CVE-2026-49324
MediumCVSS 4.6Exploitation Probability (EPSS)
Low risk7th percentile - higher than 7% of all known CVEs
Summary
A vulnerability in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 allows an adjacent-network attacker with write access to the in-vehicle network to permanently immobilize the motorcycle. The brute-force lockout mechanism on the immobilizer authentication algorithm is exploitable because the lockout counter is reachable by any unauthenticated message, has no session binding, and does not reset on power cycle. An attacker can deliberately trigger the lockout with a small number of crafted frames, leaving the bike un-startable until dealer service.
Risk Assessment
The risk is the potential for permanent immobilization of the motorcycle by an adjacent-network attacker, leading to loss of mobility, service costs, and potential safety hazards in emergency situations.
Recommendation
It is recommended to immediately apply vendor patches once available and restrict access to the in-vehicle network to trusted devices only. Until an update is released, monitor the vehicle network for suspicious frames and consider temporarily disabling the WCM wireless functions.
Original NVD description (English source)
Uncontrolled resource consumption in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with write access to the in-vehicle network to permanently immobilize the motorcycle. The WCM enforces a brute-force lockout on the immobilizer authentication algorithm, but the lockout counter is reachable by any unauthenticated message, has no session binding, and does not reset on power cycle. An attacker can deliberately trip the lockout with a small number of crafted frames, leaving the bike un-startable until dealer service. Specific thresholds have been withheld pending vendor remediation.

