CVE-2026-49325
Deferred Deferred - Pending Action

Physical Bypass in Indian Motorcycle Scout Bobber

Vulnerability report for CVE-2026-49325, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-29

Last updated on: 2026-06-27

Assigner: Automotive Security Research Group (ASRG)

Description

Improper handling of physical conditions in the bike-shutdown control of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows a physical attacker with access to the Wireless Control Module (WCM) wiring harness to bypass the anti-theft shutdown. The WCM signals shutdown to a peer ECU via a falling-edge voltage transition on a dedicated wire pair. The receiving ECU does not distinguish between an active shutdown pulse and an open-circuit / disconnected condition; interrupting the relevant wires leaves the motorcycle fully operable even though the WCM never validated the rider's PIN. Specific connector details have been withheld pending vendor remediation.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-29
Last Modified
2026-06-27
Generated
2026-07-09
AI Q&A
2026-05-29
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
indian_motorcycle scout_bobber 2025

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
CWE-1384 The product does not properly handle unexpected physical or environmental conditions that occur naturally or are artificially induced.
CWE-693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability involves improper handling of physical conditions in the bike-shutdown control system of the Indian Motorcycle Scout Bobber + Tech 2025 model year. A physical attacker with access to the Wireless Control Module (WCM) wiring harness can bypass the anti-theft shutdown mechanism. The WCM signals shutdown to a peer ECU using a falling-edge voltage transition on a dedicated wire pair. However, the receiving ECU cannot distinguish between a legitimate shutdown signal and a disconnected or open-circuit condition. By interrupting the relevant wires, the attacker can keep the motorcycle fully operable without the WCM validating the rider's PIN.

Impact Analysis

This vulnerability allows an attacker with physical access to the motorcycle's wiring harness to bypass the anti-theft shutdown control, effectively enabling unauthorized use or theft of the motorcycle. Since the shutdown signal can be spoofed by disconnecting wires, the motorcycle remains operable without proper authentication, compromising the security and availability of the vehicle.

Detection Guidance

This vulnerability involves physical manipulation of the Wireless Control Module (WCM) wiring harness to bypass the anti-theft shutdown on the Indian Motorcycle Scout Bobber + Tech 2025 model. Detection requires physical inspection of the WCM wiring harness for signs of tampering or disconnection.

Since the vulnerability is related to physical wiring and hardware signals rather than network traffic or software logs, there are no specific network or system commands that can directly detect this issue.

Monitoring the motorcycle's behavior for unexpected operability despite the anti-theft system being engaged may indicate exploitation of this vulnerability.

Mitigation Strategies

Immediate mitigation involves securing physical access to the Wireless Control Module (WCM) wiring harness to prevent unauthorized manipulation.

Inspect and protect the wiring harness to ensure it is not disconnected or tampered with, as interrupting the wires allows bypassing the anti-theft shutdown.

Await vendor remediation for specific connector details and potential hardware or firmware updates that address the improper handling of physical conditions.

Consider additional physical security measures such as tamper-evident seals or enclosures around the WCM wiring harness.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49325. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart