CVE-2026-49322 | May 29, 2026

Indian Scout 2025: Infotainment-to-WCM weak authentication allows PIN recovery

Description

Weak authentication in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the user-set unlock PIN by passively observing a single PIN authentication exchange. The Infotainment Digital Round display computes its response using a non-cryptographic operation rather than a cryptographic challenge-response, so the PIN is mathematically derivable from one captured exchange, defeating the motorcycle's primary user-authentication control.

Specific protocol details have been withheld pending vendor remediation.

Recommended remediation:

Replace the non-cryptographic response computation with a digital signature (for example ECDSA P-256) or an HMAC over a fresh per-session random nonce, bound to a stable per-vehicle identifier to prevent cross-bike replay.
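The HMAC variant of this remediation, sketched as an added example; it is not code from the advisory, the finder or the vendor, and it does not reflect the withheld protocol. It shows a verifier issuing a single-use nonce and a prover answering with HMAC-SHA256 over the vehicle identifier, the nonce and the PIN. Assumptions: a 32-byte secret already provisioned to both modules, the field layout, the `pin-auth-v1` label, including the PIN in the MAC input, and all names and sample values are hypothetical.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # bytes per challenge (assumed size)

def compute_response(key: bytes, vehicle_id: bytes, nonce: bytes, pin: str) -> bytes:
    """Prover side: HMAC-SHA256 over context label, vehicle id, nonce and PIN."""
    # Length-prefix the variable-length fields so their boundaries are unambiguous.
    msg = b"pin-auth-v1"
    for field in (vehicle_id, nonce, pin.encode()):
        msg += len(field).to_bytes(2, "big") + field
    return hmac.new(key, msg, hashlib.sha256).digest()

class Verifier:
    """Verifier side (hypothetical): issues nonces and checks responses."""

    def __init__(self, key: bytes, vehicle_id: bytes, pin: str):
        # key must be a high-entropy secret; a short PIN is not usable as the key.
        self._key, self._vehicle_id, self._pin = key, vehicle_id, pin
        self._pending = None  # the one outstanding nonce, if any

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(NONCE_LEN)
        return self._pending

    def verify(self, response: bytes) -> bool:
        nonce, self._pending = self._pending, None  # each nonce is single-use
        if nonce is None:
            return False
        expected = compute_response(self._key, self._vehicle_id, nonce, self._pin)
        return hmac.compare_digest(expected, response)  # constant-time compare

def demo() -> dict:
    """Run the exchange on constructed values and report each outcome."""
    key = secrets.token_bytes(32)
    id_a, id_b = b"CONSTRUCTED-VEHICLE-A", b"CONSTRUCTED-VEHICLE-B"
    bike_a = Verifier(key, id_a, "4821")
    bike_b = Verifier(key, id_b, "4821")  # same key and PIN, to isolate the id binding
    out = {}
    captured = compute_response(key, id_a, bike_a.challenge(), "4821")
    out["fresh"] = bike_a.verify(captured)
    bike_a.challenge()
    out["replayed"] = bike_a.verify(captured)  # old response, new nonce
    out["wrong_pin"] = bike_a.verify(compute_response(key, id_a, bike_a.challenge(), "0000"))
    out["other_bike"] = bike_b.verify(compute_response(key, id_a, bike_b.challenge(), "4821"))
    out["no_challenge"] = bike_a.verify(captured)
    return out

if __name__ == "__main__":
    print(demo())
```

Only the first case verifies. A response recorded from one session fails against a new nonce, and a response computed for one vehicle identifier fails on a verifier configured with another even when key and PIN match.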

Credits

Scott Sheahan, Rustic Security LLC (finder)

Timeline

2025-03-26: Reported to Indian Motorcycle (Polaris Inc.) by Rustic Security LLC under responsible disclosure

2026-05-29: Public disclosure by ASRG

Advisory Details

Affected Products: Indian Motorcycle (Polaris Inc.) Scout Bobber + Tech, 2025 model year — Wireless Control Module (WCM), Infotainment / Digital Round

Problem Type: CWE-1390 Weak Authentication

CAPEC ID: CAPEC-97 Cryptanalysis

CVSS 3.1: 4.3 (CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

CVSS 4.0: 4.1 (CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)

Published: May 29, 2026