CVE-2026-49323
Weak Authentication in Indian Motorcycle Scout Bobber + Tech 2025 ECM
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: Automotive Security Research Group (ASRG)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| indian_motorcycle | scout_bobber | 2025 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1390 | The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct. |
| CWE-327 | The product uses a broken or risky cryptographic algorithm or protocol. |
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided context and resources do not include specific information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability involves weak authentication between the Wireless Control Module (WCM) and the Engine Control Module (ECM) in the Indian Motorcycle Scout Bobber + Tech 2025 model. An attacker who has read access to the in-vehicle network and is nearby can passively observe a single seed/key exchange between these modules. Because the WCM uses a reversible, non-cryptographic method to generate its response instead of a secure cryptographic challenge-response, the attacker can reconstruct the persistent immobilizer secret from just one captured exchange.
With this recovered secret, the attacker can authenticate directly to the ECM without needing the WCM, allowing them to start the motorcycle's engine and bypass the immobilizer security feature.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to bypass the motorcycle's immobilizer security system, enabling unauthorized engine start. This means the attacker can potentially steal the motorcycle or operate it without permission.
Since the attack requires only passive observation of a single communication exchange on the in-vehicle network, it can be performed stealthily by someone in close proximity, increasing the risk of theft or unauthorized use.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves weak authentication between the Wireless Control Module (WCM) and the Engine Control Module (ECM) by passively observing a single seed/key exchange on the in-vehicle network.
Detection would require capturing and analyzing the communication between the WCM and ECM on the vehicle's in-vehicle network to identify the seed/key exchange.
Since specific protocol details have been withheld pending vendor remediation, no exact commands or tools can be recommended at this time.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps are not explicitly detailed in the provided information.
Given the nature of the vulnerability, limiting physical or adjacent network access to the in-vehicle network can reduce risk.
Monitoring for vendor updates or patches addressing the weak authentication mechanism is recommended.