CVE Vulnerability Details: CVE-2026-49322
PUBLISHED
Assigner: ASRG
Assigner Org ID: c15abc07-96a9-4d11-a503-5d621bfe42ba
Published At: 29 May, 2026 | 07:29
Updated At: 29 May, 2026 | 13:45
Rejected At:
CVE Numbering Authority (CNA)
Indian Scout Bobber 2025 Infotainment-to-WCM weak authentication allows recovery of user PIN from observed exchange

Weak authentication in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the user-set unlock PIN by passively observing a single PIN authentication exchange. The Infotainment Digital Round display computes its response using a non-cryptographic operation rather than a cryptographic challenge-response, so the PIN is mathematically derivable from one captured exchange, defeating the motorcycle's primary user-authentication control. Specific protocol details have been withheld pending vendor remediation.

Affected Products
Vendor
Indian Motorcycle (Polaris Inc.)
Product
Scout Bobber + Tech
Modules
  • Wireless Control Module (WCM)
  • Infotainment / Digital Round
Platforms
  • OEM Motorcycle
Default Status
unknown
Versions
Affected
  • 2025 (model-year)
Problem Types
Type: CWE
CWE ID: CWE-1390
Description: CWE-1390 Weak Authentication
Type: CWE
CWE ID: CWE-327
Description: CWE-327 Use of a Broken or Risky Cryptographic Algorithm
Type: CWE
CWE ID: CWE-294
Description: CWE-294 Authentication Bypass by Capture-Replay
Metrics
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Version: 4.0
Base score: 4.1
Base severity: MEDIUM
Vector: CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC ID: N/A
Description: Cryptanalysis
CAPEC ID: N/A
Description: Authentication Abuse
Solutions

Replace the non-cryptographic response computation with a digital signature (for example ECDSA P-256) or an HMAC over a fresh per-session random nonce, bound to a stable per-vehicle identifier to prevent cross-bike replay.
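
The HMAC option described above, sketched as an added example (not code from the vendor or from the advisory). The class and function names, the context label, the vehicle identifiers and the assumption that both modules hold a provisioned high-entropy pairing key are all hypothetical.

```python
import hashlib
import hmac
import secrets

CONTEXT = b"pin-auth-v1"  # constructed domain-separation label (assumption)

def compute_response(key: bytes, vehicle_id: bytes, nonce: bytes) -> bytes:
    """Prover side: HMAC-SHA256 over length-prefixed context, vehicle id, nonce."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in (CONTEXT, vehicle_id, nonce))
    return hmac.new(key, msg, hashlib.sha256).digest()

class Verifier:
    """Verifier side: issues fresh nonces and accepts each one at most once."""

    def __init__(self, key: bytes, vehicle_id: bytes):
        # Assumption: the key is a provisioned random secret, not the user PIN,
        # because a low-entropy key could be guessed offline from one exchange.
        if len(key) < 32:
            raise ValueError("key must be a high-entropy secret of at least 32 bytes")
        self._key, self._vehicle_id = key, vehicle_id
        self._pending = None  # one outstanding challenge per session

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, response: bytes) -> bool:
        nonce, self._pending = self._pending, None  # consumed on pass or fail
        if nonce is None:
            return False
        expected = compute_response(self._key, self._vehicle_id, nonce)
        return hmac.compare_digest(expected, response)  # constant-time compare

def demo() -> dict:
    key = secrets.token_bytes(32)                          # constructed pairing key
    bike_a, bike_b = b"VEHICLE-A-0001", b"VEHICLE-B-0002"  # constructed identifiers
    # The same key on both verifiers is constructed to isolate the id binding.
    wcm_a, wcm_b = Verifier(key, bike_a), Verifier(key, bike_b)

    captured = compute_response(key, bike_a, wcm_a.new_challenge())
    results = {"fresh": wcm_a.verify(captured)}
    results["same_nonce_again"] = wcm_a.verify(captured)    # nonce already consumed
    wcm_a.new_challenge()
    results["replay_new_session"] = wcm_a.verify(captured)  # bound to the old nonce
    # A response bound to bike A, even for bike B's own nonce, is rejected by B.
    results["cross_vehicle"] = wcm_b.verify(
        compute_response(key, bike_a, wcm_b.new_challenge()))
    return results

if __name__ == "__main__":
    print(demo())
```

Only the fresh response verifies; the repeated, replayed and cross-vehicle responses are all rejected.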

Configurations

Workarounds

Exploits

Credits

Finder: Scott Sheahan, Rustic Security LLC
Timeline
Event: Reported to Indian Motorcycle by Rustic Security LLC (responsible disclosure)
Date: 2025-03-26 00:00:00
Replaced By

Rejected Reason

References
Hyperlink: https://www.asrg.io/security-advisories/cve-2026-49322-indian-scout-infotainment-wcm-weak-authentication
Resource: third-party-advisory