Vulnerabilities | January 4, 2026 | 4 min read

CISA Warns of Critical WHILL Wheelchair Bluetooth Flaw

CVE-2025-14346 allows attackers within Bluetooth range to fully control electric wheelchairs without authentication, earning a CVSS 9.8 severity score.

Marcus Chen

CISA issued an advisory this week warning of a critical vulnerability in WHILL electric wheelchairs that could allow attackers to seize complete control of the devices via Bluetooth. The flaw affects the Model C2 Electric Wheelchair and Model F Power Chair, with no authentication required to exploit it.

The Vulnerability

CVE-2025-14346 stems from missing authentication for critical functions in the wheelchair's Bluetooth interface. Any attacker within Bluetooth range—typically 10 to 30 meters depending on environmental factors—can connect to the wheelchair and issue commands without any form of authorization or physical access.

The vulnerability has been assigned a CVSS score of 9.8 out of 10, classifying it as critical severity. This score reflects the ease of exploitation and the potential for physical harm. Unlike most critical vulnerabilities we cover involving server infrastructure or software flaws, this one has direct physical safety implications.

What Can Attackers Do?

According to the CISA advisory, successful exploitation grants complete control over wheelchair movement and speed. An attacker could:

  1. Start or stop the wheelchair without user input
  2. Change direction while the chair is in motion
  3. Modify speed settings beyond safe limits
  4. Override user controls entirely

The attack requires only proximity—no credentials, no pairing authorization, no prior access to the device. This makes it trivially exploitable in the public spaces that wheelchair users frequent.

Affected Products

The vulnerability affects:

  • WHILL Model C2 - A popular consumer mobility device marketed for indoor and outdoor use
  • WHILL Model F - A foldable power chair designed for travel

WHILL has not disclosed how many devices are currently deployed, but the company operates in North America, Europe, and Asia with significant market presence in the mobility aid sector.

Why This Matters

Medical device security has become a growing concern as manufacturers rush to add connected features without implementing adequate security controls. The CISA advisory on BRICKSTORM backdoors released last month highlighted the agency's increased focus on critical infrastructure threats—medical devices fall squarely into that category.

This isn't the first time connected mobility devices have raised security alarms. In 2018, researchers demonstrated remote exploitation of insulin pumps, leading to FDA recalls. The difference here is the directness of the attack vector: Bluetooth range, zero authentication, full control.

The vulnerability also highlights a broader pattern in IoT security. Manufacturers continue to implement wireless connectivity without basic protections like device authentication or encrypted command channels. When the device in question can move at speeds capable of causing injury, this negligence becomes a safety issue rather than merely a security one.
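To make the bug class concrete, the following is an added illustration (not WHILL's firmware, not from the CISA advisory, and not tied to the real Model C2/Model F protocol): a small model of a Bluetooth LE command handler in the CWE-306 "missing authentication for critical function" shape, beside a gated version. The command names, the `Link` security model and the speed limit are assumptions constructed for the example. The vulnerable handler executes any command from any connected peer, which is the property the advisory describes; the hardened one answers read-only queries to anyone but only executes motion commands over an authenticated, bonded link (a "Just Works" pairing yields an encrypted link with no MITM protection, so encryption alone is not enough), and independently clamps speed to a safety limit so that a compromised or buggy app cannot exceed it.

```python
"""Model of a BLE command handler with and without authentication gating.

Hypothetical code constructed for illustration; it is not WHILL firmware
and does not reflect the real wheelchair protocol.
"""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional, Tuple


class LinkSecurity(Enum):
    """Security level of the connected BLE link (assumed model)."""
    NONE = auto()           # connected but unpaired: anyone in radio range
    ENCRYPTED = auto()      # encrypted via "Just Works": no MITM protection
    AUTHENTICATED = auto()  # LE Secure Connections with authenticated pairing


@dataclass(frozen=True)
class Link:
    security: LinkSecurity
    bonded: bool  # long-term key stored from a prior authorised pairing


# Assumed command names; the real protocol is not described on the page.
CRITICAL_COMMANDS = {"START", "STOP", "SET_SPEED", "SET_DIRECTION", "OVERRIDE"}
INFO_COMMANDS = {"GET_BATTERY", "GET_FIRMWARE_VERSION"}
SAFE_MAX_SPEED_KMH = 6.0  # constructed safety limit for the model


def handle_vulnerable(link: Link, cmd: str,
                      arg: Optional[float] = None) -> Tuple[bool, str]:
    """CWE-306 shape: the link state is never inspected, so an unpaired
    peer can drive the chair exactly as the owner's app would."""
    if cmd in CRITICAL_COMMANDS or cmd in INFO_COMMANDS:
        return True, f"executed {cmd}"
    return False, "unknown command"


def handle_hardened(link: Link, cmd: str,
                    arg: Optional[float] = None) -> Tuple[bool, str]:
    """Gated handler: read-only queries are open, motion commands require an
    authenticated bonded link, and speed is clamped regardless of caller."""
    if cmd not in CRITICAL_COMMANDS and cmd not in INFO_COMMANDS:
        return False, "unknown command"
    if cmd in INFO_COMMANDS:
        return True, f"executed {cmd}"
    # Critical function: require authenticated pairing, not just encryption.
    if link.security is not LinkSecurity.AUTHENTICATED or not link.bonded:
        return False, f"rejected {cmd}: link not authenticated"
    if cmd == "SET_SPEED":
        if arg is None or arg < 0:
            return False, "rejected SET_SPEED: invalid argument"
        if arg > SAFE_MAX_SPEED_KMH:
            return False, f"rejected SET_SPEED: {arg} exceeds safe limit"
    return True, f"executed {cmd}"


if __name__ == "__main__":
    # Constructed scenario: an unpaired peer in range sends a motion command.
    stranger = Link(LinkSecurity.NONE, bonded=False)
    owner = Link(LinkSecurity.AUTHENTICATED, bonded=True)
    for name, handler in (("vulnerable", handle_vulnerable),
                          ("hardened", handle_hardened)):
        print(name, "stranger SET_SPEED:", handler(stranger, "SET_SPEED", 12.0))
        print(name, "owner SET_SPEED 4.0:", handler(owner, "SET_SPEED", 4.0))
```

The two handlers differ only in the checks placed before the critical branch; the point is that the decision has to be made in the device, on link state the radio stack reports, rather than assumed from the fact that a phone app was the only client the designers imagined.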

The growing concern over connected device security has driven significant investment—ServiceNow's $7.75 billion acquisition of Armis reflects the industry's recognition that IoT and medical device security requires specialized capabilities beyond traditional endpoint protection.

Mitigation Steps

WHILL has released firmware updates to address the vulnerability. Users should:

  1. Check firmware version through the WHILL mobile app
  2. Apply available updates immediately
  3. Disable Bluetooth when not actively using connected features
  4. Avoid updating in public spaces where an attacker could intercept the process

Organizations managing WHILL devices in healthcare settings should coordinate with their medical device security teams to ensure updates are deployed across all units. Given the ease of exploitation, leaving devices unpatched creates unacceptable risk.

For more guidance on medical device security practices, see our online safety tips guide.

The Bigger Picture

CISA's advisory on a consumer mobility device signals the agency is broadening its scope beyond traditional IT infrastructure. The Known Exploited Vulnerabilities Catalog, which typically tracks actively exploited software flaws, now includes entries with remediation deadlines extending into January 2026 for various device categories.

This represents a shift in how we think about vulnerability management. When the vulnerable "system" is a wheelchair someone depends on for mobility, patching becomes a logistical challenge. Users may not have the technical awareness to check for updates. Healthcare facilities may lack processes for medical device firmware management.

The CVSS 9.8 score is warranted. A vulnerability that requires no authentication, works at range, and provides full device control would score similarly on a server—and servers don't move at 6 mph carrying their operators.
