Home

Description

Weak authentication between the Wireless Control Module (WCM) and the Engine Control Module (ECM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the per-vehicle ECM immobilizer secret by passively observing a single seed/key exchange. The WCM derives its response using a reversible, non-cryptographic operation rather than a cryptographic challenge-response, so the persistent immobilizer secret can be reconstructed from one captured exchange. With this secret the attacker can authenticate to the ECM independently of the WCM and start the engine, defeating the immobilizer. Specific protocol details have been withheld pending vendor remediation.

PUBLISHED Reserved 2026-05-29 | Published 2026-05-29 | Updated 2026-05-29 | Assigner ASRG




MEDIUM: 4.3CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

MEDIUM: 4.1CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-1390 Weak Authentication

CWE-327 Use of a Broken or Risky Cryptographic Algorithm

CWE-798 Use of Hard-coded Credentials

Product status

Default status
unknown

2025 (model-year)
affected

Timeline

2025-03-26:Reported to Indian Motorcycle by Rustic Security LLC (responsible disclosure)

Credits

Scott Sheahan, Rustic Security LLC finder

References

www.asrg.io/...9323-indian-scout-wcm-ecm-weak-authentication third-party-advisory

cve.org (CVE-2026-49323)

nvd.nist.gov (CVE-2026-49323)

Download JSON