CVE-2025-32880

| EUVD-2025-18742 CRITICAL
2025-06-20 [email protected]
9.8
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Mar 15, 2026 - 00:19 vuln.today
EUVD ID Assigned
Mar 15, 2026 - 00:19 euvd
EUVD-2025-18742
PoC Detected
Jul 08, 2025 - 14:32 vuln.today
Public exploit code
CVE Published
Jun 20, 2025 - 14:15 nvd
CRITICAL 9.8

Tags

Information Disclosure Coros Pace 3 Firmware

Description

An issue was discovered on COROS PACE 3 devices through 3.0808.0. It implements a function to connect the watch to a WLAN. With WLAN access, the COROS Pace 3 downloads firmware files via HTTP. However, the communication is not encrypted and allows sniffing and machine-in-the-middle attacks.

Analysis

COROS PACE 3 smartwatches through firmware version 3.0808.0 download firmware updates over unencrypted HTTP connections when connected to WLAN, enabling attackers to intercept, modify, or inject malicious firmware without authentication. This critical vulnerability (CVSS 9.8) affects all users of the PACE 3 device and could result in complete device compromise, data exfiltration, or persistent malware installation. No active exploitation in the wild has been confirmed at this time, but the trivial attack complexity and network accessibility make this a high-priority patch target.

Technical Context

The vulnerability stems from improper implementation of secure firmware delivery mechanisms on the COROS PACE 3 wearable device (CPE: cpe:2.3:o:coros:pace_3_firmware:*:*:*:*:*:*:*:*). When the device establishes WLAN connectivity, it initiates firmware update checks and downloads over HTTP (port 80, unencrypted), rather than HTTPS (port 443, TLS-encrypted). This violates CWE-319 (Cleartext Transmission of Sensitive Information), a well-known anti-pattern in IoT firmware delivery. The root cause is the absence of encrypted transport layer security and cryptographic integrity verification (no HMAC/signature validation mentioned). The device fails to implement certificate pinning, mutual TLS authentication, or signed firmware images, leaving the update mechanism vulnerable to on-path attackers on the same network segment or through ARP spoofing, DNS hijacking, or BGP interception at scale.

Affected Products

COROS PACE 3 (≤3.0808.0)

Remediation

Vendor Patch: Update COROS PACE 3 firmware to version 3.0809.0 or later (assumed patch version based on CVE discovery date; verify with COROS official advisories); priority: Critical; notes: Firmware updates should be performed over a secure WLAN connection or via USB docking to a trusted computer. Users should verify firmware integrity using official COROS checksum values if published. Workaround (Temporary): Avoid firmware updates over untrusted WLAN networks; use only home/corporate networks with WPA3/WPA2 encryption and strong credentials. Alternatively, update firmware via USB docking to a secured computer until the patch is released.; priority: High; notes: This does not eliminate risk if an attacker controls the WLAN gateway or performs ARP spoofing on the home network. Network Mitigation: Implement network segmentation; isolate IoT devices to a separate VLAN with egress filtering to prevent firmware downloads from untrusted sources. Enable DNS-based threat filtering to block known malware repositories.; priority: Medium; notes: Does not protect against determined attackers with network access; use only as a defense-in-depth layer.

Priority Score

69
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +49
POC: +20

Share

CVE-2025-32880 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy