CVE-2026-49318— Indian Scout Bobber 2025 Infotainment Digital Round skips PIN entry when WCM is silent at boot
Possible ATT&CK Techniques 2AI
T1565.002 · Transmitted Data Manipulation T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Indian Motorcycle (Polaris Inc.) | Scout Bobber + Tech | 2025 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-49318
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Indian Scout Bobber 2025 Infotainment Digital Round skips PIN entry when WCM is silent at boot
Source: NVD (National Vulnerability Database)
Vulnerability Description
Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. The Infotainment uses presence of Wireless Control Module (WCM) traffic during its boot window as a proxy for whether an immobilizer is fitted; if no WCM messages are observed, it skips the PIN entry screen and shows the normal user interface. An attacker who silences the WCM during the boot window — for example via a separately tracked CAN bus-off technique — can present a fully unlocked Infotainment despite the PIN never being entered. Specific timing and protocol details have been withheld pending vendor remediation.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
不正确的行为次序
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Indian Motorcycle (Polaris Inc.) | Scout Bobber + Tech | 2025 | - |
II. Public POCs for CVE-2026-49318
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-49318
请登录查看更多情报信息。
Same Patch Batch · Indian Motorcycle (Polaris Inc.) · 2026-05-29 · 7 CVEs total
| CVE-2026-49324 | 4.6 MEDIUM | Indian Scout Bobber 2025 WCM brute-force |
| CVE-2026-49316 | 4.6 MEDIUM | Indian Scout Bobber 2025 WCM CAN bus-off attack silently bypasses anti-theft shutdown |
| CVE-2026-49325 | 4.6 MEDIUM | Indian Scout Bobber 2025 WCM voltage-based shutdown |
| CVE-2026-49322 | 4.3 MEDIUM | Indian Scout Bobber 2025 Infotainment-to-WCM weak authentication allows recovery of user P |
| CVE-2026-49323 | 4.3 MEDIUM | Indian Scout Bobber 2025 WCM-to-ECM weak authentication |
| CVE-2026-49317 | 2.4 LOW | Indian Scout Bobber 2025 Infotainment Digital Round skips PIN entry when WCM is silent at |
IV. Related Vulnerabilities
Same product: Scout Bobber + Tech
- CVE-2026-49317
Indian Scout Bobber 2025 Infotainment Digital Round skips PI - CVE-2026-49316
Indian Scout Bobber 2025 WCM CAN bus-off attack silently byp - CVE-2026-49325
Indian Scout Bobber 2025 WCM voltage-based shutdown - CVE-2026-49324
Indian Scout Bobber 2025 WCM brute-force - CVE-2026-49323
Indian Scout Bobber 2025 WCM-to-ECM weak authentication
Same vendor: Indian Motorcycle (Polaris Inc.)
- CVE-2026-49317
Indian Scout Bobber 2025 Infotainment Digital Round skips PI - CVE-2026-49316
Indian Scout Bobber 2025 WCM CAN bus-off attack silently byp - CVE-2026-49325
Indian Scout Bobber 2025 WCM voltage-based shutdown - CVE-2026-49324
Indian Scout Bobber 2025 WCM brute-force - CVE-2026-49323
Indian Scout Bobber 2025 WCM-to-ECM weak authentication
V. Comments for CVE-2026-49318
No comments yet