Medium severity5.7NVD Advisory· Published Jun 20, 2025· Updated Apr 15, 2026

CVE-2025-32875

Description

An issue was discovered in the COROS application through 3.8.12 for Android. Bluetooth pairing and bonding is neither initiated nor enforced by the application itself. Also, the watch does not enforce pairing and bonding. As a result, any data transmitted via BLE remains unencrypted, allowing attackers within Bluetooth range to eavesdrop on the communication. Furthermore, even if a user manually initiates pairing and bonding in the Android settings, the application continues to transmit data without requiring the watch to be bonded. This fallback behavior enables attackers to exploit the communication, for example, by conducting an active machine-in-the-middle attack.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

support.coros.com/hc/en-us/categories/4416357319956-Software-Updatesnvd
syss.denvd
www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-025.txtnvd

News mentions

No linked articles in our index yet.

cvss	0.371
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000