Coros Pace 3 Firmware
A remote code execution vulnerability in COROS PACE 3 (CVSS 9.1). Risk factors: public PoC available.
CVE-2025-48705 is a NULL pointer dereference vulnerability in COROS PACE 3 smartwatch (versions 3.0 through 3.0808.0) that allows unauthenticated remote attackers to trigger a device reboot by sending a specially crafted Bluetooth Low Energy (BLE) message. The vulnerability results in denial of service with no additional privileges required, affecting the availability of the device. Given the CVSS 7.5 score and remote/network attack vector over BLE, this poses a significant nuisance risk to users, though impact is limited to device unavailability rather than data compromise.
COROS PACE 3 smartwatches through firmware version 3.0808.0 download firmware updates over unencrypted HTTP connections when connected to WLAN, enabling attackers to intercept, modify, or inject malicious firmware without authentication. This critical vulnerability (CVSS 9.8) affects all users of the PACE 3 device and could result in complete device compromise, data exfiltration, or persistent malware installation. No active exploitation in the wild has been confirmed at this time, but the trivial attack complexity and network accessibility make this a high-priority patch target.
CVE-2025-32879 is a security vulnerability (CVSS 8.8) that allows an attacker. Risk factors: public PoC available.
CVE-2025-32878 is a security vulnerability (CVSS 9.8). Risk factors: public PoC available.
CVE-2025-32877 is a security vulnerability (CVSS 9.8) that allows attackers. Risk factors: public PoC available.
An issue was discovered on COROS PACE 3 devices through 3.0808.0. The BLE implementation of the COROS smartwatch does not support LE Secure Connections and instead enforces BLE Legacy Pairing. In BLE Legacy Pairing, the Short-Term Key (STK) can be easily guessed. This requires knowledge of the Temporary Key (TK), which, in the case of the COROS PACE 3, is set to 0 due to the Just Works pairing method. An attacker within Bluetooth range can therefore perform sniffing attacks, allowing eavesdropping on the communication.