CVE-2025-32877: n/a
An issue was discovered on COROS PACE 3 devices through 3.0808.0. It identifies itself as a device without input or output capabilities, which results in the use of the Just Works pairing method. This method does not implement any authentication, which therefore allows machine-in-the-middle attacks. Furthermore, this lack of authentication allows attackers to interact with the device via BLE without requiring prior authorization.
AI Analysis
Technical Summary
CVE-2025-32877 affects COROS PACE 3 watches running firmware through 3.0808.0. The defect is in how the watch negotiates Bluetooth Low Energy (BLE) pairing. During the Security Manager Protocol (SMP) feature exchange, the watch reports its IO capability as NoInputNoOutput even though it has a screen and buttons. Under the Bluetooth Core Specification, a NoInputNoOutput value on either side forces the Just Works association model regardless of what the phone offers, so the phone's own KeyboardDisplay capability cannot raise the security level. Just Works performs no authentication of the peer. With LE legacy pairing the Temporary Key is zero, so a passive sniffer of the pairing exchange can derive the Short Term Key and decrypt the session. With LE Secure Connections the ECDH exchange resists passive sniffing, but nothing ties the exchanged public keys to a user-verified value, so an active attacker within range at pairing time can interpose between watch and phone and relay, read and modify everything that follows. In both cases the resulting key is unauthenticated, which is what the advisory's "machine-in-the-middle" wording refers to. The same absence of authentication means any BLE central in range can pair with the watch on its own and interact with the GATT services it exposes; no confirmation is shown on the watch. The result is loss of confidentiality and integrity for data exchanged over BLE, which for a sports watch includes activity, heart-rate and location records, notifications and settings. The advisory describes no availability impact. As of the dates on this record, COROS has published no firmware fix and no exploitation in the wild has been reported.
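To make the selection rule concrete, the following is an added example written for this page (it is not COROS code or Bluetooth SIG code). It parses the 7-byte SMP Pairing Request and Pairing Response PDUs and applies the association-model rules from Bluetooth Core Spec Vol 3, Part H, then reports what the negotiated pairing gives the link. The two sample PDUs are constructed for illustration and are not a capture from a PACE 3; the phone-side values are assumptions.

```python
"""Decode BLE SMP Pairing Request / Pairing Response PDUs and derive the
association model the two devices will end up using.

Field layout and model-selection rules follow the Bluetooth Core
Specification, Vol 3, Part H (Security Manager). The sample PDUs at the
bottom are CONSTRUCTED for illustration (hypothetical values), not a
capture from a COROS PACE 3.
"""
from dataclasses import dataclass

SMP_PAIRING_REQUEST = 0x01
SMP_PAIRING_RESPONSE = 0x02

IO_CAPS = {
    0x00: "DisplayOnly",
    0x01: "DisplayYesNo",
    0x02: "KeyboardOnly",
    0x03: "NoInputNoOutput",
    0x04: "KeyboardDisplay",
}
AUTHREQ_BONDING = 0x01
AUTHREQ_MITM = 0x04   # device requests MITM protection
AUTHREQ_SC = 0x08     # device supports LE Secure Connections


@dataclass(frozen=True)
class PairingFeatures:
    code: int
    io_cap: str
    oob: bool
    bonding: bool
    mitm: bool
    sc: bool
    max_key_size: int


def parse_pairing_pdu(pdu: bytes) -> PairingFeatures:
    """Parse a Pairing Request/Response: opcode, IO cap, OOB flag, AuthReq,
    max key size, initiator key dist, responder key dist (7 bytes)."""
    if len(pdu) != 7 or pdu[0] not in (SMP_PAIRING_REQUEST, SMP_PAIRING_RESPONSE):
        raise ValueError("not an SMP Pairing Request/Response PDU")
    if pdu[1] not in IO_CAPS:
        raise ValueError(f"reserved IO capability 0x{pdu[1]:02x}")
    if not 7 <= pdu[4] <= 16:
        raise ValueError(f"invalid maximum encryption key size {pdu[4]}")
    authreq = pdu[3]
    return PairingFeatures(
        code=pdu[0],
        io_cap=IO_CAPS[pdu[1]],
        oob=bool(pdu[2] & 0x01),
        bonding=bool(authreq & AUTHREQ_BONDING),
        mitm=bool(authreq & AUTHREQ_MITM),
        sc=bool(authreq & AUTHREQ_SC),
        max_key_size=pdu[4],
    )


def association_model(req: PairingFeatures, rsp: PairingFeatures) -> str:
    """Apply the spec's selection rules (initiator = req, responder = rsp)."""
    sc = req.sc and rsp.sc                  # SC is used only if both support it
    # OOB is checked first: SC needs OOB data on either side, legacy on both.
    if (req.oob or rsp.oob) if sc else (req.oob and rsp.oob):
        return "Out of Band"
    # If neither side asks for MITM protection, IO capabilities are ignored.
    if not (req.mitm or rsp.mitm):
        return "Just Works"
    a, b = req.io_cap, rsp.io_cap
    # A NoInputNoOutput peer forces Just Works whatever the other side offers.
    if "NoInputNoOutput" in (a, b):
        return "Just Works"
    yes_no = ("DisplayYesNo", "KeyboardDisplay")
    if sc and a in yes_no and b in yes_no:
        return "Numeric Comparison"
    display_only = ("DisplayOnly", "DisplayYesNo")
    if a in display_only and b in display_only:
        return "Just Works"
    return "Passkey Entry"


def assess_pairing(req_pdu: bytes, rsp_pdu: bytes) -> dict:
    """Summarise what the negotiated pairing gives the link."""
    req, rsp = parse_pairing_pdu(req_pdu), parse_pairing_pdu(rsp_pdu)
    if req.code != SMP_PAIRING_REQUEST or rsp.code != SMP_PAIRING_RESPONSE:
        raise ValueError("expected a Pairing Request followed by a Pairing Response")
    model = association_model(req, rsp)
    sc = req.sc and rsp.sc
    return {
        "model": model,
        "secure_connections": sc,
        # Just Works never yields an authenticated key: no MITM protection.
        "mitm_protected": model != "Just Works",
        # Legacy Just Works uses TK = 0, so a passive sniffer of the pairing
        # recovers the STK; SC Just Works resists passive sniffing (ECDH) but
        # not an active attacker present at pairing time.
        "passive_sniff_recovers_key": model == "Just Works" and not sc,
        "key_size": min(req.max_key_size, rsp.max_key_size),
        "responder_io_cap": rsp.io_cap,
    }


# Constructed sample (not a real capture): phone (initiator) offers
# KeyboardDisplay and asks for bonding + MITM + SC; watch (responder) reports
# NoInputNoOutput with bonding + SC and no MITM request.
PHONE_PAIRING_REQUEST = bytes([0x01, 0x04, 0x00, 0x2D, 0x10, 0x0F, 0x0F])
WATCH_PAIRING_RESPONSE = bytes([0x02, 0x03, 0x00, 0x09, 0x10, 0x0F, 0x0F])

if __name__ == "__main__":
    for key, value in assess_pairing(PHONE_PAIRING_REQUEST, WATCH_PAIRING_RESPONSE).items():
        print(f"{key}: {value}")
```

Feeding it the two PDUs from a btmon or Wireshark trace of a real pairing is the quickest way to see which model a device actually negotiates: if the responder's IO capability byte is 0x03, the outcome is Just Works no matter what the phone requested.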
Potential Impact
For European organisations that issue COROS PACE 3 watches, for example in sports, health or employee wellness programmes, the exposure is the data and controls the watch offers over BLE. Confidentiality: an attacker in range at pairing time can sit between watch and phone and read synced activity, heart-rate and location data, and any BLE central in range can pair with the watch directly and read whatever its GATT services expose, with no prompt on the watch. Integrity: the same position allows modifying or injecting what is exchanged, so metrics reaching the phone or settings pushed to the watch can be tampered with. The advisory describes no availability impact, although an attacker holding a connection to the watch may interfere with normal syncing. Because the data is biometric and location data about an identifiable person, unauthorised access is a personal data breach under GDPR, with the associated notification duties and potential penalties. The attack needs radio proximity (tens of metres for BLE) rather than physical contact, so gyms, public transport and shared offices are realistic settings, and no user interaction on the watch is required for an attacker to connect. The advisory describes no path from the watch into other systems; assess this as a data-protection and device-integrity issue unless your own review of how the watch and its companion app are deployed finds otherwise.
Mitigation Recommendations
To mitigate this vulnerability, European organisations and users should: 1) Watch the COROS release notes for a firmware version later than 3.0808.0 that changes the pairing behaviour and install it through the COROS app as soon as it is available; the running version is shown in the watch's system settings. 2) Pair the watch with its phone in a private setting and only once; the MITM attack requires the attacker to be within BLE range during the pairing exchange, so not pairing in public removes that opportunity (it does not stop direct connections to an advertising watch). 3) Turn off Bluetooth on the watch when syncing is not needed, which removes both the advertising surface and the chance of an unsolicited connection. 4) Check the phone's list of bonded Bluetooth devices and remove any entry you do not recognise; on a Linux host with BlueZ, running btmon during a pairing shows the SMP Pairing Response with the watch's IO capability, which is a direct way to confirm whether a firmware update actually stopped the watch from reporting NoInputNoOutput. 5) Tell users that the watch never asks them to confirm a code or accept a pairing, so an attack produces no prompt; any unexpected connection, data or behaviour should be reported rather than dismissed. 6) Treat metrics synced from these watches as untrusted input for any process with safety, medical or compliance consequences until the pairing is authenticated. 7) In regulated environments, record the issue in the risk register, classify the BLE-synced data as personal health data under GDPR, and include BLE sniffing and rogue-central scenarios in incident response planning. 8) If a fix is not available within an acceptable time, prefer devices whose pairing uses Numeric Comparison or Passkey Entry, which require an attacker to defeat a user-visible check.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium, Poland, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-04-11T00:00:00.000Z
- CVSS Version: null (no CVSS score assigned)
- State: PUBLISHED
Threat ID: 685569cf7ff74dad36a660e0
Added to database: 6/20/2025, 2:01:51 PM
Last enriched: 6/20/2025, 2:17:36 PM
Last updated: 8/13/2025, 7:55:13 AM