CVE-2025-32880: n/a

Critical
Tags: Vulnerability, CVE-2025-32880
Published: Fri Jun 20 2025 (06/20/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue was discovered on COROS PACE 3 devices through 3.0808.0. It implements a function to connect the watch to a WLAN. With WLAN access, the COROS Pace 3 downloads firmware files via HTTP. However, the communication is not encrypted and allows sniffing and machine-in-the-middle attacks.

AI-Powered Analysis

Last updated: 06/20/2025, 14:17:22 UTC

Technical Analysis

CVE-2025-32880 identifies a security vulnerability in the COROS PACE 3 smartwatch devices running firmware versions up to 3.0808.0. The vulnerability arises from the device's method of downloading firmware updates over WLAN connections. Specifically, the device connects to a wireless network and retrieves firmware files via unencrypted HTTP communication. This lack of encryption exposes the firmware download process to network-based attacks such as sniffing and machine-in-the-middle (MitM) attacks. An attacker positioned on the same network or capable of intercepting the device's traffic can eavesdrop on the firmware data or potentially inject malicious firmware updates. Since firmware updates control the device's core operating code, successful exploitation could lead to unauthorized code execution, device compromise, or persistent backdoors. The vulnerability does not require authentication or user interaction beyond the device connecting to WLAN and attempting a firmware update. No known exploits have been reported in the wild as of the publication date. However, the fundamental flaw in using HTTP for firmware delivery on a connected IoT device represents a significant security risk, especially given the sensitive nature of wearable devices that may store personal health and location data. The absence of encryption and integrity checks in the firmware update process undermines the confidentiality and integrity of the device's software, potentially leading to severe security consequences if exploited.

Potential Impact

For European organizations, the vulnerability poses risks primarily to employees and personnel using COROS PACE 3 devices, especially in corporate or sensitive environments where WLAN networks are shared or less secure. Compromise of these devices could lead to leakage of personal and organizational data, unauthorized surveillance, or lateral movement within corporate networks if the device is connected to enterprise systems. The integrity of firmware updates being compromised could allow attackers to implant persistent malware on devices, which may be used for espionage or data exfiltration. Given the increasing use of wearable devices in health monitoring and workforce management, exploitation could also impact employee privacy and safety. Additionally, organizations involved in sports, fitness, or health sectors that utilize these devices may face reputational damage and regulatory scrutiny under GDPR if personal data is compromised. The vulnerability also raises concerns for critical infrastructure sectors where secure device operation is essential. Although no exploits are currently known, the ease of interception on unsecured WLANs and the lack of encryption make this a plausible attack vector, especially in public or poorly secured wireless environments.

Mitigation Recommendations

To mitigate this vulnerability, European organizations and users should:

1) Immediately restrict COROS PACE 3 devices to trusted and secured WLAN networks that employ strong encryption (WPA3 or WPA2) and network segmentation to limit exposure.
2) Monitor network traffic for unusual HTTP firmware download activity and consider deploying network intrusion detection systems (NIDS) capable of detecting MitM attempts or anomalous firmware update patterns.
3) Encourage users to disable automatic firmware updates until a secure, encrypted update mechanism is released by COROS.
4) Engage with COROS support channels to obtain information on firmware patches or updates that address this vulnerability and prioritize timely deployment once available.
5) Implement endpoint security controls on devices that connect to corporate networks to detect anomalous behavior potentially stemming from compromised wearables.
6) Educate users on the risks of connecting devices to public or unsecured WLANs and promote the use of VPNs when wireless security cannot be guaranteed.
7) For organizations managing large fleets of devices, consider network access control (NAC) solutions to enforce device compliance and isolate vulnerable devices from critical network segments.

These measures go beyond generic advice by focusing on network-level controls, user behavior, and proactive monitoring tailored to the specific nature of this vulnerability.
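One way to implement the monitoring in recommendation 2, added here as an example and not taken from COROS or from the CVE record: it scans a tab-separated log of cleartext HTTP transactions for firmware-sized downloads by devices in a wearable WLAN segment, then reports URLs that were served from different hosts or with different sizes to different devices. The subnet, field layout, file extensions, size threshold and hostnames are all assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the advisory): wearables sit in this WLAN segment and
# firmware images are recognisable by extension or a generic binary MIME type.
WEARABLE_NET = ipaddress.ip_network("10.20.30.0/24")
FW_EXTENSIONS = (".bin", ".img", ".fw", ".zip")
FW_MIME = {"application/octet-stream", "application/zip"}
MIN_BYTES = 100_000  # ignore small config or icon fetches
FIELDS = ("ts", "src", "dst", "method", "host", "uri", "mime", "size")

# Constructed sample: one cleartext HTTP transaction per line, as an HTTP sensor sees it.
SAMPLE_LOG = "\n".join([
    "1750400000\t10.20.30.41\t192.0.2.10\tGET\tfw.example.invalid\t/firmware/update.bin\tapplication/octet-stream\t4194304",
    "1750400060\t10.20.30.42\t192.0.2.10\tGET\tfw.example.invalid\t/firmware/update.bin\tapplication/octet-stream\t4194304",
    "1750400120\t10.20.30.43\t10.20.30.99\tGET\tfw.example.invalid\t/firmware/update.bin\tapplication/octet-stream\t4198400",
    "1750400180\t10.20.30.41\t192.0.2.20\tGET\tapi.example.invalid\t/v1/status\tapplication/json\t512",
    "1750400240\t10.9.0.5\t192.0.2.10\tGET\tfw.example.invalid\t/firmware/update.bin\tapplication/octet-stream\t4194304",
    "1750400300\t10.20.30.44\t192.0.2.30\tGET\tcdn.example.invalid\t/img/logo.bin\tapplication/octet-stream\t2048",
])

def parse(log):
    # Yield one dict per transaction, skipping blank and comment lines.
    for line in log.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split("\t")))
        rec["size"] = int(rec["size"])
        yield rec

def is_cleartext_firmware(rec):
    # Every record is already plain HTTP; narrow to large binary GETs from wearables.
    path = rec["uri"].split("?", 1)[0].lower()
    return (rec["method"] == "GET"
            and ipaddress.ip_address(rec["src"]) in WEARABLE_NET
            and rec["size"] >= MIN_BYTES
            and (path.endswith(FW_EXTENSIONS) or rec["mime"] in FW_MIME))

def analyse(log):
    # Return (flagged downloads, URLs whose server IP or body size varies).
    downloads = [r for r in parse(log) if is_cleartext_firmware(r)]
    variants = defaultdict(set)
    for r in downloads:
        variants[(r["host"], r["uri"])].add((r["dst"], r["size"]))
    inconsistent = sorted(k for k, v in variants.items() if len(v) > 1)
    return downloads, inconsistent

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG)[1])
```

A URL in the second list is a lead to triage, not proof of tampering: CDNs and staged rollouts can also change the serving address or file size.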


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-11T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 685569cf7ff74dad36a660e5

Added to database: 6/20/2025, 2:01:51 PM

Last enriched: 6/20/2025, 2:17:22 PM

Last updated: 8/13/2025, 7:55:21 AM
