CVE-2025-14346
Bluetooth Authentication Bypass in WHILL Electric Wheelchairs Enables Remote Control
Publication date: 2026-01-05
Last updated on: 2026-01-05
Assigner: ICS-CERT
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| whill | model_c2 | * |
| whill | model_f | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in WHILL Model C2 Electric Wheelchairs and Model F Power Chairs, which do not require authentication for Bluetooth connections. This means an attacker within Bluetooth range can connect to the device without credentials or user interaction and control it by issuing movement commands, overriding speed limits, and changing configuration profiles.
How can this vulnerability impact me?
This vulnerability can allow an attacker to take unauthorized control of the wheelchair or power chair, potentially causing unsafe movements, overriding safety speed restrictions, and altering device settings. This could lead to physical harm to the user or others, loss of device functionality, and safety risks.