CVE-2026-49323
Deferred - Pending Action
Weak Authentication in Indian Motorcycle Scout Bobber + Tech 2025 ECM

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: Automotive Security Research Group (ASRG)

Description
Weak authentication between the Wireless Control Module (WCM) and the Engine Control Module (ECM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the per-vehicle ECM immobilizer secret by passively observing a single seed/key exchange. The WCM derives its response using a reversible, non-cryptographic operation rather than a cryptographic challenge-response, so the persistent immobilizer secret can be reconstructed from one captured exchange. With this secret the attacker can authenticate to the ECM independently of the WCM and start the engine, defeating the immobilizer. Specific protocol details have been withheld pending vendor remediation.
Meta Information
Published: 2026-05-29
Last Modified: 2026-05-29
Generated: 2026-06-19
AI Q&A: 2026-05-29
EPSS Evaluated: 2026-06-18
Affected Vendors & Products
Vendor | Product | Version / Range
indian_motorcycle | scout_bobber | 2025
CWE ID | Description
CWE-327 | The product uses a broken or risky cryptographic algorithm or protocol.
CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key.
CWE-1390 | The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.
Compliance Impact

The provided context and resources do not include specific information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability involves weak authentication between the Wireless Control Module (WCM) and the Engine Control Module (ECM) in the Indian Motorcycle Scout Bobber + Tech 2025 model. An attacker who has read access to the in-vehicle network and is nearby can passively observe a single seed/key exchange between these modules. Because the WCM uses a reversible, non-cryptographic method to generate its response instead of a secure cryptographic challenge-response, the attacker can reconstruct the persistent immobilizer secret from just one captured exchange.

With this recovered secret, the attacker can authenticate directly to the ECM without needing the WCM, allowing them to start the motorcycle's engine and bypass the immobilizer security feature.

Impact Analysis

This vulnerability can allow an attacker to bypass the motorcycle's immobilizer security system, enabling unauthorized engine start. This means the attacker can potentially steal the motorcycle or operate it without permission.

Since the attack requires only passive observation of a single communication exchange on the in-vehicle network, it can be performed stealthily by someone in close proximity, increasing the risk of theft or unauthorized use.

Detection Guidance

This vulnerability involves weak authentication between the Wireless Control Module (WCM) and the Engine Control Module (ECM), which can be exploited by passively observing a single seed/key exchange on the in-vehicle network.

Detection would require capturing and analyzing the communication between the WCM and ECM on the vehicle's in-vehicle network to identify the seed/key exchange.

Since specific protocol details have been withheld pending vendor remediation, no exact commands or tools can be recommended at this time.

Mitigation Strategies

Immediate mitigation steps are not explicitly detailed in the provided information.

Given the nature of the vulnerability, limiting physical or adjacent network access to the in-vehicle network can reduce risk.

Monitoring for vendor updates or patches addressing the weak authentication mechanism is recommended.
