CVE-2026-49324
Deferred Deferred - Pending Action
Uncontrolled Resource Consumption in Indian Motorcycle Scout Bobber + Tech 2025 WCM

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: Automotive Security Research Group (ASRG)

Description
Uncontrolled resource consumption in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with write access to the in-vehicle network to permanently immobilize the motorcycle. The WCM enforces a brute-force lockout on the immobilizer authentication algorithm, but the lockout counter is reachable by any unauthenticated message, has no session binding, and does not reset on power cycle. An attacker can deliberately trip the lockout with a small number of crafted frames, leaving the bike un-startable until dealer service. Specific thresholds have been withheld pending vendor remediation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-49324
EUVD
EUVD-2026-33289
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
indian_motorcycle scout_bobber 2025
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves uncontrolled resource consumption in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year. An attacker on an adjacent network with write access to the in-vehicle network can exploit this by sending crafted messages that trigger a brute-force lockout on the immobilizer authentication algorithm. The lockout counter can be incremented by any unauthenticated message, is not bound to any session, and does not reset when the motorcycle is powered off. As a result, the attacker can cause the motorcycle to become permanently immobilized until it is serviced by a dealer.

Impact Analysis

The primary impact of this vulnerability is that an attacker can permanently immobilize the motorcycle, effectively causing a denial of service. The motorcycle will not start until it is serviced by a dealer, which can cause inconvenience, loss of use, and potential safety concerns for the owner.

Detection Guidance

This vulnerability involves an attacker sending crafted unauthenticated messages to the Wireless Control Module (WCM) on the in-vehicle network to trigger a brute-force lockout on the immobilizer authentication algorithm. Detection would involve monitoring the in-vehicle network traffic for unusual or repeated unauthenticated messages targeting the immobilizer authentication mechanism.

Since the lockout counter can be incremented by any unauthenticated message and does not reset on power cycle, commands or tools that capture and analyze CAN bus or in-vehicle network frames could be used to detect suspicious message patterns or repeated authentication attempts.

Specific commands are not provided in the available information, but network traffic capture tools (e.g., Wireshark with CAN bus support) and custom scripts to filter for repeated unauthenticated frames targeting the immobilizer could be employed.

Mitigation Strategies

Immediate mitigation steps include restricting write access to the in-vehicle network to trusted entities only, as the vulnerability requires write access to the network.

Implementing strong authentication and access control mechanisms to prevent unauthenticated messages from reaching the Wireless Control Module can help mitigate exploitation.

Since the lockout counter does not reset on power cycle and requires dealer service to restore functionality, avoiding exposure of the in-vehicle network to adjacent-network attackers is critical.

Monitoring for and blocking suspicious or repeated unauthenticated messages targeting the immobilizer authentication algorithm can reduce the risk of deliberate lockout.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49324. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart