Critical Flaw in WHILL Wheelchairs Allows Remote Hijacking via Bluetooth

CISA Warns of Critical Bluetooth Vulnerability (CVE-2025-14346) in WHILL Electric Wheelchairs

CRITICAL
December 26, 2025
4m read
Vulnerability, IoT Security, Industrial Control Systems

Related Entities

Organizations

  • CISA
  • WHILL Inc.
  • QED Secure Solutions

Products & Tech

  • WHILL Model C2 Electric Wheelchair
  • WHILL Model F Power Chair

CVE Identifiers

CVE-2025-14346
CRITICAL
CVSS:9.8

Full Report

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a medical advisory for a critical vulnerability, CVE-2025-14346, affecting electric wheelchairs manufactured by WHILL Inc. The flaw, rated CVSS v3 9.8 (Critical), allows a nearby, unauthenticated attacker to take control of affected wheelchairs over Bluetooth. This could result in unauthorized movement, speed manipulation, and other dangerous actions, posing a direct threat to the physical safety of the user. The vulnerability affects all versions of the WHILL Model C2 Electric Wheelchair and Model F Power Chair. The manufacturer has released mitigations, and there are currently no known public exploits.

Vulnerability Details

The root cause of CVE-2025-14346 is missing authentication for critical functions exposed over the device's Bluetooth interface. An attacker within Bluetooth range can discover and pair with a vulnerable wheelchair without credentials or user interaction. The commonly quoted range of roughly 10 meters (about 30 feet) describes ordinary phone-to-device use; with a high-gain or directional antenna an attacker can reach a device from considerably farther away, so physical proximity should not be treated as a hard security boundary. Once paired, the attacker can send commands that are normally restricted to the legitimate user or caregiver, including:

  • Initiating and controlling movement (forward, backward, turning).
  • Modifying the wheelchair's configuration profiles.
  • Overriding preset speed limits.

The vulnerability was discovered and reported by researchers at QED Secure Solutions.

Affected Systems

The following products are affected by this vulnerability:

  • WHILL Model C2 Electric Wheelchair (all versions)
  • WHILL Model F Power Chair (all versions)

These devices are used globally within the Healthcare and Public Health sectors.

Exploitation Status

As of the CISA advisory, there are no known instances of active exploitation or public proof-of-concept exploits for this vulnerability. However, the low complexity of the attack means that it could be easily weaponized.

Impact Assessment

The impact of this vulnerability is extremely severe due to the direct risk of physical harm. An attacker could cause a wheelchair to move unexpectedly into traffic, accelerate beyond a safe speed, or become unresponsive to the user's controls. In a hospital or care facility setting, this could be used to cause chaos or target specific individuals. The psychological impact on users, who rely on these devices for mobility and independence, is also significant, as it erodes trust in the safety and security of their assistive technology.

Cyber Observables for Detection

Type           Value                            Description
log_source     Bluetooth pairing logs           On a paired mobile device, review pairing and connection logs for unexpected or repeated pairing events involving the wheelchair.
behavioral     Unintended wheelchair movement   The most obvious indicator is the wheelchair moving or changing settings without user input.
device_name    WHILL Bluetooth device name      Attackers may scan for devices whose advertised names identify them as WHILL products; conversely, a rogue device may advertise a WHILL-like name to masquerade as a chair. (A Bluetooth device name is an advertised string, not a certificate subject.)

Detection Methods

  • Bluetooth Scanning: Security personnel at facilities using these devices could periodically use Bluetooth scanning applications to identify any unauthorized devices attempting to pair with or masquerade as WHILL wheelchairs.
  • Behavioral Monitoring: Caregivers and users should be trained to immediately report any instance of unintended or unresponsive behavior from the wheelchair, which should be treated as a potential security and safety incident.
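The scanning approach above can be turned into a repeatable check. The following is an added example (not code from the article, CISA or WHILL) that analyses a Bluetooth scan log against a facility inventory of known wheelchairs and raises the three alerts a security team would want: a WHILL-style name from an address that is not in inventory (possible impersonation), an inventoried chair advertising an unexpected name, and repeated pairing events for one address. The log lines are constructed in the style of `bluetoothctl` output, and the inventory, addresses and names are invented for the illustration.

```python
"""Bluetooth scan-log analyser for a facility that inventories WHILL wheelchairs.

This is an added example, not code from the original article, CISA, or WHILL.
The log lines are constructed in the style of `bluetoothctl` output
("[NEW] Device <addr> <name>" and "[CHG] Device <addr> <Property>: <value>");
the inventory, addresses and device names below are invented for illustration.
"""
import re
from collections import defaultdict

# Hypothetical facility inventory: wheelchair address -> expected advertised name.
INVENTORY = {
    "F4:12:FA:00:11:22": "WHILL-C2-0417",
    "F4:12:FA:00:33:44": "WHILL-F-0902",
}

# Anything advertising a WHILL-style name is either a real chair or a device
# trying to look like one.
WHILL_NAME = re.compile(r"\bWHILL\b", re.IGNORECASE)
NEW_DEVICE = re.compile(r"^\[NEW\] Device ([0-9A-F:]{17}) (.+)$")
PROP_CHANGE = re.compile(r"^\[CHG\] Device ([0-9A-F:]{17}) (\w+): (.+)$")

# Constructed sample log (not captured from a real device).
SAMPLE_LOG = """\
[NEW] Device F4:12:FA:00:11:22 WHILL-C2-0417
[NEW] Device 5C:AA:09:7E:10:01 Galaxy S24
[NEW] Device 00:1A:7D:DA:71:13 WHILL-C2-0417
[CHG] Device F4:12:FA:00:33:44 Name: WHILL-SETUP
[CHG] Device F4:12:FA:00:11:22 Paired: yes
[CHG] Device F4:12:FA:00:11:22 Paired: no
[CHG] Device F4:12:FA:00:11:22 Paired: yes
"""


def analyse(log_text, inventory=INVENTORY, pair_threshold=2):
    """Return sorted (rule, address, name) alerts for the given scan log.

    Rules:
      ROGUE_WHILL_NAME  - WHILL-style name from an address not in inventory
                          (possible impersonation of a chair, or an unknown chair)
      NAME_MISMATCH     - inventoried address advertising an unexpected name
      REPEATED_PAIRING  - "Paired: yes" seen >= pair_threshold times for one
                          address, the pairing-log observable listed above
    """
    names = {}                      # addr -> last advertised name
    pair_events = defaultdict(int)  # addr -> count of "Paired: yes"
    for line in log_text.splitlines():
        m = NEW_DEVICE.match(line)
        if m:
            names[m.group(1)] = m.group(2).strip()
            continue
        m = PROP_CHANGE.match(line)
        if not m:
            continue
        addr, prop, value = m.groups()
        if prop == "Name":
            names[addr] = value.strip()
        elif prop == "Paired" and value.strip() == "yes":
            pair_events[addr] += 1

    alerts = []
    for addr, name in names.items():
        if addr in inventory:
            if name != inventory[addr]:
                alerts.append(("NAME_MISMATCH", addr, name))
        elif WHILL_NAME.search(name):
            alerts.append(("ROGUE_WHILL_NAME", addr, name))
    for addr, count in pair_events.items():
        if count >= pair_threshold:
            alerts.append(("REPEATED_PAIRING", addr, names.get(addr, "?")))
    return sorted(alerts)


if __name__ == "__main__":
    for rule, addr, name in analyse(SAMPLE_LOG):
        print(f"{rule:18} {addr}  {name}")
```

Run against the constructed log it reports the impersonating device at 00:1A:7D:DA:71:13, the inventoried chair at F4:12:FA:00:33:44 advertising "WHILL-SETUP", and two pairing events for the chair at F4:12:FA:00:11:22. Address-based inventory matching is only a first filter: Bluetooth addresses can be spoofed, so an alert is a prompt to physically locate the device, not proof of an attack.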

Remediation Steps

WHILL Inc. has deployed several mitigations on December 29, 2025, to address the vulnerability. Users and administrators should ensure these updates are applied:

  1. Firmware Update: Apply the updated firmware, which introduces a safeguard to prevent unauthorized modification of speed profiles.
  2. Mobile Application Update: Update the companion mobile application. The new version obfuscates configuration files and blocks unlock commands while the wheelchair is in motion. Obfuscation raises the effort needed to tamper with the configuration but is not an authentication control; the motion interlock is the safety-relevant part of this change.
  3. User Awareness: Users should be advised to be cautious of their surroundings and to power off their wheelchair when not in use for extended periods to reduce the window of opportunity for an attacker.
  4. Physical Proximity: As the attack requires close physical proximity, maintaining awareness in public or crowded areas is a practical, though not technical, mitigation.

CISA recommends users follow the guidance provided by WHILL and contact the manufacturer for specific update instructions.

Timeline of Events

  1. December 26, 2025: This article was published.
  2. December 29, 2025: WHILL Inc. deployed mitigations for the vulnerability.
  3. December 30, 2025: CISA published its medical advisory on CVE-2025-14346.

MITRE ATT&CK Mitigations

  • Update Software (M1051): Apply the firmware and mobile application updates provided by the manufacturer to implement the necessary security safeguards.
  • User Training (M1017): Educate users on the risks and advise them on safe operating practices, such as powering off the device when not in use.

Mapped D3FEND Techniques:

The core issue is a lack of authentication. The fix involves implementing a form of authentication or verification before accepting critical commands.

D3FEND Defensive Countermeasures

The only effective technical countermeasure for CVE-2025-14346 is to apply the software updates developed by WHILL Inc. This is not just a recommendation; it is a critical safety requirement. Users, caregivers, and healthcare facility administrators must ensure that both the wheelchair's firmware and the associated mobile application are updated to the latest versions. The firmware update reportedly adds a safeguard against unauthorized speed-profile changes, while the application update hardens the configuration and blocks unlock commands during motion. As described, these layers constrain what an unauthenticated command can do rather than adding an authentication step to the Bluetooth interface itself, so administrators should confirm with WHILL that the versions in use include the safeguards and treat the vendor's guidance as authoritative. All other measures are procedural workarounds; patching is the required baseline.

The vulnerability in the WHILL wheelchairs is a textbook case where Application Configuration Hardening (D3-ACH) is required. The flaw exists because the Bluetooth service on the device accepted critical commands without authentication. The remediation provided by WHILL, which includes blocking unlock commands during motion and obfuscating configuration files, is a form of hardening. In general, for IoT and medical devices, every communication channel, and wireless ones like Bluetooth in particular, must require authentication and encryption for any function that can affect the device's state or safety. This should be a secure-by-default principle applied at design time, so that such vulnerabilities never reach production.
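To make the design point concrete, here is an added example showing the flaw class (a command handler that executes state-affecting commands from any connected central) beside a hardened handler that authenticates before acting, bounds the speed profile in firmware, and refuses UNLOCK while the chair is moving. This is not WHILL's firmware, app, or Bluetooth protocol: the command names, the pre-shared pairing key, the HMAC challenge-response, and the 6 km/h ceiling are assumptions chosen for the illustration.

```python
"""Missing authentication for a critical function (the CVE-2025-14346 flaw class)
shown beside a hardened command handler.

Added example; this is NOT WHILL's firmware, app, or Bluetooth protocol. The
command names, the pre-shared pairing key, the challenge-response scheme and
the 6 km/h ceiling are assumptions chosen to illustrate the design points:
authenticate before acting, bound the speed profile, refuse UNLOCK while moving.
"""
import hashlib
import hmac
import secrets

MAX_SPEED_KMH = 6  # assumed hard ceiling enforced in firmware, not by the app


class InsecureController:
    """The flaw pattern: any connected central may issue any command."""

    def __init__(self):
        self.speed_limit = 4
        self.locked = True
        self.moving = False

    def handle(self, cmd, arg=None):
        if cmd == "SET_SPEED_LIMIT":
            self.speed_limit = arg  # no authentication, no bounds check
        elif cmd == "UNLOCK":
            self.locked = False     # no authentication, no motion interlock
        elif cmd == "MOVE":
            self.moving = not self.locked
        elif cmd == "STOP":
            self.moving = False
        return True


class HardenedController:
    """Every command needs a fresh challenge-response bound to the pairing key;
    speed is capped; UNLOCK is refused while in motion."""

    def __init__(self, pairing_key: bytes):
        self._key = pairing_key
        self._challenge = None
        self.authenticated = False
        self.speed_limit = 4
        self.locked = True
        self.moving = False

    def new_challenge(self) -> bytes:
        """Issue a single-use random challenge; any earlier session is dropped."""
        self._challenge = secrets.token_bytes(16)
        self.authenticated = False
        return self._challenge

    def authenticate(self, response: bytes) -> bool:
        if self._challenge is None:
            return False
        expected = hmac.new(self._key, self._challenge, hashlib.sha256).digest()
        self.authenticated = hmac.compare_digest(expected, response)
        self._challenge = None  # a response cannot be replayed
        return self.authenticated

    def handle(self, cmd, arg=None) -> bool:
        """Return True if the command was executed, False if it was refused."""
        if not self.authenticated:
            return False  # the missing check: nothing changes without a session
        if cmd == "SET_SPEED_LIMIT":
            if not isinstance(arg, int) or not 0 < arg <= MAX_SPEED_KMH:
                return False  # firmware-side safeguard on the speed profile
            self.speed_limit = arg
        elif cmd == "UNLOCK":
            if self.moving:
                return False  # motion interlock
            self.locked = False
        elif cmd == "MOVE":
            if self.locked:
                return False
            self.moving = True
        elif cmd == "STOP":
            self.moving = False
        else:
            return False  # unknown command: refuse rather than ignore
        return True


def client_response(pairing_key: bytes, challenge: bytes) -> bytes:
    """What the legitimate app computes; a nearby attacker without the key cannot."""
    return hmac.new(pairing_key, challenge, hashlib.sha256).digest()


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # would be provisioned out of band at pairing
    chair = HardenedController(key)
    print("unauthenticated UNLOCK accepted:", chair.handle("UNLOCK"))
    chair.authenticate(client_response(key, chair.new_challenge()))
    print("authenticated UNLOCK accepted:", chair.handle("UNLOCK"))
```

The application-layer check is deliberately independent of the radio: on a real device it would sit on top of Bluetooth LE Secure Connections pairing with link encryption, and the pairing key would be provisioned out of band (for example during a supervised first setup) rather than sent over the air. The single-use challenge is what stops a captured response from being replayed by a second attacker-controlled central.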


Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

CVE-2025-14346, WHILL, Wheelchair, Bluetooth, IoT, Medical Device Security, CISA
