
CVE-2025-32878: n/a

Critical
Published: Fri Jun 20 2025 (06/20/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue was discovered on COROS PACE 3 devices through 3.0808.0. It implements a function to connect the watch to a WLAN. This function is mainly for downloading firmware files. Before downloading firmware files, the watch requests some information about the firmware via HTTPS from the back-end API. However, the X.509 server certificate within the TLS handshake is not validated by the device. This allows an attacker within an active machine-in-the-middle position, using a TLS proxy and a self-signed certificate, to eavesdrop and manipulate the HTTPS communication. This could be abused, for example, for stealing the API access token of the assigned user account.

AI-Powered Analysis

AI analysis last updated: 06/20/2025, 14:02:39 UTC

Technical Analysis

CVE-2025-32878 is a security vulnerability in COROS PACE 3 smartwatches running firmware up to and including version 3.0808.0. The device can join a WLAN, mainly to download firmware files; before a download it requests firmware information from the back-end API over HTTPS. During that TLS handshake the device does not validate the X.509 server certificate, so an attacker in a man-in-the-middle (MitM) position can terminate the connection with a TLS proxy presenting a self-signed or otherwise invalid certificate and the watch will accept it. The attacker can then read and modify the HTTPS traffic between the watch and the back-end API, including the API access token of the user account assigned to the device. A stolen token could be used to impersonate the user or to gain unauthorized access to back-end services. The flaw affects the confidentiality and integrity of the communication channel, and it is a fundamental cryptographic failure: without server authentication, the encryption TLS provides protects against passive observers only and gives no guarantee about who is on the other end. No known exploits have been reported in the wild as of the publication date, and no patches or mitigations have been officially released yet.

Potential Impact

For European organizations, especially those in the sports, fitness, or health sectors where COROS PACE 3 devices might be used in employee wellness programs or customer engagement, this vulnerability puts user data confidentiality and system integrity at risk. An attacker exploiting it could intercept sensitive user information or hijack user sessions by stealing API tokens, potentially gaining unauthorized access to personal health data or to corporate systems integrated with the device's back-end services. That could lead to privacy violations, regulatory non-compliance (e.g., GDPR breaches), reputational damage, and financial losses. In addition, because the unvalidated connection is the one used to fetch firmware information before a download, an attacker able to manipulate that exchange could attempt to steer the device towards malicious firmware, compromising device functionality or creating persistent backdoors. The impact therefore extends beyond individual users to organizational security posture, especially where such devices join enterprise networks or are used in critical operational contexts.

Mitigation Recommendations

To mitigate this vulnerability, organizations and users should:

1) Immediately restrict the use of COROS PACE 3 devices on sensitive or enterprise networks until a firmware update is available.
2) Monitor network traffic for unusual TLS connections or attempts to intercept device communications, employing network intrusion detection systems (NIDS) with TLS anomaly detection capabilities.
3) Employ network segmentation to isolate IoT and wearable devices from critical infrastructure.
4) Encourage COROS to release a firmware update that enforces strict X.509 certificate validation, including certificate chain verification and revocation checks.
5) Use endpoint security solutions that can detect abnormal behavior on devices, such as unexpected API token usage or unauthorized firmware downloads.
6) Educate users about the risks of connecting devices to untrusted or public Wi-Fi networks, which are common vectors for MitM attacks.
7) Where possible, implement multi-factor authentication and token expiration policies on back-end APIs to limit the impact of stolen tokens.
8) Conduct regular security assessments of IoT devices and their communication protocols to identify and remediate similar weaknesses proactively.
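As an added illustration (not COROS firmware, and not code from this page), the Python below places a TLS client configuration with the weakness the description attributes to the watch, a negotiated TLS session whose server certificate is never validated, beside a hardened client that enforces chain validation and hostname matching as mitigation item 4 asks for, plus an optional certificate pin. The audit helper and pin functions are assumptions added for the example.

```python
"""Added example: insecure vs. hardened TLS client configuration for an
embedded HTTPS client. Not COROS code; the helpers are assumptions."""
import hashlib
import hmac
import ssl
from typing import List, Optional


def insecure_context() -> ssl.SSLContext:
    """The failure class in CVE-2025-32878: TLS is negotiated, but the server
    certificate is never validated, so a TLS proxy presenting a self-signed
    certificate is accepted and can read or rewrite the API exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted
    return ctx


def hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Verify the chain against a trust store and match the subject against
    the server_hostname given at connect time; a device should ship a small
    fixed CA bundle (ca_bundle) instead of trusting an arbitrary platform store."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings a review of a client context would raise (assumed helper)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate subject is not matched against the API host")
    return findings


def cert_sha256(der_cert: bytes) -> str:
    """Hex SHA-256 of a DER certificate, the value a firmware would pin."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_hex: str) -> bool:
    """Constant-time check of the presented certificate against the pin; run
    it after chain validation on sock.getpeercert(binary_form=True)."""
    return hmac.compare_digest(cert_sha256(der_cert), expected_hex.lower())
```

A pin on the leaf or issuing CA certificate is what stops a self-signed proxy certificate even when the device's trust store is later enlarged; rotate the pin with each firmware release that changes the back-end certificate.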


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-11T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 685566507ff74dad36a6574a

Added to database: 6/20/2025, 1:46:56 PM

Last enriched: 6/20/2025, 2:02:39 PM

Last updated: 8/15/2025, 4:43:26 PM
