PT-2025-26320 · Coros · Coros
Moritz Abrell
·
Published
2025-06-20
·
Updated
2025-06-21
·
CVE-2025-32875
CVSS v3.1
5.7
Medium
| Vector | AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions:
COROS application versions 3.8.12 and earlier
Description:
The COROS application does not initiate or require Bluetooth pairing and bonding with the watch, and the watch does not enforce them either. Because link-layer encryption in Bluetooth Low Energy (BLE) only exists between paired devices, all data exchanged between the app and the watch is transmitted in the clear and can be intercepted by an attacker within radio range. Even when a user pairs and bonds the watch manually through the Android Bluetooth settings, the application keeps transmitting without requiring that the connected watch is bonded, so an attacker in range can still interpose on the communication. This can be used to conduct an active machine-in-the-middle attack.
Recommendations:
For versions 3.8.12 and earlier, no release containing a fix is known at the time of writing. As a temporary workaround, disable the Bluetooth functionality in the COROS application until a patch is available, limit the sensitive data the app is allowed to exchange with the watch over BLE, and do not rely on the application for sensitive communications until the issue is resolved. Anything the app sends to or receives from the watch over BLE should be assumed readable and modifiable by anyone within radio range.
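The app-side half of a fix is to refuse to transmit until the connected peer is bonded, which is what the description above says the application never checks. The following Android (Kotlin) helper is an added illustration written for this advisory; it is not COROS code and the class and method names (BondGatedGattWriter, Outcome, write, queueWrite) are hypothetical. It assumes an already connected BluetoothGatt and the BLUETOOTH_CONNECT runtime permission on API 31 and later.

```kotlin
import android.bluetooth.BluetoothDevice
import android.bluetooth.BluetoothGatt
import android.bluetooth.BluetoothGattCharacteristic
import android.bluetooth.BluetoothStatusCodes
import android.os.Build

/**
 * Hypothetical helper (not COROS code): every outgoing GATT write is gated on the
 * connected peer being bonded, so nothing leaves the phone over an unencrypted LE link.
 * Caller must hold BLUETOOTH_CONNECT on API 31+.
 */
class BondGatedGattWriter(private val gatt: BluetoothGatt) {

    sealed class Outcome {
        object Sent : Outcome()               // peer is bonded, write was queued on the encrypted link
        object BondingRequested : Outcome()   // createBond() started pairing; retry once
                                              // ACTION_BOND_STATE_CHANGED reports BOND_BONDED
        object BondingInProgress : Outcome()  // a pairing request is already pending
        data class Refused(val reason: String) : Outcome()
    }

    fun write(characteristic: BluetoothGattCharacteristic, payload: ByteArray): Outcome {
        // gatt.device is the peer of *this* connection, so a stale bond with a
        // different watch address does not satisfy the check.
        val peer: BluetoothDevice = gatt.device
        return when (peer.bondState) {
            BluetoothDevice.BOND_BONDED ->
                if (queueWrite(characteristic, payload)) Outcome.Sent
                else Outcome.Refused("writeCharacteristic failed")
            BluetoothDevice.BOND_BONDING -> Outcome.BondingInProgress
            else ->
                // BOND_NONE: do not fall back to a plaintext write, start pairing instead.
                if (peer.createBond()) Outcome.BondingRequested
                else Outcome.Refused("createBond() rejected by the stack")
        }
    }

    @Suppress("DEPRECATION")
    private fun queueWrite(ch: BluetoothGattCharacteristic, payload: ByteArray): Boolean =
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            // API 33+: value is passed explicitly and the call returns a status code.
            gatt.writeCharacteristic(ch, payload, BluetoothGattCharacteristic.WRITE_TYPE_DEFAULT) ==
                BluetoothStatusCodes.SUCCESS
        } else {
            ch.value = payload
            gatt.writeCharacteristic(ch)
        }
}
```

Two caveats a practitioner should keep in mind. First, BOND_BONDED only tells you that a long-term key exists; if the watch pairs with "Just Works" the resulting key is unauthenticated and does not protect against an active machine-in-the-middle, so the pairing method matters as much as the bond check. Second, this is only the central side: as the description notes, the watch itself does not enforce pairing, so until the peripheral marks its characteristics as requiring an encrypted (and ideally authenticated) link, an attacker's own phone can still talk to the watch without bonding regardless of what the legitimate app does.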
Improper Authentication
Missing Encryption of Sensitive Data
Affected Products
Coros