CVE-2026-49316 MEDIUM

CVE-2026-49316: Indian Scout Bobber 2025 WCM CAN bus-off attack silently bypasses anti-theft shutdown

Vendor Indian Motorcycle (Polaris Inc.)
Product Scout Bobber + Tech
Weakness CWE-440
Published May 29, 2026
Last update May 29, 2026

CVSS base score

4.6/10
Attack vector Physical
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

Expected behavior violation in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the motorcycle's anti-theft shutdown by forcing the Wireless Control Module (WCM) into the CAN bus-off state. Using a well-known CAN error-frame injection technique against a periodic WCM transmission, the attacker drives the WCM CAN controller's transmit error counter past the bus-off threshold, after which the WCM stops transmitting all messages, including the shutdown command. Peer ECUs do not interpret WCM silence as a security event and continue normal operation, allowing the motorcycle to be operated despite the immobilizer never having been unlocked. Specific protocol details have been withheld pending vendor remediation.

Key dates

02Disclosure timeline

May 29, 2026 CVE published
May 29, 2026 Record updated