Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-49316
PUBLISHED
More InfoOfficial Page
Assigner-ASRG
Assigner Org ID-c15abc07-96a9-4d11-a503-5d621bfe42ba
View Known Exploited Vulnerability (KEV) details
Published At-29 May, 2026 | 12:39
Updated At-29 May, 2026 | 12:39
Rejected At-
▼CVE Numbering Authority (CNA)
Indian Scout Bobber 2025 WCM CAN bus-off attack silently bypasses anti-theft shutdown

Expected behavior violation in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the motorcycle's anti-theft shutdown by forcing the Wireless Control Module (WCM) into the CAN bus-off state. Using a well-known CAN error-frame injection technique against a periodic WCM transmission, the attacker drives the WCM CAN controller's transmit error counter past the bus-off threshold, after which the WCM stops transmitting all messages, including the shutdown command. Peer ECUs do not interpret WCM silence as a security event and continue normal operation, allowing the motorcycle to be operated despite the immobilizer never having been unlocked. Specific protocol details have been withheld pending vendor remediation.

Affected Products
Vendor
Indian Motorcycle (Polaris Inc.)
Product
Scout Bobber + Tech
Modules
  • Wireless Control Module (WCM)
Platforms
  • OEM Motorcycle
Default Status
unknown
Versions
Affected
  • 2025 (model-year)
Problem Types
TypeCWE IDDescription
CWECWE-440CWE-440 Expected Behavior Violation
CWECWE-754CWE-754 Improper Check for Unusual or Exceptional Conditions
CWECWE-693CWE-693 Protection Mechanism Failure
Type: CWE
CWE ID: CWE-440
Description: CWE-440 Expected Behavior Violation
Type: CWE
CWE ID: CWE-754
Description: CWE-754 Improper Check for Unusual or Exceptional Conditions
Type: CWE
CWE ID: CWE-693
Description: CWE-693 Protection Mechanism Failure
Metrics
VersionBase scoreBase severityVector
3.14.6MEDIUM
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.04.1MEDIUM
CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Version: 3.1
Base score: 4.6
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Version: 4.0
Base score: 4.1
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
N/AObstruction
N/ASoftware Integrity Attack
CAPEC ID: N/A
Description: Obstruction
CAPEC ID: N/A
Description: Software Integrity Attack
Solutions

Treat absence of the WCM heartbeat as a security event in peer ECUs — command shutdown if the WCM's periodic message is missing beyond a bounded interval. Authenticate the heartbeat with AUTOSAR SecOC or equivalent to prevent post-silence spoofing. Auto-recover the WCM from bus-off and log the event.

Configurations
Workarounds
Exploits
Credits
finder
Scott Sheahan, Rustic Security LLC
Timeline
EventDate
Reported to Indian Motorcycle by Rustic Security LLC (responsible disclosure)2025-03-26 00:00:00
Event: Reported to Indian Motorcycle by Rustic Security LLC (responsible disclosure)
Date: 2025-03-26 00:00:00
Replaced By
Rejected Reason
References
HyperlinkResource
https://cwe.mitre.org/data/definitions/440.html
technical-description
Hyperlink: https://cwe.mitre.org/data/definitions/440.html
Resource:
technical-description
Details not found