CVE-2025-32880
BaseFortify
Publication date: 2025-06-20
Last updated on: 2025-07-08
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yftech | coros_pace_3_firmware | to 3.0808.0 (inc) |
| yftech | coros_pace_3 | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-319 | The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in COROS PACE 3 devices involves downloading firmware files over WLAN using unencrypted HTTP connections. This means that when the watch connects to a WLAN, it fetches firmware components like GUI fonts, system OTA binaries, and Bluetooth firmware without encryption. As a result, an attacker on the same network can intercept (sniff) and manipulate the firmware data being transferred, performing man-in-the-middle attacks. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker controlling the WLAN network to eavesdrop on the firmware data being downloaded by the watch and potentially tamper with it. This could lead to unauthorized modification of the device's firmware, which might compromise device integrity, security, and functionality. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the network traffic of the COROS PACE 3 device when it is connected to WLAN. Specifically, you can capture and analyze HTTP GET requests to the host s3eu.coros.com that download firmware components such as GUI font bitmaps, system OTA binaries, and Bluetooth firmware. Using a network traffic analyzer like Wireshark, you can filter for HTTP traffic from the device's IP address to detect unencrypted firmware downloads. For example, you can use the command `tshark -i <interface> -Y "http.request and ip.addr == <device_ip> and http.host == \"s3eu.coros.com\""` to display the device's HTTP requests to that host. [1]
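The check described above can be automated over exported capture data. The following is an added example, not code from the advisory or the vendor: it assumes the capture was exported with tshark's `-T fields` output as shown in the comment, and the sample rows, IP addresses and URI paths are constructed placeholders.

```python
# Added example: flag cleartext HTTP firmware fetches in tshark field output.
# Assumed export command (tab-separated, one HTTP request per row):
#   tshark -r capture.pcapng -Y http.request -T fields \
#     -e ip.src -e http.host -e http.request.method -e http.request.uri
# tshark only dissects HTTP it can read, so every row is an unencrypted request.
from collections import defaultdict

FIRMWARE_HOST = "s3eu.coros.com"  # host named in the answer above

# Constructed sample rows; IPs and URI paths are placeholders, not real values.
SAMPLE = "\n".join([
    "192.0.2.23\ts3eu.coros.com\tGET\t/placeholder/system_ota.bin",
    "192.0.2.23\tS3EU.COROS.COM:80\tGET\t/placeholder/gui_font.bin",
    "192.0.2.23\ts3eu.coros.com\tHEAD\t/placeholder/ble_fw.bin",
    "192.0.2.50\texample.org\tGET\t/index.html",
    "192.0.2.23\ts3eu.coros.com.example.net\tGET\t/lookalike",
    "truncated-row-without-enough-fields",
])


def normalise_host(value):
    """Lower-case the Host header, drop an optional :port and trailing dot."""
    return value.strip().lower().split(":", 1)[0].rstrip(".")


def find_cleartext_fetches(tshark_rows, device_ip=None):
    """Return {src_ip: [uri, ...]} for plain-HTTP GETs to the firmware host."""
    hits = defaultdict(list)
    for row in tshark_rows.splitlines():
        fields = row.split("\t")
        if len(fields) != 4:
            continue  # skip malformed or truncated rows
        src, host, method, uri = fields
        if device_ip and src != device_ip:
            continue  # optional: restrict to the watch's address
        # Exact match after normalisation, so look-alike hosts are not counted.
        if normalise_host(host) == FIRMWARE_HOST and method.upper() == "GET":
            hits[src].append(uri)
    return dict(hits)


if __name__ == "__main__":
    for src, uris in find_cleartext_fetches(SAMPLE).items():
        print(f"{src}: {len(uris)} cleartext firmware request(s)")
        for uri in uris:
            print("   ", uri)
```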
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding connecting the COROS PACE 3 device to untrusted or public WLAN networks where an attacker could perform man-in-the-middle attacks. Use trusted and secure WLAN environments to reduce the risk of interception. Since the manufacturer has not implemented a fix and has no plans to address the vulnerability, users should be cautious about firmware updates over WLAN and consider disabling WLAN connectivity if possible until a secure update mechanism is available. [1]