CVE-2025-14346

Severity: CRITICAL, 9.8 (CVSS 3.1)
Published: 2026-01-05

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 21:54 (vuln.today)
CVE Published: Jan 05, 2026 - 16:15 (nvd)

Description (NVD)

WHILL Model C2 Electric Wheelchairs and Model F Power Chairs do not enforce authentication for Bluetooth connections. An attacker within range can pair with the device and issue movement commands, override speed restrictions, and manipulate configuration profiles without any credentials or user interaction.

Analysis (AI)

WHILL Model C2 electric wheelchairs and Model F power chairs accept Bluetooth connections without authentication. An attacker within Bluetooth range can pair with the device and issue movement commands, override speed restrictions, and change configuration – creating a direct physical safety hazard for the user.

Technical Context (AI)

The Bluetooth interface lacks any authentication mechanism (CWE-306). An attacker within radio range (~10-100m depending on Bluetooth class) can pair with the wheelchair and send commands as if they were the legitimate user. This includes movement control, speed limit overrides, and profile manipulation.

Affected Products (AI)

WHILL Model C2 Electric Wheelchairs, WHILL Model F Power Chairs

Remediation (AI)

No patch is available. Users should disable Bluetooth when it is not needed. WHILL should implement Bluetooth authentication in firmware updates. Consider using the devices only in low-risk environments.
