What is the CVSS score of CVE-2025-32877?

CVE-2025-32877 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Coros Pace 3 Firmware are affected by CVE-2025-32877?

COROS PACE 3 smartwatches are vulnerable to wireless authentication bypass attacks, allowing unauthorized users to remotely access and potentially control devices through Bluetooth without any user…

Is there a public PoC exploit available for CVE-2025-32877?

Yes, a public proof-of-concept exploit is available for CVE-2025-32877. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-32877?

Within 24 hours: Identify and inventory all COROS PACE 3 devices in use across the organization and restrict their deployment in high-security areas. Within 7 days: Communicate vulnerability status to all device users, disable non-essential Bluetooth features if available, and isolate affected devices from critical networks. Within 30 days: Monitor for vendor patch availability, evaluate device replacement options, and consider removing devices from use until a security fix is available.

Coros Pace 3 Firmware CVE-2025-32877

EUVD-2025-18743 CRITICAL

Improper Authentication (CWE-287)

2025-06-20 cve@mitre.org

Information Disclosure Coros Pace 3 Firmware

9.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 00:19 euvd

EUVD-2025-18743

Analysis Generated

Mar 15, 2026 - 00:19 vuln.today

PoC Detected

Jul 08, 2025 - 14:32 vuln.today

Public exploit code

CVE Published

Jun 20, 2025 - 14:15 nvd

CRITICAL 9.8

DescriptionCVE.org

An issue was discovered on COROS PACE 3 devices through 3.0808.0. It identifies itself as a device without input or output capabilities, which results in the use of the Just Works pairing method. This method does not implement any authentication, which therefore allows machine-in-the-middle attacks. Furthermore, this lack of authentication allows attackers to interact with the device via BLE without requiring prior authorization.

AnalysisAI

CVE-2025-32877 is a security vulnerability (CVSS 9.8) that allows attackers. Risk factors: public PoC available.

Technical ContextAI

CWE-287 (Improper Authentication). CVSS 9.8 indicates critical severity with likely remote exploitation vector.

RemediationAI

Monitor vendor channels for patch availability. Restrict network access to affected components and enable MFA as interim mitigation.

CVE-2025-32877 vulnerability details – vuln.today

Back

Coros Pace 3 Firmware CVE-2025-32877

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code