CVE-2025-14346
Published: 05 January 2026
Description
WHILL Model C2 Electric Wheelchairs and Model F Power Chairs do not enforce authentication for Bluetooth connections. An attacker within range can pair with the device and issue movement commands, override speed restrictions, and manipulate configuration profiles without any credentials…
more
or user interaction.
Mitigating Controls (NIST 800-53 r5)AI
AC-18 mandates authentication and encryption for wireless access, directly preventing unauthorized Bluetooth pairing and command issuance in this CVE.
IA-3 requires identification and authentication of connecting devices, blocking unauthenticated Bluetooth pairing exploited by nearby attackers.
SC-40 enforces cryptographic mechanisms to protect wireless links, providing secondary mitigation against unauthorized access and manipulation over Bluetooth.
Security SummaryAI
CVE-2025-14346 is a missing authentication vulnerability (CWE-306) in the Bluetooth connections of WHILL Model C2 Electric Wheelchairs and Model F Power Chairs. These medical devices fail to enforce authentication, enabling unauthorized access over Bluetooth without requiring credentials.
An attacker within Bluetooth range can exploit this vulnerability with low complexity and no privileges or user interaction needed. Successful exploitation allows pairing with the device to issue movement commands, override speed restrictions, and manipulate configuration profiles, potentially leading to high confidentiality, integrity, and availability impacts as indicated by the CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The CISA ICS Medical Advisory ICSMA-25-364-01 provides details on mitigation strategies and is available at https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-364-01.
Details
- CWE(s)