Summary
- Security company Rapid7 has uncovered a major vulnerability within OnePlus phones that could leave users’ SMS and MMS texting data exposed to bad actors.
- This security risk appears to impact all newer OnePlus phones running OxygenOS 12 and later, though Rapid7 has only tested OnePlus 8T and 10 Pro 5G models.
- OnePlus has since acknowledged the vulnerability, and has confirmed plans to roll out a software patch in the coming weeks.
Cybersecurity company Rapid7 has identified a major new permission bypass vulnerability within modern OnePlus smartphones called CVE-2025-10184. This novel exploit, if leveraged by bad actors, could enable rogue applications to read sensitive SMS and MMS text message data from the system’s Telephony provider service — all without the explicitly granted permission of the user.
Theoretically, CVE-2025-10184 might impact all OnePlus devices running OxygenOS 12, 14, and 15, though Rapid7 itself only tested OnePlus 8T and 10 Pro 5G models. Older OnePlus handsets running Oxygen 11 (based on Android 11) or previous appear to be unaffected by the exploit.
“The issue stems from the fact that sensitive internal content providers are accessible without permission, and are vulnerable to SQL injection. Based on our analysis, this vulnerability could be leveraged to bypass the core Android READ_SMS permission to silently exfiltrate users’ SMS data without their consent and break SMS-based MFA systems,” writes Rapid7 in a blog post.
Without getting into too much technical detail, it appears that the exploit stems from modifications made by OnePlus to the Android Open Source Project’s (AOSP’s) core Telephony package back in the Android 12 days, in order to integrate extra content providers into the service. While the company implemented the appropriate read permissions into its modification, there was some kind of oversight made in the addition of effective write permissions.
An official fix is on the way
OnePlus acknowledges the vulnerability and is working on a patch
In a statement provided to 9to5Google, OnePlus has confirmed that it’s aware of this newly-surfaced texting vulnerability found within OxygenOS, and that it has successfully implemented a working fix for it. The company goes on to say that the patch will be pushed out across the globe via an over-the-air (OTA) software update “starting from mid-October.”
It’s great to hear that OnePlus is working to plug this potentially major security vulnerability across its portfolio of handsets. That being said, reports of the company failing to respond to Rapid7’s initial private inquiry are concerning, as are Rapid7’s characterizations of the OnePlus Bug Bounty Program’s “restrictive Non Disclosure Agreement” terms and conditions.
In any case, a fix is on the way, which means OnePlus users can breathe a sigh of relief. In the meantime, Rapid7 recommends cutting down on non-essential apps, avoiding the installation of apps from unknown sources, and making use of a dedicated authenticator app for two-factor authentication (2FA) as opposed to relying on SMS one-time password (OTP) codes.
