CVE-2025-32875

5.7 MEDIUM
Published: June 20, 2025 Modified: April 15, 2026
View on NVD

Description

An issue was discovered in the COROS application through 3.8.12 for Android. Bluetooth pairing and bonding is neither initiated nor enforced by the application itself. Also, the watch does not enforce pairing and bonding. As a result, any data transmitted via BLE remains unencrypted, allowing attackers within Bluetooth range to eavesdrop on the communication. Furthermore, even if a user manually initiates pairing and bonding in the Android settings, the application continues to transmit data without requiring the watch to be bonded. This fallback behavior enables attackers to exploit the communication, for example, by conducting an active machine-in-the-middle attack.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://support.coros.com/hc/en-us/categories/4416357319956-Software-Updates
Source: cve@mitre.org
https://syss.de
Source: cve@mitre.org
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-025.txt
Source: cve@mitre.org

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
5.7 / 10.0
EPSS (Exploit Probability)
0.0%
13th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-287 CWE-311

Related CVEs

CVE-2026-41279 N/A
CVE-2026-41278 N/A
CVE-2026-41277 N/A
CVE-2026-41276 N/A
CVE-2026-41275 N/A