CVE-2026-49316
Deferred Deferred - Pending Action
CAN Bus-Off State Vulnerability in Indian Motorcycle Scout Bobber + Tech 2025

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: Automotive Security Research Group (ASRG)

Description
Expected behavior violation in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the motorcycle's anti-theft shutdown by forcing the Wireless Control Module (WCM) into the CAN bus-off state. Using a well-known CAN error-frame injection technique against a periodic WCM transmission, the attacker drives the WCM CAN controller's transmit error counter past the bus-off threshold, after which the WCM stops transmitting all messages, including the shutdown command. Peer ECUs do not interpret WCM silence as a security event and continue normal operation, allowing the motorcycle to be operated despite the immobilizer never having been unlocked. Specific protocol details have been withheld pending vendor remediation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-49316
EUVD
EUVD-2026-33293
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
indian_motorcycle scout_bobber 2025
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
CWE-440 A feature, API, or function does not perform according to its specification.
CWE-754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an expected behavior violation in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech 2025 model year. An attacker on an adjacent network can exploit this by forcing the Wireless Control Module (WCM) into a CAN bus-off state using a known CAN error-frame injection technique. When the WCM enters this state, it stops transmitting all messages, including the anti-theft shutdown command. Other electronic control units (ECUs) do not recognize the WCM's silence as a security issue and continue normal operation, allowing the motorcycle to be operated even though the immobilizer has not been unlocked.

Impact Analysis

The impact of this vulnerability is that an attacker can bypass the motorcycle's anti-theft system, allowing unauthorized operation of the vehicle. Since the Wireless Control Module stops sending shutdown commands and other ECUs do not detect this as a security event, the motorcycle can be started and used despite the immobilizer remaining locked. This effectively disables the anti-theft protection, increasing the risk of theft.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49316. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart