Critical Vulnerability Allows Bluetooth Takeover of WHILL Electric Wheelchairs
A critical vulnerability has been identified in certain models of WHILL electric wheelchairs that could be exploited by an attacker within Bluetooth range to gain control of the wheelchairs, thereby putting the wheelchair user’s health and safety at risk. WHILL is a Japanese manufacturer of electric wheelchairs and power chairs, which are issued by healthcare providers and purchased directly by consumers.
The vulnerability is tracked as CVE-2025-14346 and is due to missing authentication for Bluetooth connections. An attacker within Bluetooth range (up to approximately 30 feet) could pair their device with a vulnerable wheelchair and issue movement commands, change configuration profiles, and override speed controls without authentication or user interaction. The vulnerability was identified by security researchers at QED Secure Solutions, who reported the vulnerability to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
The vulnerability affects all versions of WHILL Model C2 Electric Wheelchairs and Model F Power Chairs, and has been assigned a CVSS v 3.1 base score of 9.8 out of 10. WHILL deployed mitigations on December 29, 2025.
These measures include:
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
- Device-side speed profile protection
- Firmware update to prevent unauthorized modification of speed profiles from the mobile application
- Unlock command restriction during motion
- Blocking of unlock commands issued from the mobile app or smart key while the wheelchair is in motion
- Application JSON obfuscation
- Obfuscation of the configuration files used by the mobile application by converting JSON files into a binary format on the Android and iOS platforms.
Users should contact WHILL customer support for further information.
