CVE-2026-49324
Uncontrolled Resource Consumption in Indian Motorcycle Scout Bobber + Tech 2025 WCM
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: Automotive Security Research Group (ASRG)
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| indian_motorcycle | scout_bobber | 2025 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves uncontrolled resource consumption in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year. An attacker on an adjacent network with write access to the in-vehicle network can exploit this by sending crafted messages that trigger a brute-force lockout on the immobilizer authentication algorithm. The lockout counter can be incremented by any unauthenticated message, is not bound to any session, and does not reset when the motorcycle is powered off. As a result, the attacker can cause the motorcycle to become permanently immobilized until it is serviced by a dealer.
How can this vulnerability impact me?
The primary impact of this vulnerability is that an attacker can permanently immobilize the motorcycle, effectively causing a denial of service. The motorcycle will not start until it is serviced by a dealer, which can cause inconvenience, loss of use, and potential safety concerns for the owner.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an attacker sending crafted unauthenticated messages to the Wireless Control Module (WCM) on the in-vehicle network to trigger a brute-force lockout on the immobilizer authentication algorithm. Detection would involve monitoring the in-vehicle network traffic for unusual or repeated unauthenticated messages targeting the immobilizer authentication mechanism.
Since the lockout counter can be incremented by any unauthenticated message and does not reset on power cycle, commands or tools that capture and analyze CAN bus or in-vehicle network frames could be used to detect suspicious message patterns or repeated authentication attempts.
Specific commands are not provided in the available information, but network traffic capture tools (e.g., Wireshark with CAN bus support) and custom scripts to filter for repeated unauthenticated frames targeting the immobilizer could be employed.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting write access to the in-vehicle network to trusted entities only, as the vulnerability requires write access to the network.
Implementing strong authentication and access control mechanisms to prevent unauthenticated messages from reaching the Wireless Control Module can help mitigate exploitation.
Since the lockout counter does not reset on power cycle and requires dealer service to restore functionality, avoiding exposure of the in-vehicle network to adjacent-network attackers is critical.
Monitoring for and blocking suspicious or repeated unauthenticated messages targeting the immobilizer authentication algorithm can reduce the risk of deliberate lockout.
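As an added illustration of the mitigations above (not code from the advisory, the vendor or the WCM), this Python model shows a lockout counter that counts only genuine failed responses to challenges the module itself issued, is bound to a session, lives in volatile memory, and backs off with a cap instead of immobilizing permanently. Class names, thresholds and the HMAC challenge/response scheme are assumptions made for the model.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Session:
    token: bytes = field(default_factory=lambda: secrets.token_bytes(8))
    challenge: bytes = field(default_factory=lambda: secrets.token_bytes(16))

class ImmobilizerAuth:
    # Thresholds are design assumptions for this model, not values from the advisory.
    MAX_FAILURES = 5
    BACKOFF_BASE_S = 30.0
    BACKOFF_CAP_S = 3600.0
    def __init__(self, key: bytes):
        self._key = key
        self._sessions: dict[bytes, Session] = {}
        self.power_on()

    def power_on(self) -> None:
        """Counter and backoff are volatile: a power cycle clears them, so a
        lockout can never outlive the ride or require dealer service to undo."""
        self.failures = 0
        self.locked_until = 0.0
        self._sessions.clear()

    def open_session(self) -> Session:
        """Issue a fresh challenge; a response is accepted only against it, once."""
        s = Session()
        self._sessions[s.token] = s
        return s

    def _expected(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, "sha256").digest()[:8]
    def authenticate(self, token: bytes, response: bytes, now: float) -> str:
        if now < self.locked_until:
            return "backoff"
        s = self._sessions.pop(token, None)   # one response per challenge
        if s is None:
            # Not bound to a live challenge: dropped without touching the counter.
            return "ignored"
        if hmac.compare_digest(response, self._expected(s.challenge)):
            self.failures = 0
            return "ok"
        self.failures += 1   # only genuine failed responses to our own challenges count
        if self.failures >= self.MAX_FAILURES:   # capped backoff, never permanent
            wait = self.BACKOFF_BASE_S * 2 ** (self.failures - self.MAX_FAILURES)
            self.locked_until = now + min(wait, self.BACKOFF_CAP_S)
        return "fail"
```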
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.