PT-2025-26314 · Coros · Coros Pace 3

Moritz Abrell · Published 2025-06-20 · Updated 2025-07-08 · CVE-2025-32878

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: COROS PACE 3 versions through 3.0808.0
Description: An issue was discovered that allows an attacker to eavesdrop on and manipulate HTTPS communication. The device does not validate the X.509 server certificate during the TLS handshake, so an attacker in an active machine-in-the-middle position can exploit this with a TLS proxy that presents a self-signed certificate. Because the device completes the handshake and sends its request anyway, this can be abused to steal the API access token of the user account assigned to the device.
Recommendations: For COROS PACE 3 versions through 3.0808.0, as a temporary workaround, consider disabling the WLAN connection function until a patch that validates the X.509 server certificate is available. Restrict access to sensitive information, such as API access tokens, to minimize the risk of exploitation. At the time of writing there is no information about a newer version that contains a fix for this vulnerability.
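The failure mode described above, as an added example that is not part of the advisory and is not Coros code: a TLS client that skips chain validation hands its bearer token to whoever terminates TLS first, while a client that validates the chain aborts the handshake before any header leaves the device. Go's `httptest.NewUnstartedServer` + `StartTLS` stands in for the attacker's TLS proxy, since it presents exactly the kind of self-signed certificate an attacker without a CA-issued certificate for the API host can offer. The `/api/sync` path and the token value are constructed for the example and do not correspond to the real API.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"sync"
)

// mitmProxy plays the attacker's TLS proxy: it terminates TLS with a
// self-signed certificate (generated by httptest) and records every
// Authorization header a client hands it.
type mitmProxy struct {
	srv    *httptest.Server
	mu     sync.Mutex
	tokens []string
}

func newMITMProxy() *mitmProxy {
	p := &mitmProxy{}
	p.srv = httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p.mu.Lock()
		p.tokens = append(p.tokens, r.Header.Get("Authorization"))
		p.mu.Unlock()
		fmt.Fprint(w, `{"status":"ok"}`) // constructed reply, not the real API's format
	}))
	// Handshake failures from properly validating clients are expected; keep them off stderr.
	p.srv.Config.ErrorLog = log.New(io.Discard, "", 0)
	p.srv.StartTLS()
	return p
}

func (p *mitmProxy) URL() string                   { return p.srv.URL }
func (p *mitmProxy) Certificate() *x509.Certificate { return p.srv.Certificate() }
func (p *mitmProxy) Close()                        { p.srv.Close() }

// StolenTokens returns a copy of every Authorization header the proxy saw.
func (p *mitmProxy) StolenTokens() []string {
	p.mu.Lock()
	defer p.mu.Unlock()
	return append([]string(nil), p.tokens...)
}

// syncWithAPI mimics a device sync: authenticate with the account's API
// token and fetch a resource. The /api/sync path is hypothetical.
func syncWithAPI(client *http.Client, baseURL, token string) error {
	req, err := http.NewRequest(http.MethodGet, baseURL+"/api/sync", nil)
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := client.Do(req)
	if err != nil {
		return err // a chain-validation failure surfaces here, before any header is sent
	}
	defer resp.Body.Close()
	_, err = io.Copy(io.Discard, resp.Body)
	return err
}

// vulnerableClient reproduces the flaw in the advisory: the server's X.509
// chain and hostname are never checked, so any certificate is accepted.
func vulnerableClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
}

// hardenedClient validates chain and hostname. roots == nil means the system
// trust store; a device that talks to one API can pin the operator's CA here.
func hardenedClient(roots *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{
			RootCAs:    roots,
			MinVersion: tls.VersionTLS12,
		},
	}}
}

func main() {
	proxy := newMITMProxy()
	defer proxy.Close()
	const token = "constructed-api-token-0001" // constructed sample, not a real credential

	err := syncWithAPI(vulnerableClient(), proxy.URL(), token)
	fmt.Printf("no validation:     err=%v, proxy captured %q\n", err, proxy.StolenTokens())

	err = syncWithAPI(hardenedClient(nil), proxy.URL(), token)
	fmt.Printf("system roots:      err=%v\n", err)

	pinned := x509.NewCertPool()
	pinned.AddCert(proxy.Certificate())
	err = syncWithAPI(hardenedClient(pinned), proxy.URL(), token)
	fmt.Printf("pinned trusted CA: err=%v, proxy captured %d token(s) total\n", err, len(proxy.StolenTokens()))
}
```

The third case, where the proxy's certificate is explicitly trusted, is the legitimate-server case: it shows that the hardened client is not simply refusing every connection, only those whose chain does not end at a trusted root. On a real device the equivalent fix is to verify against the vendor's root set (or a pinned CA) and to refuse to send the bearer token when that verification fails.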

Exploit

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

CVE-2025-32878

Affected Products

Coros Pace 3