CVE-2025-32875 in App
Summary
by MITRE • 06/20/2025
An issue was discovered in the COROS application through 3.8.12 for Android. Bluetooth pairing and bonding is neither initiated nor enforced by the application itself. Also, the watch does not enforce pairing and bonding. As a result, any data transmitted via BLE remains unencrypted, allowing attackers within Bluetooth range to eavesdrop on the communication. Furthermore, even if a user manually initiates pairing and bonding in the Android settings, the application continues to transmit data without requiring the watch to be bonded. This fallback behavior enables attackers to exploit the communication, for example, by conducting an active machine-in-the-middle attack.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 06/20/2025
The vulnerability described in CVE-2025-32875 represents a critical security flaw in the COROS application version 3.8.12 and earlier for Android devices. This issue stems from a fundamental failure in the Bluetooth security implementation where the application neither initiates nor enforces Bluetooth pairing and bonding processes. The absence of proper authentication mechanisms creates a significant attack surface that compromises the confidentiality of data transmitted between the mobile application and the wearable device. This weakness directly violates established security protocols for wireless communication and exposes users to various forms of cyber attacks.
The technical flaw manifests as a complete lack of Bluetooth security enforcement at both application and device levels. The COROS application fails to implement proper Bluetooth security procedures that should be mandatory for any device communicating over BLE protocols. According to CWE-310, this represents a weakness in cryptographic key generation and management where the system does not properly establish secure communication channels. The vulnerability specifically impacts the Bluetooth Low Energy security model by bypassing the required pairing and bonding procedures that normally establish encrypted communication channels between devices. Even when users manually initiate the pairing process through Android settings, the application continues to transmit data without enforcing the bonded connection state, creating a persistent security gap.
The operational impact of this vulnerability extends beyond simple data eavesdropping to enable sophisticated attack vectors including active man-in-the-middle attacks. Attackers within Bluetooth range can exploit the unencrypted communication channel to intercept, modify, or inject malicious data into the communication stream. This poses significant risks to user privacy and device integrity, particularly since the wearable device likely handles sensitive health and location data. The vulnerability creates a persistent threat that remains active as long as the device is within Bluetooth range, making it particularly dangerous for users who frequently use the device in public spaces. This aligns with ATT&CK technique T1566 which describes social engineering attacks that can be facilitated through compromised communication channels.
Mitigation strategies should focus on implementing proper Bluetooth security enforcement mechanisms within the application code. The COROS application must be updated to enforce mandatory pairing and bonding procedures before any data transmission occurs, and it should verify the bonded state of the connection before transmitting sensitive information. Device-side security measures should include enforcing the requirement for authenticated connections and rejecting data transmission attempts from unpaired devices. Network administrators and security teams should also implement monitoring solutions to detect anomalous Bluetooth communication patterns that might indicate exploitation attempts. Additionally, users should be educated about the risks of using unsecured Bluetooth connections and the importance of maintaining proper device security settings. The fix should align with security standards such as NIST SP 800-171 for protecting sensitive information in non-federal systems and should incorporate proper cryptographic protocols for secure device communication.