This vulnerability involves weak authentication between the WCM and ECM in the 2025 Indian Motorcycle Scout Bobber + Tech. The WCM's response to the ECM's challenge is generated using a reversible, non-cryptographic method, enabling an adjacent-network attacker who can observe the in-vehicle network to recover the persistent immobilizer secret from a single captured seed/key exchange. With this secret, the attacker can authenticate directly to the ECM and start the engine, effectively defeating the immobilizer security feature. Specific protocol details remain undisclosed pending vendor remediation. The CVSS 3.1 base score is 4.3, reflecting a medium severity with attack vector requiring physical proximity (adjacent network), low attack complexity, no privileges required, and user interaction needed.

The impact is that an attacker with read access to the in-vehicle network can bypass the engine immobilizer by recovering the secret used for authentication, allowing unauthorized engine start. This compromises the vehicle's theft protection mechanism. There is no indication of impact on confidentiality, integrity, or availability beyond the ability to start the engine without authorization.

No official patch or remediation has been announced by the vendor as of the published date. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, limiting physical and network access to the vehicle's in-vehicle network is recommended to reduce exposure. Monitor for vendor updates regarding an official fix or mitigation.