Vulnerability Description
An issue was discovered on COROS PACE 3 devices through 3.0808.0. It implements a function to connect the watch to a WLAN. This function is mainly for downloading firmware files. Before downloading firmware files, the watch requests some information about the firmware via HTTPS from the back-end API. However, the X.509 server certificate within the TLS handshake is not validated by the device. This allows an attacker within an active machine-in-the-middle position, using a TLS proxy and a self-signed certificate, to eavesdrop and manipulate the HTTPS communication. This could be abused, for example, for stealing the API access token of the assigned user account.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Yftech | Coros Pace 3 Firmware | <= 3.0808.0 |
| Yftech | Coros Pace 3 | - |
Related Weaknesses (CWE)
References
- https://support.coros.com/hc/en-us/articles/20087694119828-COROS-PACE-3-Release-Release Notes
- https://syss.deThird Party Advisory
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-030.tExploitThird Party Advisory
FAQ
What is CVE-2025-32878?
CVE-2025-32878 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An issue was discovered on COROS PACE 3 devices through 3.0808.0. It implements a function to connect the watch to a WLAN. This function is mainly for downloading firmware files. Before downloading fi...
How severe is CVE-2025-32878?
CVE-2025-32878 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-32878?
Check the references section above for vendor advisories and patch information. Affected products include: Yftech Coros Pace 3 Firmware, Yftech Coros Pace 3.