Affected Products
- WHILL Model C2 Electric Wheelchairs
- WHILL Model F Power Chairs
(All versions lacking patched firmware)
Severity
- CVSS v3.1 Score: 9.8 (Critical)
- Classified under CWE-306 (Missing Authentication for Critical Function)
Vulnerability Description
- The Bluetooth interface does not enforce authentication for pairing and control commands.
- An attacker within standard Bluetooth range (~30 ft / ~10 m) can connect without any PIN or user consent.
- Once connected, the attacker can:
  - Issue movement commands (move, stop, turn)
  - Override speed limits
  - Control configuration or profile settings
- No internet access or prior credentials are needed.
Impact
- Unauthorized remote control of physical mobility devices poses direct safety and injury risk to users, especially in public or healthcare settings.
- Physical harm potential makes this both a cybersecurity and patient safety issue.
Mitigations & Fixes
Vendor / Firmware Updates
WHILL issued mitigations (rolled out around Dec 29, 2025) that include:
- Preventing unauthorized changes to speed profiles
- Blocking unlock commands while the chair is moving
- Obfuscating mobile app configuration files to hinder tampering
Action: Ensure wheelchairs and companion mobile apps are updated to the latest vendor-provided versions immediately.
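To make the CWE-306 gap and the vendor's mitigations concrete, the following is an added example (not WHILL's firmware or app code) that models a chair-side command handler: the vulnerable form accepts any command from any connected central, while the hardened form requires an authenticated, encrypted link for control commands and refuses unlock while the chair is moving, mirroring the published mitigations. The command set, link-state fields and `Chair` object are hypothetical simplifications.

```python
from dataclasses import dataclass, field
from enum import Enum


class Cmd(Enum):
    GET_STATUS = "get_status"            # read-only, not safety-relevant
    MOVE = "move"
    STOP = "stop"
    SET_SPEED_PROFILE = "set_speed_profile"
    UNLOCK = "unlock"


# Every command that changes motion, limits or lock state is treated as critical.
CRITICAL = {Cmd.MOVE, Cmd.STOP, Cmd.SET_SPEED_PROFILE, Cmd.UNLOCK}


@dataclass
class Link:
    """Hypothetical view of one BLE connection's security state (assumption)."""
    authenticated: bool = False   # bonded via MITM-protected pairing (e.g. passkey)
    encrypted: bool = False       # link-layer encryption active


@dataclass
class Chair:
    moving: bool = False
    speed_profile: int = 1
    locked: bool = True
    log: list = field(default_factory=list)


def _apply(chair, cmd, arg):
    """Execute a command unconditionally (shared by both handlers)."""
    if cmd is Cmd.MOVE:
        chair.moving = True
    elif cmd is Cmd.STOP:
        chair.moving = False
    elif cmd is Cmd.SET_SPEED_PROFILE:
        chair.speed_profile = int(arg)
    elif cmd is Cmd.UNLOCK:
        chair.locked = False
    return True


def handle_vulnerable(chair, link, cmd, arg=None):
    """'Before' behaviour: any connected central may issue any command (CWE-306)."""
    return _apply(chair, cmd, arg)


def handle_hardened(chair, link, cmd, arg=None):
    """Mitigated behaviour: authentication gate plus a motion interlock on unlock."""
    if cmd in CRITICAL and not (link.authenticated and link.encrypted):
        chair.log.append(f"REJECT {cmd.value}: link not authenticated/encrypted")
        return False
    if cmd is Cmd.UNLOCK and chair.moving:
        chair.log.append("REJECT unlock: chair is moving")
        return False
    return _apply(chair, cmd, arg)
```

The `log` list is where a real implementation would surface rejected attempts for the pairing/access monitoring recommended below.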
Temporary Risk Reduction
- Disable Bluetooth when not actively used for pairing or configuration.
- Limit Bluetooth exposure in public or facility environments.
- Monitor for unexpected pairing events or unauthorized access attempts.
- Contact WHILL support for confirmation of fixed firmware versions and installation instructions.
Summary:
| Field | Details |
|---|---|
| CVE ID | CVE-2025-14346 |
| Products | WHILL Model C2 & Model F Chairs |
| Vulnerability Type | Unauthenticated Bluetooth control |
| Severity | Critical (CVSS 9.8) |
| Impact | Remote physical device control |
| Mitigation | Update firmware & disable Bluetooth when idle |
