CVE-2025-32879 is a security vulnerability identified in COROS PACE 3 wearable devices running firmware versions up to 3.0808.0. The vulnerability arises from the device's Bluetooth Low Energy (BLE) behavior when no other device is connected: it begins advertising itself and allows any attacker within range to establish a BLE connection without requiring authentication or any security measures. Once connected, the attacker gains unrestricted access to all BLE services and characteristics exposed by the device. These characteristics can be read, written to, or subscribed for notifications without any security checks. This lack of authentication enables an attacker to perform a range of malicious actions including reconfiguring device settings, sending arbitrary notifications to the device, resetting it to factory defaults, or even installing unauthorized software. The vulnerability stems from an insecure BLE implementation that fails to enforce authentication or encryption on sensitive operations, effectively allowing full control over the device by any nearby adversary when the device is not already connected to a trusted device. No patches or mitigations have been officially published as of the vulnerability disclosure date (June 20, 2025), and no known exploits have been reported in the wild yet. The vulnerability affects all devices running the specified firmware or earlier, with no specific affected versions detailed. The issue is significant given the potential for attackers to manipulate device behavior, compromise user data, or disrupt device functionality remotely via BLE without user interaction or prior authentication.

For European organizations, especially those involved in sports, fitness, health monitoring, or employee wellness programs that utilize COROS PACE 3 devices, this vulnerability poses several risks. The ability for an attacker to connect and control the device remotely could lead to unauthorized access to sensitive personal health data, manipulation of device readings, or disruption of device operation. This could undermine trust in device reliability and data integrity, impacting health monitoring accuracy and potentially leading to incorrect health or performance assessments. In corporate environments, compromised devices could be used as entry points for broader network attacks if connected to enterprise systems. Additionally, the ability to install unauthorized software or reset devices could be exploited to create persistent backdoors or cause denial of service. The lack of authentication and ease of exploitation means attackers do not need sophisticated skills or credentials, increasing the likelihood of opportunistic attacks in public or workplace environments. Although no exploits are currently known in the wild, the vulnerability’s nature and potential impact warrant urgent attention to prevent exploitation, particularly in sectors where device integrity and data confidentiality are critical.

Given the absence of official patches, European organizations and users should implement the following specific mitigations: 1) Disable Bluetooth on COROS PACE 3 devices when not actively in use to prevent unsolicited BLE connections. 2) Limit device exposure by avoiding use in public or untrusted environments where attackers could be in proximity. 3) Monitor device behavior for unexpected resets, configuration changes, or notifications that could indicate compromise. 4) Where possible, restrict physical access to devices to prevent attackers from triggering BLE advertising states. 5) Engage with COROS support channels to obtain firmware updates or security advisories and apply patches promptly once available. 6) Consider network segmentation and endpoint security controls if devices are integrated into enterprise systems to limit lateral movement in case of compromise. 7) Educate users on the risks of BLE vulnerabilities and encourage vigilance regarding device behavior anomalies. 8) Employ BLE scanning tools in sensitive environments to detect unauthorized connections or advertising activity from vulnerable devices. These targeted actions go beyond generic advice by focusing on operational controls and user awareness specific to the COROS PACE 3 BLE vulnerability context.