CISA Warns of WHILL Model C2 Wheelchair Vulnerability That Lets Attackers Take Control of Product

A critical security advisory warned of severe vulnerabilities in WHILL electric wheelchairs that could allow attackers to remotely hijack the devices via Bluetooth.

The alert affects two popular models used worldwide: the WHILL Model C2 Electric Wheelchair and Model F Power Chair, both manufactured by Japan-based WHILL Inc.

Security researchers from QED Secure Solutions discovered a dangerous flaw, tracked as CVE-2025-14346, with a maximum CVSS score of 9.8 out of 10, classifying it as critical severity.

The vulnerability stems from missing authentication for critical functions, enabling any attacker within Bluetooth range to seize complete control over the wheelchair without requiring authorization or physical access to the device.

| CVE ID | Affected Products | CVSS Score | Vulnerability Type | Impact |
|---|---|---|---|---|
| CVE-2025-14346 | WHILL Model C2 Electric Wheelchair, WHILL Model F Power Chair | 9.8 (Critical) | Missing Authentication for Critical Function | Remote control takeover via Bluetooth |

The vulnerability poses significant risks to users in healthcare facilities and public spaces, as successful exploitation could allow malicious actors to manipulate wheelchair movements, potentially causing physical harm to users or bystanders.

The affected products are deployed worldwide across the Healthcare and Public Health critical infrastructure sector.

CISA urges organizations and users to implement immediate defensive measures to mitigate exploitation risks.

Key recommendations include minimizing network exposure by ensuring devices are not accessible from the internet, isolating control systems behind firewalls, and using secure Virtual Private Networks (VPNs) when remote access is necessary.

Users should contact WHILL Inc. directly for specific mitigation guidance and potential firmware updates.

Organizations must perform thorough impact analysis and risk assessments before deploying protective measures.

CISA emphasized that no known public exploitation has been reported yet, but the critical severity warrants immediate attention.
