CISA Warns of WHILL Model C2 Wheelchair Vulnerabilities Allowing Remote Control

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about a critical security weakness in WHILL Model C2 electric wheelchairs and WHILL Model F power chairs.

The flaw could allow a nearby attacker to take control of key Bluetooth functions, raising serious safety concerns for users in homes and healthcare facilities.

WHILL is a Japan-based mobility device maker whose products are used in the healthcare and public health sector, as well as by individual consumers worldwide.

The issue is tracked as CVE-2025-14346 and has a CVSS v3 score of 9.8, which is considered critical.

Security researchers from QED Secure Solutions found that the affected mobility devices do not enforce proper authentication for critical functions.

In simple terms, the wheelchair may accept specific control actions without verifying that the request originates from an authorized user or a trusted device.

Because the weakness is in Bluetooth communication, an attacker does not need internet access, stolen passwords, or physical access to the chair.

How an attacker could exploit it

CISA warns that an attacker within Bluetooth range (about 30 feet) could exploit the flaw without user interaction or authorization.

This wireless attack path differs from many medical device vulnerabilities, which often require access to an internal network or hands-on tampering.

If abused, the vulnerability could enable disruptive actions, such as unexpected movement changes, sudden stops, or unwanted direction changes, which can be dangerous for people with limited mobility.

Field	Details
CVE	CVE-2025-14346
Severity	CVSS v3 9.8 (Critical)
Affected products	WHILL Model C2 Electric Wheelchair, WHILL Model F Power Chair
Type	Missing Authentication for Critical Function
Attack vector	Bluetooth, short-range (around 30 feet)

CISA published the advisory ICSMA-25-364-01 on December 30, 2025. At the time of the alert, CISA had not confirmed whether WHILL had released a patch or official mitigations.

Users should contact WHILL for guidance and updates, and limit Bluetooth connectivity when companion apps are not needed.

Healthcare facilities are advised to review where these chairs are deployed and implement practical protections, such as restricting unauthorized access near patient areas, to reduce the risk of close-range Bluetooth attacks.

Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyber Press as a Preferred Source in Google.

The post CISA Warns of WHILL Model C2 Wheelchair Vulnerabilities Allowing Remote Control appeared first on Cyber Security News.