Weak Authentication Issue in Indian Motorcycle Scout Bobber + Tech Wireless Control Module
CVE-2026-49323

4.1MEDIUM

Key Information:

Vendor: Indian Motorcycle (polaris Inc.)
Status: Scout Bobber + Tech
Vendor: CVE Published:; 29 May 2026

🔔 Create Indian Motorcycle (polaris Inc.) Vulnerability Alert

What is CVE-2026-49323?

A significant vulnerability exists in the Wireless Control Module (WCM) of the 2025 Indian Motorcycle Scout Bobber + Tech model, which suffers from weak authentication mechanisms. This flaw allows an adjacent-network attacker, who has the ability to read the in-vehicle network traffic, to capture a single seed/key exchange between the WCM and the Engine Control Module (ECM). By exploiting this vulnerability, an attacker can reconstruct the ECM's immobilizer secret using a reversible, non-cryptographic operation. This enables unauthorized authentication to the ECM, allowing the attacker to start the motorcycle engine and bypass the immobilizer system. Details of the specific protocol have been withheld by the vendor to address the potential risks.

Affected Version(s)

Scout Bobber + Tech OEM Motorcycle 2025

References

https://www.asrg.io/security-advisories/cve-2026-49323-in...

third-party-advisory

CVSS V4

Score:

4.1

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Physical

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 29, 2026
Vulnerability Reserved
May 29, 2026

Credit

Scott Sheahan, Rustic Security LLC

CVE-2026-49323 Data

JSON