past the bus-off threshold (typically 255 per [truncated]
MEDIUMIndian Motorcycle (Polaris Inc.)CVE published 2026-05-29
A vulnerability in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with write access to the in-vehicle network to permanently immobilize the motorcycle. The WCM implements a brute-force lockout mechanism on the immobilizer authentication algorithm, but this lockout counter can be triggered by any unauthenticated message, la [truncated]
MEDIUMIndian Motorcycle (Polaris Inc.)CVE published 2026-05-29
CVE-2026-49323 documents a medium-severity authentication weakness in the 2025 Indian Motorcycle Scout Bobber + Tech, where the Wireless Control Module (WCM) and Engine Control Module (ECM) exchange immobilizer secrets using a reversible, non-cryptographic operation. An attacker with adjacent-network access and read capability on the in-vehicle network can capture a single seed/key exchange, reconstruct t [truncated]
