Executive Summary

A critical security vulnerability, identified as CVE-2025-14346, affects all versions of WHILL Model C2 Electric Wheelchairs and Model F Power Chairs. The flaw, rated with a CVSS score of 9.8 (CRITICAL), stems from a lack of authentication for Bluetooth connections. This allows any attacker within Bluetooth range to pair with and assume control of the devices without requiring credentials or user interaction. Successful exploitation enables an attacker to issue movement commands, override speed restrictions, and manipulate the wheelchair’s configuration profiles.

In response, the vendor, WHILL Inc., deployed several mitigations on December 29, 2025, including firmware safeguards against unauthorised speed profile modification, restrictions on unlock commands while in motion, and obfuscation of mobile application configuration files. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued general recommendations for network security and defensive measures. As of the advisory’s release on December 30, 2025, there are no known public reports of this vulnerability being actively exploited.

Vulnerability Analysis

Vulnerability Details (CVE-2025-14346)

The core vulnerability is categorised as CWE-306: Missing Authentication for Critical Function. The affected WHILL electric wheelchairs do not enforce any authentication mechanism for their Bluetooth connections. This design flaw creates a critical attack vector.

  • Attack Vector: An unauthorised individual within Bluetooth range can directly pair with an active wheelchair.
  • User Interaction: No user interaction, credentials, or prior authorisation is necessary to establish a connection.
  • Impact of Exploitation: A successful attacker could achieve full control over the product, leading to severe safety risks. Specific malicious actions include:
    • Issuing arbitrary movement commands to the wheelchair.
    • Overriding pre-set speed restrictions.
    • Manipulating saved user configuration profiles.

Affected Products

The vulnerability impacts all versions of the following products from WHILL Inc., a company headquartered in Japan. These devices are deployed worldwide within the Healthcare and Public Health sectors.

Vendor        Product                         Versions   Status
WHILL Inc.    Model C2 Electric Wheelchair    All        Known Affected
WHILL Inc.    Model F Power Chair             All        Known Affected

Severity Assessment

The vulnerability has been assigned a critical severity rating (CVSS 9.8) based on the Common Vulnerability Scoring System (CVSS).

The scoring vector indicates an easily exploitable vulnerability over the network (Bluetooth), requiring no privileges or user interaction, with a high impact on confidentiality, integrity, and availability.

Mitigation and Response

Vendor Mitigations

WHILL Inc. deployed the following mitigations on December 29, 2025, to address the vulnerability:

  • Device-Side Speed Profile Protection: A safeguard was implemented in the wheelchair firmware to prevent the mobile application from making unauthorised modifications to speed profiles.
  • Unlock Command Restriction During Motion: The firmware was updated to block any “unlock” commands issued from either the mobile application or a smart key while the wheelchair is actively in motion.
  • Application JSON File Obfuscation: On both Android and iOS platforms, the mobile application’s JSON configuration files were converted into a binary format to obfuscate their contents.
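The two firmware safeguards above (speed profile protection and the unlock restriction during motion) and the missing-authentication flaw they respond to can be illustrated with a command gate of the kind a firmware engineer would place in front of a Bluetooth command handler. The following C program is an added example written for this page; it is not WHILL's code and does not model WHILL's actual protocol. The command set, the `chair_state_t` fields, the `SPEED_CEILING` value and the policy in `handle_command_hardened` are all constructed assumptions. The first handler applies any command from any connected peer (the CWE-306 condition); the second requires an authenticated session, blocks unlock while in motion from the app and the smart key alike, and refuses speed profile writes that exceed a firmware-enforced ceiling or arrive while the chair is moving.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed command set for illustration only (not WHILL's protocol). */
typedef enum { CMD_MOVE, CMD_UNLOCK, CMD_SET_SPEED_PROFILE } cmd_type_t;
typedef enum { SRC_APP, SRC_SMART_KEY } cmd_source_t;

typedef struct {
    cmd_type_t   type;
    cmd_source_t source;
    uint8_t      profile_id;  /* which saved profile to modify */
    uint8_t      max_speed;   /* requested ceiling for that profile (constructed units) */
} command_t;

#define NUM_PROFILES  3
#define SPEED_CEILING 6       /* assumed firmware-enforced upper bound */

typedef struct {
    bool    session_authenticated;     /* peer completed a pairing/auth handshake */
    bool    in_motion;
    bool    locked;
    uint8_t speed_limit[NUM_PROFILES]; /* persisted per-profile limits */
} chair_state_t;

typedef enum {
    ACCEPTED,
    REJECTED_UNAUTHENTICATED,
    REJECTED_IN_MOTION,
    REJECTED_SPEED_CEILING,
    REJECTED_LOCKED,
    REJECTED_BAD_COMMAND
} verdict_t;

/* Vulnerable shape: every command from every connected peer is applied.
 * This is the behaviour CWE-306 describes; it exists here only as the
 * "before" for comparison with the hardened gate below. */
verdict_t handle_command_unauthenticated(chair_state_t *s, const command_t *c)
{
    switch (c->type) {
    case CMD_UNLOCK:
        s->locked = false;
        return ACCEPTED;
    case CMD_SET_SPEED_PROFILE:
        if (c->profile_id >= NUM_PROFILES) return REJECTED_BAD_COMMAND;
        s->speed_limit[c->profile_id] = c->max_speed;   /* no bound, no auth */
        return ACCEPTED;
    case CMD_MOVE:
        s->in_motion = true;
        return ACCEPTED;
    default:
        return REJECTED_BAD_COMMAND;
    }
}

/* Hardened gate: authentication first, then per-command safety rules
 * mirroring the two firmware mitigations described in the advisory. */
verdict_t handle_command_hardened(chair_state_t *s, const command_t *c)
{
    if (!s->session_authenticated)           /* reject before touching state */
        return REJECTED_UNAUTHENTICATED;

    switch (c->type) {
    case CMD_UNLOCK:
        /* Unlock is refused while moving regardless of source (app or smart key). */
        if (s->in_motion) return REJECTED_IN_MOTION;
        s->locked = false;
        return ACCEPTED;
    case CMD_SET_SPEED_PROFILE:
        if (c->profile_id >= NUM_PROFILES) return REJECTED_BAD_COMMAND;
        if (s->in_motion)                   return REJECTED_IN_MOTION;
        /* Device-side bound: the client cannot raise a profile past the ceiling. */
        if (c->max_speed > SPEED_CEILING)   return REJECTED_SPEED_CEILING;
        s->speed_limit[c->profile_id] = c->max_speed;
        return ACCEPTED;
    case CMD_MOVE:
        if (s->locked) return REJECTED_LOCKED;
        s->in_motion = true;
        return ACCEPTED;
    default:
        return REJECTED_BAD_COMMAND;
    }
}

int main(void)
{
    /* Constructed scenario: a chair in motion, locked, with an unauthenticated peer. */
    chair_state_t s = { false, true, true, { 4, 5, 6 } };
    command_t unlock = { CMD_UNLOCK, SRC_SMART_KEY, 0, 0 };
    command_t raise  = { CMD_SET_SPEED_PROFILE, SRC_APP, 1, 20 };

    printf("hardened unlock (unauthenticated): %d\n", handle_command_hardened(&s, &unlock));
    s.session_authenticated = true;
    printf("hardened unlock (in motion):       %d\n", handle_command_hardened(&s, &unlock));
    s.in_motion = false;
    printf("hardened unlock (stopped):         %d\n", handle_command_hardened(&s, &unlock));
    printf("hardened profile write (over cap): %d\n", handle_command_hardened(&s, &raise));
    return 0;
}
```

The design point is that the checks live in the firmware, on the device side of the Bluetooth link: a session that has not authenticated is rejected before any state is read, and the speed bound and motion check hold no matter what the client sends, which is what the advisory's device-side safeguard achieves independently of the app's configuration files.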

CISA Recommended Practices

CISA recommends that users and organisations take general defensive measures to minimise the risk of exploitation for all industrial control systems (ICS). While not specific to this device, these practices enhance overall security posture:

  • Network Security:
    • Minimise network exposure for all control system devices, ensuring they are not accessible from the public internet.
    • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
    • When remote access is required, utilise secure methods like Virtual Private Networks (VPNs), ensuring they are kept up to date.
  • Procedural Security:
    • Organisations should perform proper impact analysis and risk assessments before deploying any defensive measures.
    • Implement a defense-in-depth strategy for ICS assets.
    • Utilise strategies for targeted cyber intrusion detection and mitigation.
  • User Awareness:
    • Protect against social engineering attacks by not clicking links or opening attachments in unsolicited emails.
    • Follow established internal procedures for reporting suspected malicious activity to CISA for tracking and correlation.

Advisory Context

  • Advisory Identification: ICSMA-25-364-01
  • Release Date: December 30, 2025
  • Discovery and Reporting: The vulnerability was reported to CISA by the Exploit Development Team at QED Secure Solutions. The following individuals were acknowledged for the discovery:
    • Billy Rios
    • Jesse Young
    • Brandon Rothel
    • Jonathan Butts
    • Henri Hein
    • Justin Boling
    • Nick Kulesza
    • Ken Natividad
    • Carl Schuette
  • Exploitation Status: As of the advisory’s publication, CISA has not received any reports of known public exploitation specifically targeting this vulnerability.
