CVE-2026-49317
Incorrect Boot Authentication in Indian Motorcycle Scout Bobber + Tech 2025 Infotainment
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: Automotive Security Research Group (ASRG)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| indian_motorcycle | scout_bobber | 2025 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-696 | The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways that may produce resultant weaknesses. |
| CWE-636 | When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions. |
| CWE-754 | The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Infotainment system of the Indian Motorcycle Scout Bobber + Tech 2025 model bypassing the PIN entry screen if no Wireless Control Module (WCM) traffic is detected during its boot window. Detection would require monitoring the presence or absence of WCM messages on the network during the Infotainment boot process.
Since specific timing and protocol details have been withheld pending vendor remediation, exact detection commands cannot be provided. However, network monitoring tools that capture CAN bus traffic or wireless module communications could be used to observe WCM message presence during boot.
For example, commands or tools that capture CAN bus traffic such as 'candump' (from can-utils) or other CAN bus sniffers could be used to monitor WCM messages. Similarly, wireless traffic capture tools might be used if WCM communicates wirelessly.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves ensuring that the Wireless Control Module (WCM) traffic is not silenced during the Infotainment system's boot window, as the absence of WCM messages causes the PIN entry screen to be bypassed.
Practically, this means preventing attackers from using techniques such as CAN bus-off attacks to silence WCM messages during boot.
Additional mitigation would include applying any vendor patches or updates once available, as specific timing and protocol details are withheld pending vendor remediation.
How can this vulnerability impact me? :
This vulnerability allows an adjacent-network attacker to bypass the PIN entry screen on the motorcycle's Infotainment system, effectively gaining unauthorized access to the system.
Such unauthorized access could lead to misuse of the Infotainment features, potential theft, or manipulation of vehicle functions that rely on the Infotainment system.
Because the attacker can silence the Wireless Control Module traffic to bypass security, the normal protections intended to prevent unauthorized use are circumvented.
Can you explain this vulnerability to me?
This vulnerability involves an incorrect behavior order in the Infotainment system of the Indian Motorcycle Scout Bobber + Tech 2025 model. The system uses the presence of Wireless Control Module (WCM) traffic during its boot window to decide whether an immobilizer is fitted. If no WCM messages are detected, the system skips the PIN entry screen and directly shows the normal user interface.
An attacker can exploit this by silencing the WCM traffic during the boot window, for example using a CAN bus-off technique. This causes the Infotainment to bypass the PIN entry screen, effectively unlocking the system without the PIN ever being entered.
This is an example of CWE-696 (Incorrect Behavior Order), where the system performs related behaviors in the wrong sequence, leading to a security flaw that allows unauthorized access.