CVE-2025-48706

9.1 CRITICAL

📋 TL;DR

An out-of-bounds read vulnerability in COROS PACE 3 devices allows attackers to cause a denial of service by sending crafted Bluetooth Low Energy (BLE) messages that crash the watch and force it to reboot. This affects COROS PACE 3 smartwatch users with firmware versions up to and including 3.0808.0. Attackers within Bluetooth radio range can exploit this vulnerability without pairing or any other authentication.

💻 Affected Systems

Products:
  • COROS PACE 3
Versions: through 3.0808.0
Operating Systems: COROS proprietary firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Bluetooth functionality must be enabled for exploitation. All devices with vulnerable firmware are affected when BLE is active.

📦 What is this software?

The COROS PACE 3 is a GPS sports watch made by COROS. It pairs with the COROS smartphone app over Bluetooth Low Energy (BLE) for activity sync, settings and firmware updates, so the BLE stack in the watch firmware is exposed to any nearby device that can speak BLE.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Persistent denial of service rendering the device unusable through repeated reboots, potentially causing data loss or disrupting fitness tracking functionality.

🟠 Likely Case

Temporary device reboots disrupting active workouts, losing unsynced data, and causing inconvenience to users.

🟢 If Mitigated

Minimal impact if Bluetooth is disabled or the device is not in range of an attacker, though functionality (sync, notifications, firmware updates) would be reduced.

🌐 Internet-Facing: LOW - Exploitation requires radio proximity via Bluetooth Low Energy, not internet connectivity.
🏢 Internal Only: MEDIUM - Attackers must be within BLE range (nominally ~10 meters, considerably more with a high-gain or directional antenna), making it a localized but easily reachable threat in gyms, races and other public spaces.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The advisory includes technical details that could facilitate exploitation. An attack requires only a BLE-capable device (a laptop or phone with a standard Bluetooth adapter), radio proximity to the watch, and knowledge of the crafted message described in the advisory; no pairing with the watch is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 3.0808.0

Vendor Advisory: https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-028.txt

Restart Required: Yes

Instructions:

1. Open the COROS app on the paired smartphone.
2. Navigate to the device settings.
3. Check for firmware updates.
4. Install the available update.
5. Keep the watch connected to the phone for the whole update process.

🔧 Temporary Workarounds

Disable Bluetooth

Applies to: all affected firmware versions

Turn off Bluetooth functionality so the watch cannot receive BLE messages at all. Note that this also blocks app sync and firmware updates, so Bluetooth has to be re-enabled to install the fix.

Settings > Connectivity > Bluetooth > Toggle Off

Limit Bluetooth Visibility

Applies to: all affected firmware versions

Set the device to non-discoverable mode to reduce the attack surface. This only makes the watch harder to find; it does not change the vulnerable code path.

Settings > Connectivity > Bluetooth Visibility > Hidden

Menu labels may differ between firmware releases; confirm the exact path in the watch's own settings menu.

🧯 If You Can't Patch

  • Keep Bluetooth disabled except when actively syncing data or installing the update
  • Where possible, avoid leaving Bluetooth enabled in crowded public places, since any BLE-capable device within radio range can send the crafted messages

🔍 How to Verify

Check if Vulnerable:

Check firmware version in COROS app: Device Settings > About > Firmware Version. If version is 3.0808.0 or earlier, device is vulnerable.

Check Version:

COROS app: Device Settings > About > Firmware Version

Verify Fix Applied:

After the update, verify that the firmware version shown in the app is higher than 3.0808.0 and that the watch still pairs and syncs with the app normally. If the version has not changed, the update did not complete; repeat the update with the watch kept within range of the phone.
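The version check above is a manual one. For anyone tracking several watches (a club, a team, a corporate wellness fleet), the following added example turns it into a script. It is not code from SySS or COROS: the inventory is constructed, the "patched" version numbers in it are placeholders, and the only fact taken from this page is that firmware through 3.0808.0 is affected.

```python
# Added example (not part of the SySS advisory or any COROS tooling): triage a
# list of COROS PACE 3 firmware versions against the affected range for
# CVE-2025-48706 ("through 3.0808.0").  The inventory below is constructed and
# the patched version strings in it are placeholders, not real releases.
from dataclasses import dataclass

LAST_VULNERABLE = "3.0808.0"   # last affected release, per the advisory summary


def parse_version(text: str) -> tuple:
    """Turn '3.0808.0' into (3, 808, 0) so each component compares numerically.

    Comparing version strings lexically breaks as soon as component widths
    differ ('3.0808.0' vs '3.10000.0'), so always split and convert.  Anything
    that is not dotted digits raises instead of silently sorting into a bucket.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, last_bad: str = LAST_VULNERABLE) -> bool:
    """True when the firmware is at or below the last affected release."""
    v, bad = parse_version(version), parse_version(last_bad)
    n = max(len(v), len(bad))
    # right-pad with zeros so '3.0808' and '3.0808.0' compare as equal
    v = v + (0,) * (n - len(v))
    bad = bad + (0,) * (n - len(bad))
    return v <= bad


@dataclass(frozen=True)
class Watch:
    label: str
    firmware: str


def triage(watches) -> dict:
    """Map each watch label to 'VULNERABLE', 'PATCHED' or 'UNKNOWN'."""
    result = {}
    for w in watches:
        try:
            result[w.label] = "VULNERABLE" if is_vulnerable(w.firmware) else "PATCHED"
        except ValueError:
            # an unparseable version must be looked at by hand, never assumed safe
            result[w.label] = "UNKNOWN"
    return result


# Constructed inventory; the version strings other than 3.0808.0 are placeholders.
SAMPLE_INVENTORY = [
    Watch("alice-pace3", "3.0808.0"),   # exactly the last affected release
    Watch("bob-pace3", "3.0805.0"),     # older, affected
    Watch("carol-pace3", "3.0900.0"),   # placeholder for a later, fixed release
    Watch("dave-pace3", "unknown"),     # app showed nothing usable
]

if __name__ == "__main__":
    for label, status in triage(SAMPLE_INVENTORY).items():
        print(f"{label:14s} {status}")
```

Anything reported as UNKNOWN should be checked on the watch itself rather than assumed patched; the script deliberately refuses to guess.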

📡 Detection & Monitoring

Log Indicators:

  • Unexpected device reboots
  • Bluetooth connection drops
  • Error logs mentioning BLE processing

Network Indicators:

  • Unusual BLE traffic patterns
  • Malformed BLE packets from unknown sources

SIEM Query:

Not applicable - consumer device without enterprise logging capabilities
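The watch has no exportable logs, so the only practical detection is from the outside: a BLE sniffer or a Linux host running a scanner near the watch. The following added example (not from the SySS advisory or COROS) shows one heuristic over such observations, based on the indicators listed above: a watch that reboots stops advertising for a while and then reappears, so an advertising gap that begins with a connection from a central we do not recognise is worth flagging. The log format, the addresses, the owner-phone allow-list and the 8 s reboot threshold are all assumptions for the example.

```python
# Added example (not from the SySS advisory or any COROS tooling): flag BLE
# observations consistent with a forced reboot following a connection from an
# unrecognised central.  The log format ("<seconds> <KIND> <src> [-> <dst>]"),
# the addresses and the reboot threshold are assumptions for this example.
from dataclasses import dataclass

WATCH_ADDR = "C0:FF:EE:00:00:01"        # assumed address of the monitored watch
KNOWN_CENTRALS = {"AA:BB:CC:00:00:01"}  # assumed address of the owner's phone
REBOOT_GAP_S = 8.0                      # advertising silence treated as a reboot (assumption)


@dataclass(frozen=True)
class Event:
    t: float
    kind: str    # "ADV" (watch advertising), "CONN" (central -> watch), "DISC"
    src: str     # advertiser, or the initiating central for CONN/DISC
    dst: str = ""


def parse_log(text: str) -> list:
    """Parse the constructed sniffer format into time-ordered Event objects."""
    events = []
    for line in text.strip().splitlines():
        f = line.split()
        t, kind, src = float(f[0]), f[1], f[2]
        dst = f[4] if len(f) >= 5 and f[3] == "->" else ""
        events.append(Event(t, kind, src, dst))
    return sorted(events, key=lambda e: e.t)


def unknown_centrals(events, watch=WATCH_ADDR, known=KNOWN_CENTRALS) -> set:
    """Addresses that connected to the watch and are not on the allow-list."""
    return {e.src for e in events
            if e.kind == "CONN" and e.dst == watch and e.src not in known}


def find_suspect_reboots(events, watch=WATCH_ADDR, known=KNOWN_CENTRALS,
                         gap=REBOOT_GAP_S) -> list:
    """Return (central, conn_time, adv_resume_time) for every silence of at
    least `gap` seconds that started with an unrecognised central connecting.

    A connected peripheral stops advertising anyway, so a short gap is normal;
    only a gap long enough to cover a reboot is reported.  This is a heuristic,
    not proof of exploitation.
    """
    findings = []
    pending = None   # latest unknown-central CONN not yet followed by advertising
    for e in events:
        if e.kind == "CONN" and e.dst == watch:
            pending = e if e.src not in known else None
        elif e.kind == "ADV" and e.src == watch:
            if pending is not None and e.t - pending.t >= gap:
                findings.append((pending.src, pending.t, e.t))
            pending = None
    return findings


# Constructed observation log: the owner's phone connects at t=2 and the watch is
# advertising again at t=6 (normal); an unknown central connects at t=8, drops at
# t=8.5, and the watch is silent until t=20 (consistent with a reboot).
SAMPLE_LOG = """
0.0 ADV C0:FF:EE:00:00:01
1.0 ADV C0:FF:EE:00:00:01
2.0 CONN AA:BB:CC:00:00:01 -> C0:FF:EE:00:00:01
5.0 DISC AA:BB:CC:00:00:01 -> C0:FF:EE:00:00:01
6.0 ADV C0:FF:EE:00:00:01
7.0 ADV C0:FF:EE:00:00:01
8.0 CONN DE:AD:BE:EF:00:99 -> C0:FF:EE:00:00:01
8.5 DISC DE:AD:BE:EF:00:99 -> C0:FF:EE:00:00:01
20.0 ADV C0:FF:EE:00:00:01
21.0 ADV C0:FF:EE:00:00:01
"""

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("unknown centrals:", sorted(unknown_centrals(ev)))
    for central, t_conn, t_back in find_suspect_reboots(ev):
        print(f"suspect reboot: {central} connected at {t_conn}s, "
              f"watch silent until {t_back}s")
```

The threshold has to be tuned to the watch's real advertising interval and boot time; set it too low and every legitimate phone connection is flagged, too high and short reboots are missed.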

🔗 References

  • SySS advisory SYSS-2025-028: https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-028.txt
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-48706