Home

Description

Expected behavior violation in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the motorcycle's anti-theft shutdown by forcing the Wireless Control Module (WCM) into the CAN bus-off state. Using a well-known CAN error-frame injection technique against a periodic WCM transmission, the attacker drives the WCM CAN controller's transmit error counter past the bus-off threshold, after which the WCM stops transmitting all messages, including the shutdown command. Peer ECUs do not interpret WCM silence as a security event and continue normal operation, allowing the motorcycle to be operated despite the immobilizer never having been unlocked. Specific protocol details have been withheld pending vendor remediation.

PUBLISHED Reserved 2026-05-29 | Published 2026-05-29 | Updated 2026-05-29 | Assigner ASRG




MEDIUM: 4.6CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

MEDIUM: 4.1CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-440 Expected Behavior Violation

CWE-754 Improper Check for Unusual or Exceptional Conditions

CWE-693 Protection Mechanism Failure

Product status

Default status
unknown

2025 (model-year)
affected

Timeline

2025-03-26:Reported to Indian Motorcycle by Rustic Security LLC (responsible disclosure)

Credits

Scott Sheahan, Rustic Security LLC finder

References

cwe.mitre.org/data/definitions/440.html technical-description

cve.org (CVE-2026-49316)

nvd.nist.gov (CVE-2026-49316)

Download JSON