Critical Vulnerability Information

Vulnerability Type: Improper Certificate Validation (CVE-2025-32878)
Affected Product: COROS PACE 3
Manufacturer: COROS Wearables, Inc.
Affected Versions: <= V 3.6888.0

Vulnerability Description: Due to improper X.509 certificate validation, HTTPS communication between COROS PACE 3 and its backend API can be intercepted and manipulated by a man-in-the-middle attack.

Remediation Status: Not yet fixed

Disclosure Timeline:
- 2025-03-10: Vulnerability discovered
- 2025-03-14: Vulnerability reported to manufacturer
- 2025-05-17: Requested manufacturer update
- 2025-05-31: Additional details provided to manufacturer
- 2025-06-14: Informed manufacturer of assigned CVE-ID and CVSS score
- 2025-06-15: Received manufacturer response, plans to fix in Q3 2025
- 2025-06-17: Public disclosure

References:
- COROS PACE 3 Product Website
- SySS Security Advisory SYSS-2025-E38
- SySS Responsible Disclosure Policy
- stunnel Website
- certimtm GitHub Repository
- CVE-2025-32878
- Bluetooth Analysis of COROS PACE 3