CVE-2026-49317
Deferred Deferred - Pending Action
Incorrect Boot Authentication in Indian Motorcycle Scout Bobber + Tech 2025 Infotainment

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: Automotive Security Research Group (ASRG)

Description
Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. The Infotainment uses presence of Wireless Control Module (WCM) traffic during its boot window as a proxy for whether an immobilizer is fitted; if no WCM messages are observed, it skips the PIN entry screen and shows the normal user interface. An attacker who silences the WCM during the boot window β€” for example via a separately tracked CAN bus-off technique β€” can present a fully unlocked Infotainment despite the PIN never being entered. Specific timing and protocol details have been withheld pending vendor remediation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-49317
EUVD
EUVD-2026-33296
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
indian_motorcycle scout_bobber 2025
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-696 The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways that may produce resultant weaknesses.
CWE-636 When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.
CWE-754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability involves the Infotainment system of the Indian Motorcycle Scout Bobber + Tech 2025 model bypassing the PIN entry screen if no Wireless Control Module (WCM) traffic is detected during its boot window. Detection would require monitoring the presence or absence of WCM messages on the network during the Infotainment boot process.

Since specific timing and protocol details have been withheld pending vendor remediation, exact detection commands cannot be provided. However, network monitoring tools that capture CAN bus traffic or wireless module communications could be used to observe WCM message presence during boot.

For example, commands or tools that capture CAN bus traffic such as 'candump' (from can-utils) or other CAN bus sniffers could be used to monitor WCM messages. Similarly, wireless traffic capture tools might be used if WCM communicates wirelessly.

Impact Analysis

This vulnerability allows an adjacent-network attacker to bypass the PIN entry screen on the motorcycle's Infotainment system, effectively gaining unauthorized access to the system.

Such unauthorized access could lead to misuse of the Infotainment features, potential theft, or manipulation of vehicle functions that rely on the Infotainment system.

Because the attacker can silence the Wireless Control Module traffic to bypass security, the normal protections intended to prevent unauthorized use are circumvented.

Executive Summary

This vulnerability involves an incorrect behavior order in the Infotainment system of the Indian Motorcycle Scout Bobber + Tech 2025 model. The system uses the presence of Wireless Control Module (WCM) traffic during its boot window to decide whether an immobilizer is fitted. If no WCM messages are detected, the system skips the PIN entry screen and directly shows the normal user interface.

An attacker can exploit this by silencing the WCM traffic during the boot window, for example using a CAN bus-off technique. This causes the Infotainment to bypass the PIN entry screen, effectively unlocking the system without the PIN ever being entered.

This is an example of CWE-696 (Incorrect Behavior Order), where the system performs related behaviors in the wrong sequence, leading to a security flaw that allows unauthorized access.

Mitigation Strategies

Immediate mitigation involves ensuring that the Wireless Control Module (WCM) traffic is not silenced during the Infotainment system's boot window, as the absence of WCM messages causes the PIN entry screen to be bypassed.

Practically, this means preventing attackers from using techniques such as CAN bus-off attacks to silence WCM messages during boot.

Additional mitigation would include applying any vendor patches or updates once available, as specific timing and protocol details are withheld pending vendor remediation.

Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49317. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart