
Description

WHILL Model C2 Electric Wheelchairs and Model F Power Chairs do not enforce authentication for Bluetooth connections. An attacker within range can pair with the device and issue movement commands, override speed restrictions, and manipulate configuration profiles without any credentials or user interaction.

PUBLISHED Reserved 2025-12-09 | Published 2026-01-05 | Updated 2026-01-05 | Assigner icscert




CRITICAL: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CRITICAL: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-306 Missing Authentication for Critical Function

Product status

Default status
unaffected

all
affected

Default status
unaffected

all
affected

Credits

Billy Rios of the Exploit Development Team - QED Secure Solutions (finder)

Jesse Young of the Exploit Development Team - QED Secure Solutions (finder)

Brandon Rothel of the Exploit Development Team - QED Secure Solutions (finder)

Jonathan Butts of the Exploit Development Team - QED Secure Solutions (finder)

Henri Hein of the Exploit Development Team - QED Secure Solutions (finder)

Justin Boling of the Exploit Development Team - QED Secure Solutions (finder)

Nick Kulesza of the Exploit Development Team - QED Secure Solutions (finder)

Ken Natividad of the Exploit Development Team - QED Secure Solutions (finder)

Carl Schuett of the Exploit Development Team - QED Secure Solutions (finder)

References

www.cisa.gov/...vents/ics-medical-advisories/icsma-25-364-01 government-resource

cve.org (CVE-2025-14346)

nvd.nist.gov (CVE-2025-14346)
