PatchSiren cyber security CVE debrief
CVE-2025-14346 WHILL Inc. CVE debrief
CVE-2025-14346 is a critical Bluetooth authentication issue affecting WHILL Model C2 electric wheelchairs and Model F power chairs. CISA says a nearby attacker can pair with the device and issue movement commands, override speed restrictions, and change configuration profiles without credentials or user interaction.
- Vendor: WHILL Inc.
- Product: Model C2 Electric Wheelchair
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-12-30
- Original CVE updated: 2026-03-24
- Advisory published: 2025-12-30
- Advisory updated: 2026-03-24
Who should care
WHILL owners and operators, caregivers, clinics, assisted living and rehabilitation facilities, biomedical/clinical engineering teams, and IT/security staff responsible for mobility-device fleets.
Technical summary
The advisory states that the affected WHILL devices do not enforce authentication for Bluetooth connections. As published by CISA, an attacker within range can pair with the device and then issue movement commands, override speed restrictions, and manipulate configuration profiles without needing credentials or user interaction. WHILL’s listed mitigations are HMI v2.24 for Model C2 and HMI v2.25 for Model F, each described as disabling the BLE interface after installation. The advisory was initially published on 2025-12-30 and Update A on 2026-03-24 revised the mitigation section.
Defensive priority
Urgent. This issue can directly affect movement control on a safety-critical device, so affected deployments should be checked and remediated quickly.
Recommended defensive actions
- Inventory any WHILL Model C2 Electric Wheelchairs and Model F Power Chairs in scope.
- Apply WHILL HMI v2.24 to Model C2 devices and HMI v2.25 to Model F devices.
- Verify that the BLE interface is disabled after installation, as described by WHILL.
- Coordinate with WHILL support if you cannot confirm firmware status or need deployment guidance.
- Use CISA ICS recommended practices to support access control, device inventory, and monitoring around affected equipment.
Evidence notes
Primary evidence comes from the CISA CSAF advisory (ICSMA-25-364-01) published 2025-12-30 and updated 2026-03-24. The advisory description states that the devices do not enforce Bluetooth authentication and that a nearby attacker can pair and issue movement commands, override speed restrictions, and manipulate configuration profiles. The remediation section lists WHILL firmware HMI v2.24 for Model C2 and HMI v2.25 for Model F, both noted as disabling the BLE interface after installation.
Official resources
- CVE-2025-14346 CVE record (CVE.org)
- CVE-2025-14346 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference
CISA published the initial advisory on 2025-12-30. Update A was published on 2026-03-24 and revised the mitigation section; use the CVE publication date as the issue date.