OnePlus smartphones running OxygenOS 12 through 15 are vulnerable to a serious permission-bypass exploit (CVE-2025-10184), allowing any installed app to silently read SMS, MMS, and associated metadata without user consent or explicit permission; the flaw was publicly disclosed by security researchers at Rapid7 after repeated failed attempts to coordinate with OnePlus, and the company has since committed to rolling out a fix globally starting mid-October.
Sources: 9to5Google, Rapid7
Key Takeaways
– The vulnerability stems from OnePlus’s modifications to the Android Telephony content providers (e.g. PushMessageProvider, PushShopProvider, ServiceNumberProvider), which were declared without a write-permission restriction and were vulnerable to blind SQL injection, enabling apps to bypass READ_SMS restrictions.
– The flaw enables attackers to exfiltrate SMS content — including one-time codes used for SMS-based multi-factor authentication — thereby weakening a key security defense.
– Until the patch arrives, users should minimize installed apps to only trusted sources, transition from SMS-based 2FA to authenticator apps, and avoid using SMS for high-sensitivity communication.
In-Depth
In a move that’s raising serious security alarms in the mobile world, researchers at Rapid7 have unveiled a permission-bypass vulnerability in OnePlus devices that could quietly expose your text messages to malicious apps. The flaw, labeled CVE-2025-10184, is believed to affect devices running OxygenOS versions 12 through 15, and was introduced when OnePlus altered core Android Telephony components. Under normal operations, Android enforces strict permissions around SMS and MMS access — apps must explicitly request READ_SMS or related permissions and users must grant consent. But OnePlus’s changes introduced new content providers (PushMessageProvider, PushShopProvider, ServiceNumberProvider) without proper write restrictions, leaving them open to abuse. By chaining blind SQL injection techniques, a malicious app can infer or outright exfiltrate SMS content without triggering any user prompts or alerts.
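The root cause described in the Key Takeaways bullet and in the paragraph above is a content provider that gates reads with a permission but leaves its write path (update/delete) open to any app. The following audit script is an added example, not code from OnePlus, Rapid7 or 9to5Google: it walks an AndroidManifest.xml and reports every exported provider whose writes are not covered by android:permission or android:writePermission. The manifest embedded at the bottom is constructed for illustration, and the provider and permission names in it are placeholders.

```python
"""Audit an AndroidManifest.xml for content providers whose write path is
unprotected. Added example; the sample manifest is constructed, not real."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_providers(manifest_xml):
    """Return a dict mapping each risky provider's android:name to a finding.

    A provider produces no entry when it is not exported, or when writes are
    gated at the provider level by android:permission or android:writePermission.
    """
    root = ET.fromstring(manifest_xml)
    findings = {}
    for prov in root.iter("provider"):
        name = _attr(prov, "name") or "<unnamed>"
        exported = _attr(prov, "exported")
        if exported == "false":
            continue  # not reachable from other packages
        if _attr(prov, "permission") or _attr(prov, "writePermission"):
            continue  # every update()/delete() caller must hold a permission
        # Path-level write gating only protects the listed paths.
        gated_paths = [
            _attr(p, "path") or _attr(p, "pathPrefix") or _attr(p, "pathPattern")
            for p in prov.findall("path-permission")
            if _attr(p, "writePermission") or _attr(p, "permission")
        ]
        read_perm = _attr(prov, "readPermission")
        if gated_paths:
            finding = "writes gated only on paths %s; other paths open" % gated_paths
        elif read_perm:
            # The pattern from the article: reads need a permission, writes do not,
            # so any app can reach update()/delete() and any injection flaw there.
            finding = ("reads require %s but no writePermission: any app can call "
                       "update()/delete()" % read_perm)
        else:
            finding = "no read or write permission declared"
        if exported is None:
            finding += " (android:exported not declared; default depends on targetSdk)"
        findings[name] = finding
    return findings


# Constructed sample manifest (placeholder authorities and permission names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.telephony">
  <application>
    <provider android:name=".OpenWriteProvider"
        android:authorities="com.example.openwrite" android:exported="true"
        android:readPermission="android.permission.READ_SMS"/>
    <provider android:name=".GatedProvider"
        android:authorities="com.example.gated" android:exported="true"
        android:readPermission="android.permission.READ_SMS"
        android:writePermission="android.permission.WRITE_SMS"/>
    <provider android:name=".InternalProvider"
        android:authorities="com.example.internal" android:exported="false"/>
    <provider android:name=".PathGatedProvider"
        android:authorities="com.example.pathgated" android:exported="true"
        android:readPermission="android.permission.READ_SMS">
      <path-permission android:pathPrefix="/admin"
          android:writePermission="com.example.WRITE_ADMIN"/>
    </provider>
  </application>
</manifest>"""


if __name__ == "__main__":
    for provider, finding in audit_providers(SAMPLE_MANIFEST).items():
        print("%s: %s" % (provider, finding))
```

Run it against a manifest pulled from a firmware image or an APK (after decoding the binary XML with a tool such as apktool) to list providers that need a writePermission, an android:permission, or android:exported="false". The script only reasons about manifest declarations; a provider can also enforce checks in code, so a finding is a prompt for review rather than proof of a bug.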
Rapid7 says that SMS-based multi-factor authentication (MFA) protections are especially vulnerable here, since attackers could intercept OTPs or codes meant for account verification. The seriousness is underlined by the fact that attackers need no special permissions or user interaction for the exploit to succeed. In their disclosure, Rapid7 noted repeated failed attempts to engage with OnePlus before making the issue public. Only after the disclosure did OnePlus respond, promising a global patch rollout by mid-October.
In practice, users of vulnerable OnePlus phones are left in limbo. There’s no way to confirm whether your data has been accessed in the interim, so caution is the only viable recourse. Security-minded users should immediately remove nonessential or untrusted apps, rely on app stores with stronger vetting, and — most importantly — switch from SMS-based 2FA to more secure methods like time-based one-time passwords (TOTP) or hardware keys. Also, sensitive communications should bypass SMS entirely, favoring end-to-end encrypted messaging platforms. As the patch approaches, OnePlus users should watch carefully for software updates and apply them quickly when they arrive.

