CVE-2025-14346: CWE-306 Missing Authentication for Critical Function in WHILL Model C2 Electric Wheelchair
CVE-2025-14346 is a critical vulnerability affecting WHILL Model C2 Electric Wheelchairs and Model F Power Chairs, where Bluetooth connections lack authentication. An attacker within Bluetooth range can pair with the device without credentials or user interaction, allowing full control over movement commands, speed settings, and configuration profiles. This vulnerability poses severe risks to user safety and privacy. The CVSS score is 9.8, reflecting high impact on confidentiality, integrity, and availability. No patches are currently available, and no exploits have been observed in the wild yet. European organizations involved in healthcare, rehabilitation centers, and mobility services using these devices are at risk. Mitigation requires disabling Bluetooth when not in use, physical security controls, and close coordination with the vendor for firmware updates. Countries with higher adoption of assistive mobility devices and strong healthcare infrastructure, such as Germany, France, the UK, and the Netherlands, are likely most affected. Immediate attention is critical to prevent potential harm to vulnerable users.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-14346 affects all versions of the WHILL Model C2 Electric Wheelchair and Model F Power Chairs. The core issue is the absence of authentication enforcement for Bluetooth connections, categorized under CWE-306 (Missing Authentication for Critical Function). This means that any attacker within Bluetooth range can pair with the wheelchair without needing credentials or user interaction. Once paired, the attacker can issue arbitrary movement commands, override speed restrictions, and manipulate configuration profiles. This lack of authentication severely compromises the integrity and availability of the device's control functions and threatens user safety. The CVSS 3.1 score of 9.8 indicates a critical severity with network attack vector, no required privileges, no user interaction, and full impact on confidentiality, integrity, and availability. The vulnerability was reserved in December 2025 and published in January 2026. No patches or firmware updates have been released yet, and no known exploits are reported in the wild. The vulnerability is particularly dangerous because it targets medical assistive devices used by vulnerable populations, potentially leading to physical harm or loss of mobility. The Bluetooth protocol's inherent short-range nature limits the attack surface but does not eliminate risk in crowded or public environments. The lack of authentication is a fundamental design flaw that requires urgent remediation by the vendor.
Potential Impact
For European organizations, especially healthcare providers, rehabilitation centers, and assisted living facilities using WHILL electric wheelchairs, this vulnerability poses a significant safety risk. Attackers could remotely control wheelchairs, causing physical harm to users or disrupting mobility services. The confidentiality of user data stored or transmitted via the device could also be compromised. The integrity of device settings can be manipulated, potentially disabling safety features like speed limits. Availability is at risk as attackers could render devices unusable or cause erratic behavior. This could lead to liability issues, reputational damage, and regulatory scrutiny under EU medical device and data protection regulations (e.g., MDR, GDPR). The vulnerability also raises concerns about the security of IoT and medical devices in Europe, emphasizing the need for stricter security standards. The lack of patches means organizations must rely on interim mitigations, increasing operational complexity. The threat is heightened in densely populated urban areas and healthcare institutions with many such devices in use.
Mitigation Recommendations
Immediate mitigation steps include disabling Bluetooth connectivity on the affected wheelchairs when not in use to reduce the attack surface. Physical security controls should be enhanced to prevent unauthorized proximity to devices, such as secure storage when not in use. Organizations should implement strict access controls and monitoring around wheelchair usage areas. Vendor engagement is critical; organizations must demand prompt firmware updates or patches that enforce proper authentication for Bluetooth connections. Until patches are available, consider deploying Bluetooth signal jamming or shielding solutions in sensitive environments, where legally permissible. Training staff and users to recognize suspicious device behavior and report anomalies is essential. Incident response plans should be updated to include scenarios involving compromised mobility devices. Procurement policies should be reviewed to prioritize devices with robust security features. Finally, collaboration with regulatory bodies to expedite vulnerability disclosure and remediation is recommended.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2025-12-09T14:54:28.374Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695bde83b7d620313938fa7a
Added to database: 1/5/2026, 3:53:39 PM
Last enriched: 1/12/2026, 9:39:18 PM
Last updated: 2/7/2026, 12:15:54 AM