CVE-2025-48705

EUVD-2025-18747 | HIGH | CVSS 3.1: 7.5
Published 2025-06-20

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 15, 2026 - 00:19 (vuln.today)
EUVD ID Assigned: Mar 15, 2026 - 00:19 (euvd), EUVD-2025-18747
PoC Detected: Jul 08, 2025 - 14:32 (vuln.today), public exploit code
CVE Published: Jun 20, 2025 - 14:15 (nvd), HIGH 7.5

Description

An issue was discovered in COROS PACE 3 through 3.0808.0. Due to a NULL pointer dereference vulnerability, sending a crafted BLE message forces the device to reboot.

Analysis

CVE-2025-48705 is a NULL pointer dereference vulnerability in COROS PACE 3 smartwatch (versions 3.0 through 3.0808.0) that allows unauthenticated remote attackers to trigger a device reboot by sending a specially crafted Bluetooth Low Energy (BLE) message. The vulnerability results in denial of service with no additional privileges required, affecting the availability of the device. Given the CVSS 7.5 score and remote/network attack vector over BLE, this poses a significant nuisance risk to users, though impact is limited to device unavailability rather than data compromise.

Technical Context

The vulnerability exists in the COROS PACE 3 smartwatch firmware's BLE message handling subsystem. The root cause is classified under CWE-476 (NULL Pointer Dereference), indicating insufficient input validation or null-checking before dereferencing a pointer in the BLE protocol stack. The CVSS vector rates the attack vector as Network (AV:N); because the transport is BLE (Bluetooth Low Energy), the flaw is exploitable from any device within Bluetooth range (~100 meters depending on antenna strength). The firmware versions 3.0 through 3.0808.0 contain the defective code path; when a malformed or unexpected BLE message structure reaches the vulnerable function, the firmware attempts to access memory at a NULL address, causing an unhandled exception that forces a device reboot. The CPE identifier would be cpe:2.3:o:coros:pace_3_firmware:*:*:*:*:*:*:*:* with version constraints >=3.0 AND <=3.0808.0.

Affected Products

COROS PACE 3 smartwatch - Firmware versions 3.0.0 through 3.0808.0 (inclusive). The vulnerability affects all COROS PACE 3 units running these firmware versions. Related COROS PACE 3 hardware SKUs with vulnerable firmware releases are in scope. There is no indication that other COROS models (PACE 2, VERTIX, APEX) are affected based on the CVE description. CPE: cpe:2.3:o:coros:pace_3_firmware:3.0.*:*:*:*:*:*:*:* and cpe:2.3:o:coros:pace_3_firmware:3.0[0-7]*.0:*:*:*:*:*:*:*

Remediation

Immediate action: COROS should release a patched firmware version (3.0809.0 or later) that implements proper NULL pointer validation and input sanitization in the BLE message handler. Users should: (1) check for firmware updates in the COROS app and install the latest available version as soon as it is released; (2) temporarily minimize BLE exposure by keeping the device in airplane mode or disabling BLE when it is not actively needed, though this negates smartwatch functionality; (3) keep the device in a secure location to limit the physical proximity an attacker needs to reach it over BLE. Vendor remediation required: implement bounds checking and null-pointer guards before all pointer dereferences in the BLE protocol parser, and add fuzzing-based security testing of BLE input handling to the CI/CD pipeline. Monitor the COROS official website and security advisories for a patch release announcement. No workaround fully mitigates this without disabling the device.
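The guard pattern recommended above, as an added example that is not COROS firmware code: a message dispatcher that validates the buffer, the declared length and the handler pointer before any dereference, plus an exhaustive input sweep of the kind a CI job could run. The frame layout, opcode table and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical frame layout (assumption): [opcode:1][len:1][payload:len] */
enum { MSG_OK = 0, MSG_ERR_NULL = -1, MSG_ERR_SHORT = -2,
       MSG_ERR_LEN = -3, MSG_ERR_OPCODE = -4 };

typedef int (*msg_handler)(const uint8_t *payload, size_t len);

static int on_ping(const uint8_t *p, size_t n) { (void)p; (void)n; return MSG_OK; }
static int on_set_time(const uint8_t *p, size_t n)
{
    (void)p;
    return n == 4 ? MSG_OK : MSG_ERR_LEN;   /* handler checks its own payload size */
}

/* Sparse table: opcodes with no registered handler stay NULL. */
#define N_OPCODES 8
static const msg_handler handlers[N_OPCODES] = { [1] = on_ping, [3] = on_set_time };

/* Validate every field before any pointer is dereferenced or called. */
int dispatch_message(const uint8_t *buf, size_t buf_len)
{
    if (buf == NULL)          return MSG_ERR_NULL;
    if (buf_len < 2)          return MSG_ERR_SHORT;   /* header incomplete */
    uint8_t opcode = buf[0];
    size_t  len    = buf[1];
    if (len != buf_len - 2)   return MSG_ERR_LEN;     /* declared vs. received */
    if (opcode >= N_OPCODES)  return MSG_ERR_OPCODE;  /* outside the table */
    msg_handler h = handlers[opcode];
    if (h == NULL)            return MSG_ERR_OPCODE;  /* CWE-476 guard */
    return h(buf + 2, len);
}

/* Sweep every opcode with payload lengths 0..16; returns how many frames
 * were accepted. Any crash here is a missing guard in the dispatcher. */
int sweep_accepts(void)
{
    uint8_t frame[2 + 16] = {0};
    int accepted = 0;
    for (int op = 0; op < 256; op++)
        for (size_t len = 0; len <= 16; len++) {
            frame[0] = (uint8_t)op;
            frame[1] = (uint8_t)len;
            if (dispatch_message(frame, 2 + len) == MSG_OK)
                accepted++;
        }
    return accepted;
}
```

Without the `h == NULL` check, the unregistered opcodes in the sparse table would be called through a NULL function pointer, which is the class of fault the CVE describes.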

Priority Score

58
KEV: 0
EPSS: +0.1
CVSS: +38
POC: +20
