VYPR
Medium severity 4.3 · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-49323

Description

Weak authentication between the Wireless Control Module (WCM) and the Engine Control Module (ECM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the per-vehicle ECM immobilizer secret by passively observing a single seed/key exchange. The WCM derives its response using a reversible, non-cryptographic operation rather than a cryptographic challenge-response, so the persistent immobilizer secret can be reconstructed from one captured exchange. With this secret the attacker can authenticate to the ECM independently of the WCM and start the engine, defeating the immobilizer. Specific protocol details have been withheld pending vendor remediation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2026-49323: Weak authentication in Indian Motorcycle Scout Bobber 2025 WCM-ECM immobilizer allows adjacent attackers to recover the secret and start the engine.

Vulnerability

CVE-2026-49323 describes a weak authentication mechanism between the Wireless Control Module (WCM) and the Engine Control Module (ECM) in the Indian Motorcycle Scout Bobber + Tech 2025 model year. The WCM derives its authentication response using a reversible, non-cryptographic operation rather than a cryptographic challenge-response. This allows an attacker with read access to the in-vehicle network to passively observe a single seed/key exchange and reconstruct the per-vehicle ECM immobilizer secret [1], [2]. The affected versions are limited to the 2025 model year of the Scout Bobber + Tech.

Exploitation

An attacker must be in adjacent network proximity and have read access to the in-vehicle network (e.g., CAN bus). Because the operation is reversible, passively capturing one legitimate seed/key exchange between the WCM and ECM is enough to compute the persistent immobilizer secret, without any active interaction or authentication. No special hardware beyond a standard CAN bus interface is needed [2].

Impact

With the recovered immobilizer secret, an attacker can authenticate to the ECM independently of the WCM and then start the engine, thereby defeating the vehicle immobilizer. This results in unauthorized physical access and the ability to operate the motorcycle, with high impact on vehicle security and theft prevention [2].

Mitigation

As of the advisory publication date (2026-05-29), no patch has been released by the vendor. The recommended remediation is to replace the non-cryptographic authentication response with HMAC-SHA-256 or ECDSA over a fresh nonce, ECU identifier, and session counter, and to provision per-vehicle symmetric keys in tamper-resistant secure elements on both authenticating modules [2]. Specific protocol details have been withheld pending vendor remediation [2].
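The recommended HMAC-SHA-256 construction can be sketched as follows. This is an added example, not vendor code and not the withheld protocol: the message layout, field sizes, and the names `compute_response` and `Verifier` are assumptions chosen for illustration. It shows why a captured exchange is useless to a passive observer: the tag is bound to a single-use nonce, the ECU identifier and a monotonic session counter.

```python
import hashlib
import hmac
import secrets
import struct

NONCE_LEN = 16  # bytes of fresh randomness per challenge (assumed size)


def compute_response(key: bytes, nonce: bytes, ecu_id: bytes, counter: int) -> bytes:
    """HMAC-SHA-256 over length-prefixed ECU id, nonce and 64-bit session counter."""
    msg = struct.pack(">B", len(ecu_id)) + ecu_id + nonce + struct.pack(">Q", counter)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Verifier:
    """Challenging module: issues single-use nonces and checks responses."""

    def __init__(self, key: bytes, ecu_id: bytes):
        self.key, self.ecu_id = key, ecu_id
        self.last_counter = 0   # highest session counter accepted so far
        self.pending = None     # outstanding nonce, consumed on first use

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(NONCE_LEN)
        return self.pending

    def verify(self, counter: int, tag: bytes) -> bool:
        nonce, self.pending = self.pending, None  # one attempt per nonce
        if nonce is None or counter <= self.last_counter:
            return False
        expected = compute_response(self.key, nonce, self.ecu_id, counter)
        if not hmac.compare_digest(expected, tag):  # constant-time compare
            return False
        self.last_counter = counter
        return True


def demo():
    key = secrets.token_bytes(32)   # constructed; real keys live in a secure element
    ecu_id = b"ECU-A"               # constructed identifier
    verifier = Verifier(key, ecu_id)
    tag = compute_response(key, verifier.challenge(), ecu_id, 1)
    fresh = verifier.verify(1, tag)          # legitimate exchange
    verifier.challenge()
    replayed = verifier.verify(1, tag)       # captured response, stale counter
    verifier.challenge()
    rebound = verifier.verify(2, tag)        # captured tag against a new nonce
    unsolicited = verifier.verify(3, tag)    # no outstanding challenge
    return fresh, replayed, rebound, unsolicited
```

Only the first call in `demo()` succeeds; the three reuse attempts fail because the tag no longer matches the nonce and counter the verifier expects.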

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1
