
CVE-2025-32875: n/a

Severity: Medium
Published: Fri Jun 20 2025 (06/20/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue was discovered in the COROS application through 3.8.12 for Android. Bluetooth pairing and bonding is neither initiated nor enforced by the application itself. Also, the watch does not enforce pairing and bonding. As a result, any data transmitted via BLE remains unencrypted, allowing attackers within Bluetooth range to eavesdrop on the communication. Furthermore, even if a user manually initiates pairing and bonding in the Android settings, the application continues to transmit data without requiring the watch to be bonded. This fallback behavior enables attackers to exploit the communication, for example, by conducting an active machine-in-the-middle attack.

AI-Powered Analysis

Last updated: 06/21/2025, 10:50:06 UTC

Technical Analysis

CVE-2025-32875 identifies a security vulnerability in the COROS Android application (through version 3.8.12), which manages communication with COROS smartwatches over Bluetooth Low Energy (BLE). The core issue is that the application neither initiates nor enforces Bluetooth pairing and bonding, the steps that establish the long-term key used to encrypt the link between the smartwatch and the Android device. The smartwatch itself also does not require pairing or bonding. Consequently, data transmitted over BLE is sent unencrypted and can be intercepted by any attacker within Bluetooth range. Even if the user manually initiates pairing and bonding through the Android system settings, the COROS application does not check the bond state and continues to transmit data without requiring the watch to be bonded. This fallback behavior enables an active man-in-the-middle (MITM) attacker to intercept, modify, or inject data in the communication stream rather than merely eavesdrop on it. The vulnerability affects all versions of the COROS Android app through 3.8.12 and impacts the confidentiality and integrity of data exchanged between the smartwatch and the phone. No patches or mitigations had been officially released at the time of publication, and no exploits have been reported in the wild. However, because neither encryption nor authentication is applied to the link, exploitation requires only Bluetooth proximity, which makes this a critical concern for users who rely on COROS smartwatches to carry sensitive data.
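The fix the analysis implies is a client-side gate: never write to the watch unless the Android bond state is BOND_BONDED, and start bonding instead of falling back to a plaintext write. The following Android Java helper is an added illustration, not COROS code; the class name BondedGattWriter and the method writeIfBonded are hypothetical, and it assumes the caller already holds a connected BluetoothGatt and the BLUETOOTH_CONNECT runtime permission.

```java
import android.bluetooth.BluetoothDevice;
import android.bluetooth.BluetoothGatt;
import android.bluetooth.BluetoothGattCharacteristic;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;

/** Hypothetical helper: gates every GATT write on the peer being bonded. */
public final class BondedGattWriter {
    private final Context context;
    private final BluetoothGatt gatt;

    public BondedGattWriter(Context context, BluetoothGatt gatt) {
        this.context = context.getApplicationContext();
        this.gatt = gatt;
    }

    /** Returns true if the write was issued now; false if the watch is not bonded yet. */
    public boolean writeIfBonded(BluetoothGattCharacteristic ch, byte[] payload) {
        BluetoothDevice dev = gatt.getDevice();
        if (dev.getBondState() == BluetoothDevice.BOND_BONDED) {
            ch.setValue(payload);
            return gatt.writeCharacteristic(ch); // link can be encrypted with the bond's LTK
        }
        // Not bonded: do NOT fall back to a plaintext write (the CVE's fallback behavior).
        // Start bonding once and deliver the payload only after the bond succeeds.
        if (dev.getBondState() == BluetoothDevice.BOND_NONE) {
            context.registerReceiver(new BroadcastReceiver() {
                @Override public void onReceive(Context c, Intent i) {
                    int state = i.getIntExtra(BluetoothDevice.EXTRA_BOND_STATE,
                                              BluetoothDevice.BOND_NONE);
                    if (state == BluetoothDevice.BOND_BONDED) {
                        c.unregisterReceiver(this);
                        ch.setValue(payload);
                        gatt.writeCharacteristic(ch);
                    } else if (state == BluetoothDevice.BOND_NONE) {
                        c.unregisterReceiver(this); // bonding failed or was rejected: send nothing
                    }
                }
            }, new IntentFilter(BluetoothDevice.ACTION_BOND_STATE_CHANGED));
            dev.createBond();
        }
        return false;
    }
}
```

A bond alone does not guarantee that the current connection is encrypted; the watch (the GATT server) must also declare its characteristics with encrypted read/write permissions so the Bluetooth stack refuses unencrypted access, which addresses the second half of the finding, that the watch does not enforce pairing either.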

Potential Impact

For European organizations, especially those in sectors where wearable technology is used for health monitoring, fitness tracking, or workforce management, this vulnerability poses a substantial risk. The unencrypted BLE communication can lead to unauthorized disclosure of sensitive personal or operational data, potentially violating data protection regulations such as GDPR. Attackers within physical proximity could eavesdrop on or manipulate data streams, undermining trust in the device and potentially leading to operational disruptions or privacy breaches. Organizations using COROS devices in corporate wellness programs or employee monitoring could face reputational damage and legal consequences if sensitive employee data is compromised. Moreover, the possibility of active MITM attacks introduces risks of data tampering, which could affect decision-making processes based on inaccurate or maliciously altered data. The vulnerability also raises concerns for sectors like healthcare, where wearable devices might transmit critical biometric data. The lack of encryption and authentication could expose patient data to interception, contravening strict European health data protection laws. Overall, the vulnerability threatens confidentiality, integrity, and availability of data transmitted via COROS smartwatches, with potential cascading effects on organizational security posture and compliance obligations.

Mitigation Recommendations

Given the absence of an official patch, European organizations and users should adopt several practical measures to mitigate this vulnerability:

1) Disable Bluetooth connectivity for COROS devices when not in active use to minimize exposure.
2) Avoid using COROS smartwatches to transmit sensitive or confidential information until a secure update is released.
3) Monitor for updates from COROS and apply patches promptly once available.
4) Employ physical security controls, such as secure storage or restricted access zones, to keep unauthorized individuals out of Bluetooth range of the devices.
5) Use BLE monitoring tools to detect anomalous BLE activity or potential MITM attempts in environments where COROS devices are deployed.
6) Consider deploying alternative wearable solutions with verified secure BLE implementations for critical use cases.
7) Educate users on the risks of unencrypted BLE communication and encourage them to check the pairing and bonding status of their devices.
8) For organizations with mobile device management (MDM) solutions, enforce policies that restrict or monitor the installation and use of vulnerable COROS app versions.

These mitigations focus on operational controls, user awareness, and proactive monitoring tailored to the nature of the vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-11T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68556d5d7ff74dad36a66948

Added to database: 6/20/2025, 2:17:01 PM

Last enriched: 6/21/2025, 10:50:06 AM

Last updated: 8/17/2025, 5:56:31 PM
