CVE-2025-14346 PUBLISHED

Assigner: icscert
Reserved: 09.12.2025
Published: 05.01.2026
Updated: 05.01.2026

WHILL Model C2 Electric Wheelchairs and Model F Power Chairs do not enforce authentication for Bluetooth connections. An attacker within range can pair with the device and issue movement commands, override speed restrictions, and manipulate configuration profiles without any credentials or user interaction.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Product Status

Vendor: WHILL
Product: Model C2 Electric Wheelchair
Versions (default: unaffected):
  • Version all is affected

Vendor: WHILL
Product: Model F Power Chair
Versions (default: unaffected):
  • Version all is affected

Workarounds

WHILL has deployed the following fixes on December 29th, 2025:

  • Device-Side Speed Profile Protection: implemented a safeguard in the wheelchair firmware to prevent unauthorized modification of speed profiles from the mobile application.
  • Unlock Command Restriction During Motion: block unlock commands issued from either the mobile app or the smart key while the wheelchair is in motion.
  • Application JSON File Obfuscation: obfuscate the configuration files used by the mobile application by converting JSON files into a binary format on both Android and iOS platforms.

Credits

  • Billy Rios of the Exploit Development Team, QED Secure Solutions (finder)
  • Jesse Young of the Exploit Development Team, QED Secure Solutions (finder)
  • Brandon Rothel of the Exploit Development Team, QED Secure Solutions (finder)
  • Jonathan Butts of the Exploit Development Team, QED Secure Solutions (finder)
  • Henri Hein of the Exploit Development Team, QED Secure Solutions (finder)
  • Justin Boling of the Exploit Development Team, QED Secure Solutions (finder)
  • Nick Kulesza of the Exploit Development Team, QED Secure Solutions (finder)
  • Ken Natividad of the Exploit Development Team, QED Secure Solutions (finder)
  • Carl Schuett of the Exploit Development Team, QED Secure Solutions (finder)

References

Problem Types

  • CWE-306: Missing Authentication for Critical Function