VYPR
Low severity 2.4 · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-49317

Description

Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. The Infotainment uses presence of Wireless Control Module (WCM) traffic during its boot window as a proxy for whether an immobilizer is fitted; if no WCM messages are observed, it skips the PIN entry screen and shows the normal user interface. An attacker who silences the WCM during the boot window — for example via a separately tracked CAN bus-off technique — can present a fully unlocked Infotainment despite the PIN never being entered. Specific timing and protocol details have been withheld pending vendor remediation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Adjacent-network attacker can bypass Infotainment PIN on Indian Motorcycle Scout Bobber + Tech 2025 by silencing the Wireless Control Module during boot, due to incorrect behavior order.

Vulnerability

The Infotainment / Digital Round display in the Indian Motorcycle Scout Bobber + Tech 2025 model year has an incorrect behavior order [1]: it uses the presence of Wireless Control Module (WCM) traffic during its boot window as a proxy for whether an immobilizer is fitted. If no WCM messages are observed, the system skips the PIN entry screen and shows the normal user interface. Affected versions are those shipped with the 2025 model year vehicle; no specific firmware version has been disclosed.
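The decision flaw described above, modelled as an added example; this is not vendor firmware or code from the advisory. The sender labels, the persisted `pin_enrolled` flag and the fail-closed variant are assumptions made for illustration, and no real CAN identifiers or timings are used.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model: one entry per bus frame seen in the boot window.
   Sender labels are hypothetical; no real CAN IDs or timings are used. */
typedef enum { SENDER_WCM, SENDER_OTHER } sender_t;
typedef enum { UI_UNLOCKED, UI_PIN_PROMPT } ui_state_t;

/* Constructed sample boot windows. */
static const sender_t NORMAL_BOOT[] = { SENDER_OTHER, SENDER_WCM, SENDER_OTHER };
static const sender_t SILENT_BOOT[] = { SENDER_OTHER, SENDER_OTHER };

/* True if any WCM frame arrived during the boot window. */
static bool wcm_seen(const sender_t *frames, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (frames[i] == SENDER_WCM)
            return true;
    return false;
}

/* Behaviour as the advisory describes it: no WCM traffic is read as
   "no immobilizer fitted", so the PIN screen is skipped (fail-open). */
ui_state_t decide_as_described(const sender_t *frames, size_t n) {
    return wcm_seen(frames, n) ? UI_PIN_PROMPT : UI_UNLOCKED;
}

/* Assumed alternative: the PIN requirement comes from a flag the display
   persists itself (hypothetical), so bus silence cannot lower it. Silence
   on a unit that has a PIN enrolled is reported for logging. */
ui_state_t decide_fail_closed(bool pin_enrolled, const sender_t *frames,
                              size_t n, bool *wcm_missing) {
    *wcm_missing = pin_enrolled && !wcm_seen(frames, n);
    return pin_enrolled ? UI_PIN_PROMPT : UI_UNLOCKED;
}

int main(void) {
    bool missing = false;
    ui_state_t n = decide_as_described(NORMAL_BOOT, 3);
    ui_state_t a = decide_as_described(SILENT_BOOT, 2);
    ui_state_t b = decide_fail_closed(true, SILENT_BOOT, 2, &missing);
    printf("as described, WCM present: %s\n", n == UI_PIN_PROMPT ? "PIN prompt" : "unlocked");
    printf("as described, WCM silent:  %s\n", a == UI_PIN_PROMPT ? "PIN prompt" : "unlocked");
    printf("fail closed,  WCM silent:  %s, WCM missing flagged: %d\n",
           b == UI_PIN_PROMPT ? "PIN prompt" : "unlocked", missing);
    return 0;
}
```

The second function keeps the PIN prompt whenever a PIN has been enrolled, and turns an unexpectedly silent WCM into a signal worth recording rather than a reason to unlock.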

Exploitation

An adjacent-network attacker can exploit this by silencing the WCM during the boot window. Using a CAN bus-off technique (tracked separately), the attacker disrupts WCM communication precisely when the Infotainment is booting. The attacker must be in close proximity to the vehicle to inject or interfere with CAN traffic. No authentication or user interaction is required.

Impact

Successful exploitation allows the attacker to present a fully unlocked Infotainment interface without entering the PIN. This can lead to disclosure of sensitive information stored on the system (e.g., contacts, trip history) and may allow unauthorized modification of vehicle settings. The attacker gains a level of access normally restricted to an authenticated user.

Mitigation

As of the publication date (2026-05-29), no fix has been released. The vendor has been notified and remediation is pending. Specific timing and protocol details have been withheld to facilitate a patch. No workaround is currently available. The vulnerability is not listed on CISA's KEV.

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
