CISA Issues Warning on WHILL Model C2 Wheelchair Takeover Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about a severe security flaw in WHILL Model C2 electric wheelchairs and Model F power chairs that could allow attackers to hijack the devices via Bluetooth.

The vulnerability, tracked as CVE-2025-14346, carries a CVSS v3 score of 9.8, indicating critical severity.

Security researchers from QED Secure Solutions discovered that the WHILL mobility devices lack proper authentication mechanisms for critical functions.

An attacker within Bluetooth range can exploit this weakness to seize control of the wheelchair without any user interaction or authorisation.

| CVE ID | CVSS v3 | Affected Products | Vulnerability Type |
|---|---|---|---|
| CVE-2025-14346 | 9.8 | WHILL Model C2 Electric Wheelchair, WHILL Model F Power Chair | Missing Authentication for Critical Function |

The affected products are widely deployed in healthcare facilities and by individual users worldwide, potentially putting vulnerable individuals at immediate risk.

The vulnerability stems from the lack of authentication for critical functions in the wheelchair’s control system.

Unlike typical medical device vulnerabilities that require network access or physical tampering, this flaw can be exploited wirelessly from approximately 30 feet away, the standard Bluetooth connection range.

This creates a unique threat vector that malicious actors could exploit to disrupt mobility, cause sudden stops, or redirect the chair’s movement.

Vulnerability Details

WHILL Inc., a Japan-based mobility device manufacturer, produces these wheelchairs for the healthcare and public health sector.

The Model C2 and Model F chairs are designed for both indoor and outdoor use, featuring advanced maneuverability and innovative controls that are now revealed to have significant security gaps.

The research team from QED Secure Solutions, including Billy Rios, Jesse Young, Brandon Rothel, Jonathan Butts, Henri Hein, Justin Boling, Nick Kulesza, Ken Natividad, and Carl Schuett, responsibly disclosed the vulnerability to CISA.

Their findings highlight the growing security challenges in Internet of Medical Things (IoMT) devices that prioritize convenience and connectivity over robust security controls.

CISA has not yet confirmed whether WHILL has developed patches or mitigations for CVE-2025-14346.

Users of affected wheelchairs should contact WHILL directly for security updates and consider limiting Bluetooth connectivity when not actively using companion applications.

Healthcare facilities should assess their deployments and implement additional physical security measures to prevent unauthorized Bluetooth access near patient areas.

The advisory (ICSMA-25-364-01) was published on December 30, 2025, as part of CISA’s ongoing efforts to secure industrial control systems and medical devices against emerging threats.
