What is the CVSS score of EUVD-2025-19014?

EUVD-2025-19014 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Bluetooth are affected by EUVD-2025-19014?

COROS PACE 3 smartwatch devices (firmware through 3.0808.0) contain a critical Bluetooth vulnerability allowing unauthorized remote access without authentication.

Is there a public PoC exploit available for EUVD-2025-19014?

Yes, a public proof-of-concept exploit is available for EUVD-2025-19014. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate EUVD-2025-19014?

Within 24 hours: Identify and inventory all COROS PACE 3 devices in use across the organization and assess business criticality. Within 7 days: Disable Bluetooth on affected devices until patched, or restrict device use to controlled environments where unauthorized BLE connections are infeasible; communicate guidance to affected users. Within 30 days: Monitor COROS for patch availability and establish a process for rapid firmware deployment upon release; consider alternative device models if patches are not forthcoming.

Bluetooth EUVD-2025-19014

| CVE-2025-32879 HIGH

Improper Authentication (CWE-287)

2025-06-20 cve@mitre.org

Authentication Bypass Bluetooth Information Disclosure Coros Pace 3 Firmware

8.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.8 HIGH

AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 00:19 euvd

EUVD-2025-19014

Analysis Generated

Mar 15, 2026 - 00:19 vuln.today

PoC Detected

Jul 08, 2025 - 14:32 vuln.today

Public exploit code

CVE Published

Jun 20, 2025 - 14:15 nvd

HIGH 8.8

DescriptionCVE.org

An issue was discovered on COROS PACE 3 devices through 3.0808.0. It starts advertising if no device is connected via Bluetooth. This allows an attacker to connect with the device via BLE if no other device is connected. While connected, none of the BLE services and characteristics of the device require any authentication or security level. Therefore, any characteristic, depending on their mode of operation (read/write/notify), can be used by the connected attacker. This allows, for example, configuring the device, sending notifications, resetting the device to factory settings, or installing software.

AnalysisAI

CVE-2025-32879 is a security vulnerability (CVSS 8.8) that allows an attacker. Risk factors: public PoC available.

Technical ContextAI

CWE-287 (Improper Authentication). CVSS 8.8 indicates high severity.

RemediationAI

Monitor vendor channels for patch availability. Restrict network access to affected components and enable MFA as interim mitigation.

EUVD-2025-19014 vulnerability details – vuln.today

Back

Bluetooth EUVD-2025-19014

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code