CVE-2025-32878
BaseFortify
Publication date: 2025-06-20
Last updated on: 2025-07-08
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yftech | coros_pace_3_firmware | up to 3.0808.0 (inclusive) |
| yftech | coros_pace_3 | * (all hardware) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects COROS PACE 3 smartwatches up to firmware version 3.0808.0. The device fails to properly validate the X.509 server certificate during the TLS handshake when connecting via HTTPS to its back-end API to request firmware information. Because of this improper certificate validation, an attacker positioned as a man-in-the-middle (MITM) can use a TLS proxy with a self-signed certificate to intercept, eavesdrop on, and manipulate the HTTPS communication between the watch and the server. This allows the attacker to steal sensitive data such as the API access token of the user account. [1]
How can this vulnerability impact me?
The vulnerability can lead to severe security impacts including the compromise of user accounts by stealing API access tokens. An attacker in a MITM position can intercept and manipulate communications between the watch and the back-end API, potentially leading to unauthorized access, data theft, and manipulation of firmware update processes. This can result in loss of confidentiality, integrity, and availability of the device and user data. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTPS traffic from the COROS PACE 3 device to its back-end API, specifically looking for TLS connections where the server certificate is not properly validated. A proof of concept involves setting up a TLS proxy (e.g., stunnel or certmitm) with a self-signed certificate to intercept and analyze the HTTPS traffic. You can use network traffic analysis tools like Wireshark or tcpdump to capture traffic and look for HTTP/2 POST requests to the endpoint `/coros/ota/query` containing headers such as `Accesstoken` and JSON payload with firmware and device identifiers. Commands to capture traffic might include: `tcpdump -i <interface> host <device_ip> and port 443 -w capture.pcap` and then analyze with Wireshark. Additionally, setting up a TLS proxy to test interception can confirm the vulnerability. [1]
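One way to turn the monitoring described above into a check, as an added example (not code from BaseFortify or COROS): it scans Zeek-style ssl.log records for sessions to the watch's back-end API host that were established even though the server certificate was untrusted or self-signed. The log lines, the field layout and the API host name are constructed assumptions.

```python
"""Flag TLS sessions to the back-end API that completed despite an untrusted
(e.g. self-signed) server certificate, i.e. the CWE-295 failure mode.
Constructed input; Zeek-style ssl.log field subset is an assumption."""
from dataclasses import dataclass

# Assumed tab-separated field order of the constructed records.
FIELDS = ["ts", "orig_h", "resp_h", "server_name", "subject", "issuer",
          "validation_status", "established"]

# Placeholder: the page does not name the real API host.
API_HOSTS = {"api.example-vendor.invalid"}

# Constructed sample: a proper session, a self-signed MITM session that the
# client accepted, a MITM attempt the client rejected, and an unrelated host.
SAMPLE_LOG = (
    "1718870000.1\t192.168.1.20\t203.0.113.10\tapi.example-vendor.invalid\t"
    "CN=api.example-vendor.invalid\tCN=Example Public CA\tok\tT\n"
    "1718870010.2\t192.168.1.20\t192.168.1.99\tapi.example-vendor.invalid\t"
    "CN=api.example-vendor.invalid\tCN=api.example-vendor.invalid\t"
    "self signed certificate\tT\n"
    "1718870020.3\t192.168.1.20\t192.168.1.99\tapi.example-vendor.invalid\t"
    "CN=mitm\tCN=mitm\tunable to get local issuer certificate\tF\n"
    "1718870030.4\t192.168.1.21\t198.51.100.7\tupdates.other.invalid\t"
    "CN=other\tCN=other\tself signed certificate\tT\n"
)


@dataclass
class Finding:
    ts: str
    client: str
    server: str
    reason: str


def find_untrusted_sessions(log_text: str, api_hosts=API_HOSTS) -> list:
    """Return sessions to an API host that completed with a bad certificate."""
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split("\t")))
        if rec["server_name"] not in api_hosts:
            continue
        if rec["established"] != "T":
            continue  # handshake aborted: the client rejected the certificate
        reasons = []
        if rec["validation_status"] != "ok":
            reasons.append("validation_status=" + rec["validation_status"])
        if rec["subject"] == rec["issuer"]:
            reasons.append("self-signed (subject == issuer)")
        if reasons:
            findings.append(Finding(rec["ts"], rec["orig_h"], rec["resp_h"],
                                    "; ".join(reasons)))
    return findings
```

A hit means the client accepted an untrusted chain and went on to send application data, which is exactly the behaviour a fixed firmware should never show.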
What immediate steps should I take to mitigate this vulnerability?
As of the disclosure date, no fix has been released by the manufacturer. Immediate mitigation steps include avoiding connecting the COROS PACE 3 device to untrusted or public WLAN networks where a man-in-the-middle attack could be performed. Monitoring network traffic for suspicious TLS interception attempts and limiting the device's network exposure can reduce risk. Await the manufacturer's planned fix expected by the end of 2025 and apply updates once available. [1]