Full Report
Security researchers have demonstrated a critical vulnerability in high-tech electric wheelchairs that allows for unauthorized remote control, highlighting new safety risks for connected mobility devices. On December 30, the US cybersecurity agency CISA published an advisory to inform the public about a serious vulnerability discovered by researchers in electric wheelchairs made by WHILL, a Japan-based…
Analysis Summary
# Vulnerability: Critical Remote Control Flaw in WHILL Electric Wheelchairs
## CVE Details
- CVE ID: CVE-2025-14346
- CVSS Score: N/A (Critical Severity Rating stated, specific score not provided in text)
- CWE: Missing Authentication (Inferred from description)
## Affected Systems
- Products: WHILL Model C2 electric wheelchairs, WHILL Model F electric wheelchairs
- Versions: Unspecified, but covered by the CISA advisory dated December 30.
- Configurations: N/A
## Vulnerability Description
Security researchers discovered a critical missing authentication vulnerability in specific models of WHILL electric wheelchairs. This flaw allows a remote attacker to take control of the mobility device without authenticating, posing a significant safety risk to the user.
## Exploitation
- Status: Researchers have demonstrated the vulnerability (PoC available/Demonstrated).
- Complexity: Low (Implied by remote control capability and critical rating, though not explicitly stated).
- Attack Vector: Network (Implied by "remote control").
## Impact
- Confidentiality: Potential (If data access is possible, though focus is physical safety)
- Integrity: **High** (Unauthorized remote control fundamentally compromises the device's controlled operation)
- Availability: **High** (Remote control can render the device unusable or cause forced movement)
## Remediation
### Patches
- Remediation details (specific patch versions) are not provided in the text, but CISA guidance suggests vendor action is necessary.
### Workarounds
- No specific workarounds are detailed in the summary text.
## Detection
- No specific Indicators of Compromise (IOCs) or detection methods are detailed in the summary text. Detection would involve monitoring wireless communication channels associated with the wheelchair control system for unauthorized commands.
## References
- Vendor advisories: CISA ICS Medical Advisory ICSMA-25-364-01
- Relevant links - defanged: hxxps://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-364-01