CVE-2025-32879

8.8 HIGH

📋 TL;DR

COROS PACE 3 fitness watches running firmware through version 3.0808.0 automatically enter Bluetooth Low Energy (BLE) advertising mode whenever they are not connected to a paired device, and accept a connection from any nearby BLE central without authentication. Once connected, every BLE service and characteristic is exposed, which lets the attacker configure the device, push notifications, trigger a factory reset, or install software. Any PACE 3 still on 3.0808.0 or earlier is affected, in its default configuration.

💻 Affected Systems

Products:
  • COROS PACE 3
Versions: through 3.0808.0
Operating Systems: Device firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable when device is not actively connected to a paired Bluetooth device (phone/app). The vulnerability exists in the default Bluetooth advertising behavior.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker within BLE range could install malicious software on the watch, persistently compromise it, read personal fitness and health data, or render it unusable via a factory reset.

🟠 Likely Case

An opportunistic attacker nearby (gym, office, public transport) connects to a watch whose phone is out of range, sends fake notifications, changes settings, or resets it to factory defaults.

🟢 If Mitigated

Once the firmware is updated, or the watch is kept connected to its paired phone or has Bluetooth disabled, the unauthenticated connection path is closed. Remaining exposure is limited to BLE radio range and to whatever the legitimate pairing relationship itself allows.

🌐 Internet-Facing: LOW - Not reachable over any network; the attacker needs a BLE adapter within radio range of the watch (typically a few metres to a few tens of metres, depending on antenna and environment).
🏢 Internal Only: MEDIUM - Anywhere people wear the watch without their phone nearby (offices, gyms, locker rooms, public spaces), an attacker in radio range can connect while the watch is advertising.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a standard BLE adapter and off-the-shelf tooling (bluetoothctl on Linux, the legacy gatttool where it is still shipped, nRF Connect on a phone) plus radio proximity. Note that gatttool is deprecated in current BlueZ releases and absent from many distributions; bluetoothctl's gatt menu covers the same connect and read/write operations. The SYSS advisory documents the services and characteristics that are reachable without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: a firmware release newer than 3.0808.0 (check the vendor release notes linked below for the exact build that addresses this issue)

Vendor Advisory: https://support.coros.com/hc/en-us/articles/20087694119828-COROS-PACE-3-Release-Notes

Restart Required: Yes

Instructions:

1. Open the COROS app on the paired smartphone.
2. Navigate to Device Settings > System Updates.
3. Check for and install any available firmware update.
4. Wait for the update to complete and the watch to restart.
5. Verify in the app that the firmware version is now above 3.0808.0.

🔧 Temporary Workarounds

Maintain Active Bluetooth Connection (all platforms)

Keep the watch connected to the paired smartphone via the COROS app so it never enters the vulnerable advertising state. This is fragile: the moment the phone is out of range, powered off, or has Bluetooth disabled, the watch starts advertising again and is exposed until the phone reconnects.

Disable Bluetooth When Not in Use (all platforms)

Turn off Bluetooth on the PACE 3 when you are not syncing or using phone-connected features. This removes the attack surface entirely while it is off, at the cost of sync and notifications; remember to turn it back off after each use.

🧯 If You Can't Patch

  • Do not leave the watch unattended, or wear it without your phone in range, in public spaces where an attacker with a BLE adapter could be present.
  • Keep the watch paired and actively connected to your smartphone whenever Bluetooth is on, since it only advertises (and only accepts unauthenticated connections) while no paired device is connected.

🔍 How to Verify

Check if Vulnerable:

Check device firmware version in COROS app: Device Settings > About Device. If version is 3.0808.0 or lower, device is vulnerable.

Check Version:

No CLI command - check via COROS mobile app: Device Settings > About Device

Verify Fix Applied:

Confirm in the COROS app that the firmware version is above 3.0808.0. Then test from an unpaired host with a BLE scanner while the watch is disconnected from its phone: a fixed device should either not advertise at all, or refuse the connection, or reject reads and writes of its characteristics until the central is paired and bonded. If an unpaired host can still connect and read or write characteristics, the fix is not in effect.
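The following script is an added example for the two checks above (is the watch vulnerable; is the fix in effect); it is not SYSS's proof of concept and not COROS code. It uses the open-source bleak library (pip install bleak) and a local BLE adapter to scan for an advertising watch, connect without pairing, enumerate GATT characteristics, and attempt a single unauthenticated read. The advertised-name tokens are an assumption: adjust NAME_TOKENS to whatever your scanner shows for your own device, and only run this against a watch you own. The scan and connection parts need hardware; the selection and reporting helpers are plain functions.

```python
"""Probe a COROS PACE 3 for the unauthenticated-BLE condition of CVE-2025-32879.

Added example, not SYSS's PoC or COROS code. Live probing assumes the
`bleak` package (pip install bleak) and a BLE adapter. Only target your own watch.
"""
import asyncio
from dataclasses import dataclass

# Assumption: the watch's advertised local name contains one of these tokens.
# Adjust to what your scanner actually shows for your device.
NAME_TOKENS = ("PACE 3", "COROS")


@dataclass
class CharInfo:
    uuid: str
    properties: tuple  # e.g. ("read", "write", "notify") as reported by bleak


def looks_like_pace3(local_name):
    """True if an advertised local name matches the watch (case-insensitive)."""
    if not local_name:
        return False
    upper = local_name.upper()
    return any(tok in upper for tok in NAME_TOKENS)


def select_targets(scan):
    """scan: list of (address, local_name) pairs from a BLE scan -> matching addresses."""
    return [addr for addr, name in scan if looks_like_pace3(name)]


def summarize_exposure(chars):
    """Describe what an unpaired central could do with the enumerated characteristics.

    On a patched device we should never get a characteristic list without pairing;
    on a vulnerable one every characteristic is reachable without bonding.
    """
    readable = [c.uuid for c in chars if "read" in c.properties]
    writable = [c.uuid for c in chars
                if "write" in c.properties or "write-without-response" in c.properties]
    notifying = [c.uuid for c in chars
                 if "notify" in c.properties or "indicate" in c.properties]
    return {
        "total": len(chars),
        "readable": readable,
        "writable": writable,
        "notifying": notifying,
        "vulnerable": bool(readable) or bool(writable),
    }


async def probe(timeout=10.0):
    """Scan, connect without pairing, enumerate GATT, try one unauthenticated read."""
    from bleak import BleakClient, BleakScanner  # lazy import: only needed live
    from bleak.exc import BleakError

    found = await BleakScanner.discover(timeout=timeout, return_adv=True)
    scan = [(addr, adv.local_name or dev.name) for addr, (dev, adv) in found.items()]
    targets = select_targets(scan)
    if not targets:
        print("no advertising COROS device seen (patched, connected to its phone, or out of range)")
        return None
    addr = targets[0]
    print(f"connecting to {addr} without pairing ...")
    async with BleakClient(addr, timeout=timeout) as client:
        chars = [CharInfo(c.uuid, tuple(c.properties))
                 for svc in client.services for c in svc.characteristics]
        report = summarize_exposure(chars)
        # A single read is enough to demonstrate missing authentication; never write.
        for uuid in report["readable"][:1]:
            try:
                value = await client.read_gatt_char(uuid)
                print(f"unauthenticated read of {uuid}: {value.hex()}")
            except BleakError as exc:
                # A fixed device that enforces bonding typically fails here.
                print(f"read of {uuid} refused without pairing: {exc}")
                report["vulnerable"] = False
        return report


if __name__ == "__main__":
    result = asyncio.run(probe())
    if result:
        print(f"{result['total']} characteristics enumerated, "
              f"{len(result['writable'])} writable -> vulnerable={result['vulnerable']}")
```

Run it once before updating (with the phone's Bluetooth off so the watch is advertising) and once after; the first run should report an enumerated characteristic list and a successful read, the second should find nothing advertising, fail to connect, or have the read refused.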

📡 Detection & Monitoring

Log Indicators:

  • The watch exposes no user-accessible connection log, so the practical indicators are behavioural: notifications you did not expect, settings you did not change, or an unexplained factory reset.
  • On a Linux host used for testing, BlueZ logs connections and pairing events to the system journal (journalctl -u bluetooth), which helps when confirming your own probe results.

Network Indicators:

  • A BLE scanner or sniffer in the area seeing a PACE 3 advertising as connectable while its owner's phone should be connected to it.
  • A sniffer observing a central other than the owner's phone connecting to the watch and performing GATT reads or writes.

SIEM Query:

Not applicable - this is a physical proximity Bluetooth attack not typically logged in enterprise SIEM systems.

🔗 References
