PT-2025-26315 · Coros · Coros Pace 3

Moritz Abrell · Published 2025-06-20 · Updated 2025-07-08 · CVE-2025-32879

CVSS v3.1: 8.8 (High)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: COROS PACE 3 versions 3.0808.0 and earlier
Description: An issue was discovered that allows an attacker to connect to the device via Bluetooth Low Energy (BLE) if no other device is connected. Once connected, the attacker can access the device's BLE services and characteristics without any authentication or security level, enabling them to configure the device, send notifications, reset the device to factory settings, or install software.
Recommendations: For COROS PACE 3 versions 3.0808.0 and earlier, as a temporary workaround, consider disabling the Bluetooth advertising feature when no device is connected to minimize the risk of exploitation. Restrict access to the device's BLE services and characteristics to prevent unauthorized configuration or control.

Exploit

Fix

Weakness Enumeration: Missing Authentication, Improper Authentication

Related Identifiers: CVE-2025-32879

Affected Products: Coros Pace 3