CVE-2025-32879 in PACE 3info

Summary

by MITRE • 06/20/2025

An issue was discovered on COROS PACE 3 devices through 3.0808.0. It starts advertising if no device is connected via Bluetooth. This allows an attacker to connect with the device via BLE if no other device is connected. While connected, none of the BLE services and characteristics of the device require any authentication or security level. Therefore, any characteristic, depending on their mode of operation (read/write/notify), can be used by the connected attacker. This allows, for example, configuring the device, sending notifications, resetting the device to factory settings, or installing software.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 06/24/2025

The COROS PACE 3 device presents a critical security vulnerability in its Bluetooth Low Energy implementation that fundamentally undermines the device's operational integrity and user safety. This vulnerability affects firmware versions through 3.0808.0 and stems from a design flaw where the device automatically begins advertising when no active Bluetooth connection exists. The device's failure to enforce proper authentication mechanisms during the BLE connection phase creates an exploitable entry point that allows unauthorized attackers to establish connections without any form of security verification. This behavior directly violates fundamental security principles that require authentication and authorization before granting access to device functionalities. The vulnerability operates at the network level and represents a significant weakness in the device's security architecture, as it enables passive attack vectors that do not require active user interaction or physical proximity beyond the BLE range.

The technical flaw manifests through the absence of required security levels for all BLE services and characteristics when a connection is established. This configuration creates a scenario where any authenticated or unauthenticated attacker who successfully connects to the device can manipulate any characteristic regardless of its intended operational mode. The vulnerability enables attackers to perform a wide range of malicious activities including device configuration changes, notification manipulation, factory reset operations, and even firmware installation processes. The lack of access control lists or privilege verification mechanisms means that all BLE characteristics are exposed to potential exploitation, creating a comprehensive attack surface that can be leveraged for complete device compromise. This vulnerability directly maps to CWE-310, which addresses cryptographic weaknesses, and specifically relates to the absence of proper authentication and authorization controls in the BLE stack implementation.

The operational impact of this vulnerability extends far beyond simple data exposure, as it allows for complete device control and potential compromise of user data and safety. An attacker who establishes a connection can effectively take control of the device's operational parameters, potentially altering GPS tracking settings, modifying user preferences, or disabling critical safety features during outdoor activities. The ability to reset the device to factory settings creates a persistent threat vector where an attacker can repeatedly compromise the device and restore it to a known vulnerable state. Firmware installation capabilities present the most severe risk, as they enable attackers to install malicious software or backdoors that could persist across device reboots and updates. This vulnerability particularly affects outdoor and fitness applications where device reliability and data integrity are paramount, creating potential safety risks for users relying on accurate tracking and operational functionality.

Security mitigations for this vulnerability should focus on implementing proper BLE security mechanisms including mandatory authentication, encryption, and access control enforcement. Device manufacturers should implement secure pairing protocols that require user interaction before establishing connections and enforce minimum security levels for all BLE services. The device should be configured to disable automatic advertising when connected to authorized devices and implement connection timeout mechanisms to prevent unauthorized access. Network segmentation and device isolation techniques should be employed to limit the attack surface and prevent lateral movement if a device is compromised. Additionally, regular security audits and penetration testing should be conducted to identify and remediate similar vulnerabilities in the device's communication stack. The implementation of these controls aligns with ATT&CK framework tactics related to initial access and privilege escalation, ensuring that the device maintains proper security boundaries and prevents unauthorized modification of critical operational parameters.

Responsible

MITRE

Reservation

04/11/2025

Disclosure

06/20/2025

Moderation

accepted

CPE

ready

EPSS

0.00466

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!