CVE-2025-32880

Name of the Vulnerable Software and Affected Versions: COROS PACE 3 versions through 3.0808.0

Description: An issue was discovered that allows the COROS Pace 3 to download firmware files via HTTP when connected to a WLAN, but the communication is not encrypted. This lack of encryption enables sniffing and machine-in-the-middle attacks.

Recommendations: For COROS PACE 3 versions through 3.0808.0, as a temporary workaround, consider restricting WLAN access to trusted networks until a patch is available. Avoid using the watch's WLAN connectivity feature in untrusted environments to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.