CVE-2025-32877

Name of the Vulnerable Software and Affected Versions: COROS PACE 3 versions through 3.0808.0

Description: An issue was discovered that affects the Bluetooth pairing method of the device. It identifies itself as a device without input or output capabilities, resulting in the use of the Just Works pairing method. This method does not implement any authentication, allowing machine-in-the-middle attacks. Furthermore, this lack of authentication allows attackers to interact with the device via Bluetooth Low Energy (BLE) without requiring prior authorization.

Recommendations: For COROS PACE 3 versions through 3.0808.0, as a temporary workaround, consider restricting access to the device's BLE functionality until a patch is available. Additionally, users should be cautious when pairing their devices to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.