CVE-2026-49325
Description
Improper handling of physical conditions in the bike-shutdown control of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows a physical attacker with access to the Wireless Control Module (WCM) wiring harness to bypass the anti-theft shutdown. The WCM signals shutdown to a peer ECU via a falling-edge voltage transition on a dedicated wire pair. The receiving ECU does not distinguish between an active shutdown pulse and an open-circuit / disconnected condition; interrupting the relevant wires leaves the motorcycle fully operable even though the WCM never validated the rider's PIN. Specific connector details have been withheld pending vendor remediation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Physical attackers can bypass the anti-theft shutdown of the Indian Motorcycle Scout Bobber + Tech 2025 by interrupting the WCM wiring harness, leaving the motorcycle operable without PIN validation.
Vulnerability
The vulnerability resides in the bike-shutdown control of the Indian Motorcycle Scout Bobber + Tech 2025 model year. The Wireless Control Module (WCM) signals a shutdown to a peer ECU via a falling-edge voltage transition on a dedicated wire pair. The receiving ECU does not distinguish between an active shutdown pulse and an open-circuit or disconnected condition. This improper handling of physical conditions allows an attacker to bypass the anti-theft shutdown mechanism [1]. The affected model year is specifically 2025.
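The fail-open behaviour described above, next to a fail-secure receiver, as an added example that is not vendor firmware and not part of the CVE record. The three-state line model, the pull-up assumption, the supervised input and all names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Physical condition of the shutdown line at each sample (constructed model). */
typedef enum { LINE_IDLE, LINE_SHUTDOWN, LINE_OPEN } line_cond;

/* Assumption: the legacy input is a plain digital pin with a pull-up, so an
   open wire reads the same logic level as a healthy idle line. */
static bool legacy_level_high(line_cond c) { return c != LINE_SHUTDOWN; }

/* Fail-open receiver: running is denied only if a falling edge is observed. */
bool legacy_run_allowed(const line_cond *s, size_t n) {
    bool prev_high = true, shutdown = false;
    for (size_t i = 0; i < n; i++) {
        bool high = legacy_level_high(s[i]);
        if (prev_high && !high) shutdown = true;  /* falling edge latches */
        prev_high = high;
    }
    return !shutdown;
}

/* Fail-secure receiver: assumes a supervised input that can tell the three
   conditions apart; anything other than a healthy idle line denies running. */
bool supervised_run_allowed(const line_cond *s, size_t n) {
    if (n == 0) return false;                     /* no evidence: deny */
    for (size_t i = 0; i < n; i++)
        if (s[i] != LINE_IDLE) return false;      /* pulse or open circuit */
    return true;
}

/* Constructed traces, four samples each. */
#define LEN(a) (sizeof(a) / sizeof((a)[0]))
const line_cond TRACE_PIN_OK[]   = { LINE_IDLE, LINE_IDLE, LINE_IDLE, LINE_IDLE };
const line_cond TRACE_SHUTDOWN[] = { LINE_IDLE, LINE_IDLE, LINE_SHUTDOWN, LINE_IDLE };
const line_cond TRACE_WIRE_CUT[] = { LINE_IDLE, LINE_OPEN, LINE_OPEN, LINE_OPEN };

int main(void) {
    printf("trace      legacy  supervised\n");
    printf("pin ok     %d       %d\n", legacy_run_allowed(TRACE_PIN_OK, LEN(TRACE_PIN_OK)),
           supervised_run_allowed(TRACE_PIN_OK, LEN(TRACE_PIN_OK)));
    printf("shutdown   %d       %d\n", legacy_run_allowed(TRACE_SHUTDOWN, LEN(TRACE_SHUTDOWN)),
           supervised_run_allowed(TRACE_SHUTDOWN, LEN(TRACE_SHUTDOWN)));
    printf("wire cut   %d       %d\n", legacy_run_allowed(TRACE_WIRE_CUT, LEN(TRACE_WIRE_CUT)),
           supervised_run_allowed(TRACE_WIRE_CUT, LEN(TRACE_WIRE_CUT)));
    return 0;
}
```

Line supervision only detects that the wire is no longer healthy; it does not authenticate the sender, so a stronger design gates run permission on a positive, authenticated authorization rather than on the absence of a shutdown signal.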
Exploitation
A physical attacker with access to the WCM wiring harness can exploit this vulnerability. By interrupting the relevant wires (e.g., cutting or disconnecting them), the attacker can prevent the shutdown signal from being transmitted. Since the receiving ECU cannot differentiate between a valid shutdown pulse and an open circuit, the motorcycle remains fully operable even though the WCM never validated the rider's PIN. No authentication or special tools are required beyond physical access to the harness.
Impact
Successful exploitation allows an attacker to operate the motorcycle without authorization, effectively bypassing the PIN-based anti-theft system. The attacker gains the ability to start and ride the vehicle, leading to a complete loss of vehicle access control. The compromise affects the confidentiality (no theft protection) and integrity (operational status) of the system.
Mitigation
As of the publication date (2026-05-29), the vendor has not released a fix. Specific connector details have been withheld pending vendor remediation. Owners should be aware of the vulnerability and consider physical security measures to limit access to the WCM wiring harness until an official update is provided.
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0
No linked articles in our index yet.