WHILL Model C2 Electric Wheelchairs and Model F Power Chairs (Update A)
Act Now | 9.8 | ICS-CERT ICSMA-25-364-01 | Dec 30, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Unauthenticated Bluetooth Low Energy (BLE) vulnerability in WHILL Model C2 electric wheelchairs and Model F power chairs allows an attacker within Bluetooth range to take control of the device without requiring any authentication or pairing. The vulnerability affects all firmware versions of both models. WHILL has released patched firmware: Model C2 HMI v2.24 and Model F HMI v2.25, both of which disable the BLE interface after installation.
What this means
What could happen
An attacker within Bluetooth range could remotely take control of the electric wheelchair or power chair, potentially causing the device to move unexpectedly, stop responding to user input, or navigate into hazardous situations. This poses a direct physical safety risk to the user.
Who's at risk
Healthcare facilities, assisted living centers, rehabilitation centers, and individual users of WHILL Model C2 electric wheelchairs and Model F power chairs should prioritize this update. While the advisory lists energy as the affected sector, the actual impact is to mobility device users and the facilities that operate them.
How it could be exploited
An attacker with a Bluetooth-capable device positioned within range of the wheelchair or power chair can send unauthenticated commands over the Bluetooth Low Energy (BLE) interface to take control of motor functions and steering without requiring any authentication or user interaction.
Prerequisites
- Attacker must be within Bluetooth range of the affected wheelchair (typically 10–100 meters depending on antenna and environment)
- Target device must have Bluetooth enabled (default state)
- No authentication credentials or pairing required
remotely exploitable, no authentication required, low complexity, affects safety systems, Bluetooth-enabled by default
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
2 with fix
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Model F Power Chair | vers:all/* (All versions) | HMI v2.25 |
| Model C2 Electric WheelChair | vers:all/* (All versions) | HMI v2.24 |
Remediation & Mitigation
Do now
- WORKAROUND: If firmware update cannot be applied immediately, disable Bluetooth on the device when not in use and keep the device in areas with restricted physical access
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update Model C2 to HMI firmware version 2.24 or later, which disables the BLE interface after installation
- HOTFIX: Update Model F to HMI firmware version 2.25 or later, which disables the BLE interface after installation
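A fleet check against the two fixed HMI versions listed above, as an added example that is not part of the advisory or of WHILL's tooling. The CSV inventory layout (`asset_id`, `model`, `hmi_version`) and the sample rows are constructed, and dotted versions are assumed to compare numerically component by component.

```python
import csv
import io
import re

# Minimum fixed HMI firmware per model, taken from the remediation list above.
FIXED_HMI = {"model c2": (2, 24), "model f": (2, 25)}

# Constructed sample inventory; the column names are an assumption for this example.
SAMPLE_INVENTORY = """asset_id,model,hmi_version
WC-001,Model C2,v2.24
WC-002,Model C2,2.9
WC-003,Model F,v2.24
WC-004,Model F,2.25.1
WC-005,Model C2,unknown
WC-006,Model A,1.0
"""

def parse_version(text):
    """Return a tuple of ints for 'v2.24' or '2.24', or None if not parseable."""
    match = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in match.group(1).split(".")) if match else None

def audit(inventory_csv):
    """Classify each asset as 'patched', 'vulnerable', 'unknown' or 'not_listed'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        minimum = FIXED_HMI.get(row["model"].strip().lower())
        version = parse_version(row["hmi_version"])
        if minimum is None:
            status = "not_listed"   # model does not appear in this advisory
        elif version is None:
            status = "unknown"      # handle as vulnerable until checked on the device
        elif version >= minimum:    # tuple compare: (2, 9) < (2, 24), unlike float or string compare
            status = "patched"
        else:
            status = "vulnerable"
        results[row["asset_id"]] = status
    return results

if __name__ == "__main__":
    for asset, status in audit(SAMPLE_INVENTORY).items():
        print(f"{asset}: {status}")
```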
CVEs (1)
API:
/api/v1/advisories/ada2a954-7393-4fc0-9152-404af0c37a20