Paubox blog

CISA warns of Bluetooth takeover risk in WHILL power wheelchairs

Written by Farah Amod | January 21, 2026

A serious vulnerability could allow nearby attackers to control certain WHILL mobility devices without user interaction.


What happened

The Cybersecurity and Infrastructure Security Agency issued an advisory warning that WHILL Model C2 electric wheelchairs and Model F power chairs contain a Bluetooth vulnerability that could allow unauthorized control of the devices. The flaw, tracked as CVE-2025-14346, was assigned a CVSS score of 9.8 and stems from missing authentication for integral functions. According to CISA, an attacker within Bluetooth range could exploit the weakness without user approval, potentially taking control of steering or movement.


Going deeper

The vulnerability was identified by researchers from QED Secure Solutions, who found that the affected wheelchairs accept Bluetooth commands without verifying the identity of the sender. Because Bluetooth typically operates within a range of roughly thirty feet, exploitation does not require physical access to the device or a network connection. This makes the issue especially concerning in healthcare facilities and public spaces where mobility devices may be used in shared environments. The flaw affects core control functions, meaning an attacker could interfere with movement, cause abrupt stops, or redirect the wheelchair’s path.


What was said

CISA stated that the lack of authentication for integral functions creates a serious safety risk for individuals who rely on powered mobility devices. The agency said it has not confirmed whether a software update or permanent fix is currently available from the manufacturer. Until mitigations are released, users are advised to limit Bluetooth usage when not required, and healthcare organizations are encouraged to review physical security controls in patient care areas. CISA noted that the issue was responsibly disclosed and published as part of its ongoing medical device security monitoring efforts.


The big picture

According to eSecurityPlanet, the issue reflects a broader shift playing out across healthcare technology as more medical and assistive devices come online. The publication notes that as these devices become more connected, they inherit many of the same security weaknesses long observed in traditional IT systems. Features like Bluetooth connectivity, cloud-linked mobile apps, and remote configuration expand the attack surface, often without equivalent investment in strong authentication, access controls, and misuse prevention.

The analysis stresses that the implications go beyond cybersecurity alone. As eSecurityPlanet puts it, “cybersecurity and patient safety are no longer separate concerns but deeply intertwined,” meaning weaknesses in connected devices can translate directly into physical risk for patients who rely on them.


FAQs

Why is this vulnerability considered especially serious?

It affects devices that control physical movement, meaning exploitation could result in injury or loss of mobility rather than just data exposure.


Does exploiting the flaw require technical expertise?

The advisory indicates that exploitation does not require advanced access, only proximity within Bluetooth range, which lowers the barrier for misuse.


Are healthcare facilities at higher risk?

Facilities where multiple devices are used in shared spaces may face greater exposure because unauthorized individuals could be within Bluetooth range.


Can users disable Bluetooth safely?

Users may limit Bluetooth connectivity when not using companion applications, but they should consult the manufacturer to avoid disrupting normal device operation.


What should organizations do while waiting for a fix?

They should inventory affected devices, restrict physical access where possible, and monitor manufacturer communications for updates or mitigation guidance.