CVE-2025-32876
BaseFortify

Publication date: 2025-06-20

Last updated on: 2025-07-08

Assigner: MITRE

Description
An issue was discovered on COROS PACE 3 devices through 3.0808.0. The BLE implementation of the COROS smartwatch does not support LE Secure Connections and instead enforces BLE Legacy Pairing. In BLE Legacy Pairing, the Short-Term Key (STK) can be easily guessed. This requires knowledge of the Temporary Key (TK), which, in the case of the COROS Pace 3, is set to 0 due to the Just Works pairing method. An attacker within Bluetooth range can therefore perform sniffing attacks, allowing eavesdropping on the communication.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-06-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor   Product                Version / Range
yftech   coros_pace_3_firmware  up to 3.0808.0 (inclusive)
yftech   coros_pace_3           *
CWE
CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in COROS PACE 3 devices (version ≤ 3.0808.0) is due to their Bluetooth Low Energy (BLE) implementation using Legacy Pairing instead of the more secure LE Secure Connections. In Legacy Pairing, the Short-Term Key (STK) used to encrypt communication is derived from a Temporary Key (TK), which in this device is fixed to 0 because of the 'Just Works' pairing method. This makes it easy for an attacker within Bluetooth range to guess the STK and passively sniff or eavesdrop on the BLE communication between the smartwatch and other devices. [1]


How can this vulnerability impact me?

This vulnerability allows an attacker within Bluetooth range to perform passive sniffing attacks on the COROS PACE 3 smartwatch's BLE communication. Because the encryption key can be easily guessed, sensitive data transmitted over Bluetooth could be intercepted and read by unauthorized parties, potentially leading to privacy breaches or exposure of personal information. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring BLE pairing processes to check if the device falls back to Legacy Pairing instead of using LE Secure Connections. Specifically, during the BLE Security Manager Protocol (SMP) pairing, if the device responds with Secure Connections and MITM flags disabled despite the client requesting them, it indicates the vulnerability. Commands or tools that capture and analyze BLE traffic, such as 'hcidump' or 'btmon' on Linux, can be used to sniff BLE packets and observe the pairing method. For example, running 'sudo btmon' while initiating pairing with the COROS PACE 3 device can reveal if Legacy Pairing is used. [1]
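A defender-side check for the pairing-response test described in the answer above, added here as an example and not part of the BaseFortify record: it decodes the 7-byte SMP Pairing Request and Pairing Response payloads (the fields btmon shows during pairing), applies the Core Specification's rules for whether LE Secure Connections and the Just Works method were negotiated, and flags the Legacy Pairing + Just Works combination in which TK is 0. The two PDUs are constructed sample values, not a capture from a COROS device.

```python
"""Decode SMP Pairing Request/Response PDUs and flag a Legacy Pairing + Just Works fallback."""

AUTH_MITM, AUTH_SC = 0x04, 0x08          # AuthReq bits (Core Spec Vol 3 Part H, 3.5.1)
IO_NO_INPUT_NO_OUTPUT = 0x03
IO_DISPLAY_CLASS = {0x00, 0x01}          # DisplayOnly, DisplayYesNo
PAIRING_REQUEST, PAIRING_RESPONSE = 0x01, 0x02

def parse_pairing_pdu(pdu: bytes, expected_code: int) -> dict:
    """Parse the 7-byte SMP Pairing Request (0x01) or Pairing Response (0x02) payload."""
    if len(pdu) != 7 or pdu[0] != expected_code:
        raise ValueError(f"expected SMP code {expected_code:#04x}, got {pdu[:1].hex() or 'empty'}")
    io_cap, oob_flag, auth_req = pdu[1], pdu[2], pdu[3]
    if io_cap > 0x04:
        raise ValueError(f"reserved IO capability {io_cap:#04x}")
    return {"io_cap": io_cap, "oob": oob_flag == 0x01,
            "mitm": bool(auth_req & AUTH_MITM), "sc": bool(auth_req & AUTH_SC)}

def legacy_just_works(req: dict, rsp: dict) -> bool:
    """Legacy Pairing method selection (Core Spec Vol 3 Part H, 2.3.5.1): True means Just Works, TK = 0."""
    if req["oob"] and rsp["oob"]:
        return False                      # OOB method: TK comes from the out-of-band channel
    if not (req["mitm"] or rsp["mitm"]):
        return True                       # neither side asked for MITM protection: IO caps ignored
    # Legacy IO-capability table: NoInputNoOutput on either side, or two display-only-class devices
    caps = {req["io_cap"], rsp["io_cap"]}
    return IO_NO_INPUT_NO_OUTPUT in caps or caps <= IO_DISPLAY_CLASS

def assess_pairing(request: bytes, response: bytes) -> dict:
    """Summarise what the responder negotiated; 'eavesdroppable' is the CVE-2025-32876 condition."""
    req = parse_pairing_pdu(request, PAIRING_REQUEST)
    rsp = parse_pairing_pdu(response, PAIRING_RESPONSE)
    secure_connections = req["sc"] and rsp["sc"]   # SC is used only when BOTH sides set the flag
    just_works = not secure_connections and legacy_just_works(req, rsp)
    return {
        "secure_connections": secure_connections,
        "sc_refused_by_responder": req["sc"] and not rsp["sc"],
        "mitm_refused_by_responder": req["mitm"] and not rsp["mitm"],
        "eavesdroppable": just_works,        # legacy STK derived from a TK of 0
    }

# Constructed sample exchange (not captured from a real device): the central asks for bonding,
# MITM and SC with KeyboardDisplay IO; the peripheral answers bonding only, NoInputNoOutput.
CENTRAL_REQUEST = bytes.fromhex("01 04 00 0d 10 0f 0f")
PERIPHERAL_RESPONSE = bytes.fromhex("02 03 00 01 10 00 01")

if __name__ == "__main__":
    for key, value in assess_pairing(CENTRAL_REQUEST, PERIPHERAL_RESPONSE).items():
        print(f"{key}: {value}")
```

btmon already decodes these fields by name in its SMP output; the parser is for the raw PDU bytes taken from a capture file or a sniffer log.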


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include avoiding pairing the COROS PACE 3 device in environments where attackers could be within Bluetooth range, as the BLE Legacy Pairing with a fixed Temporary Key '0' allows passive eavesdropping. Limit Bluetooth range exposure by disabling Bluetooth when not in use and avoid using the device in public or untrusted areas. Since no fix is currently available, monitor for firmware updates from the manufacturer and apply them once released. [1]

