CVE-2026-49323

Name of the Vulnerable Software and Affected Versions Indian Motorcycle Scout Bobber + Tech 2025 model year

Description Weak authentication exists between the Wireless Control Module (WCM) and the Engine Control Module (ECM). An adjacent-network attacker with read access to the in-vehicle network can recover the per-vehicle ECM immobilizer secret by passively observing a single seed/key exchange. This is possible because the WCM uses a reversible, non-cryptographic operation instead of a cryptographic challenge-response to derive its response, allowing the persistent immobilizer secret to be reconstructed from one captured exchange. An attacker possessing this secret can authenticate to the ECM independently of the WCM to start the engine, effectively bypassing the immobilizer.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.