Uncontrolled Resource Consumption in Indian Motorcycle Scout Bobber + Tech 2025
CVE-2026-49324

4.1MEDIUM

Key Information:

Vendor: Indian Motorcycle (polaris Inc.)
Status: Scout Bobber + Tech
Vendor: CVE Published:; 29 May 2026

🔔 Create Indian Motorcycle (polaris Inc.) Vulnerability Alert

What is CVE-2026-49324?

The Wireless Control Module (WCM) in the Indian Motorcycle Scout Bobber + Tech 2025 model year is susceptible to an uncontrolled resource consumption vulnerability. This flaw allows an adjacent network attacker with write access to the in-vehicle network to immobilize the motorcycle by exploiting the brute-force lockout mechanism of the immobilizer authentication algorithm. The lockout counter can be manipulated via unauthenticated messages, which lack session binding and do not reset upon power cycling. As a result, an attacker can quickly trigger the lockout condition using crafted messages, rendering the motorcycle inoperable until serviced by a dealer.

Affected Version(s)

Scout Bobber + Tech OEM Motorcycle 2025

References

https://www.asrg.io/security-advisories/cve-2026-49324-in...

third-party-advisory

CVSS V4

Score:

4.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Physical

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 29, 2026
Vulnerability Reserved
May 29, 2026

Credit

Scott Sheahan, Rustic Security LLC

CVE-2026-49324 Data

JSON