CVE-2025-48706
BaseFortify
Publication date: 2025-06-20
Last updated on: 2025-07-08
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yftech | coros_pace_3_firmware | up to 3.0808.0 (inclusive) |
| yftech | coros_pace_3 | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an out-of-bounds read issue in the COROS PACE 3 smartwatch (up to version 3.0808.0). It occurs when a specially crafted Bluetooth Low Energy (BLE) message is sent to the device. Specifically, sending a short packet with certain bytes causes the device's BLE processing function to miscalculate the data size, leading to reading memory beyond the intended buffer. This triggers a data abort that forces the device to reboot unexpectedly. [1]
How can this vulnerability impact me?
Exploiting this vulnerability causes the COROS PACE 3 smartwatch to reboot unexpectedly. If the exploit occurs during an ongoing activity, it terminates the activity and results in loss of recorded data. This can disrupt the user's experience and potentially cause loss of important fitness or GPS tracking information. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to send a specially crafted BLE message to the COROS PACE 3 device, specifically writing the byte sequence `b900` followed by `0000` to the BLE characteristic with UUID "6e400002-b5a3-f393-e0a9-77656c6f6f70". A practical detection method is to use a BLE client tool or script (e.g., a Python script using the Bleak library) to connect to the device and send these crafted packets. If the device reboots unexpectedly upon receiving this message, it indicates the presence of the vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding exposure of the COROS PACE 3 device to untrusted BLE connections, especially preventing unsolicited BLE messages from unknown devices. Since no fix has been released as of the advisory date, users should limit BLE connectivity or disable BLE when not in use. Monitoring for unexpected device reboots and avoiding use of the device in environments where attackers could send crafted BLE messages are recommended until a manufacturer patch is available. [1]