
OnePlus devices have a big SMS vulnerability, but a patch is finally on the way

The OnePlus 15 is right around the corner, but the company has bigger fish to fry at the moment. A massive SMS vulnerability has been discovered on OnePlus smartphones, and while it has yet to be patched, the good news is a fix is on its way.

Earlier this week, cybersecurity firm Rapid7 published its findings on a permission bypass vulnerability affecting “multiple versions” of OxygenOS, going all the way back to OxygenOS 12 on the OnePlus 8T (h/t BleepingComputer). In short, modifications OnePlus made to the standard Telephony package left it open to abuse, allowing any installed application on an affected OnePlus device to read SMS and MMS messages, along with their metadata, “without permission, user interaction, or consent.” There is also no way for a user to tell whether their data has been accessed this way.

Rapid7 says it tried to contact OnePlus for months ahead of publishing its findings on the vulnerability, which is tracked as CVE-2025-10184, without success. Despite the publication on Monday, the company did not acknowledge the issue until Wednesday of this week, when OnePlus confirmed it was aware of it.

A OnePlus spokesperson gave NewGeekGuide the following statement:


We acknowledge the recent disclosure of CVE-2025-10184 and have implemented a fix. This will be rolled out globally via software update starting from mid-October. OnePlus remains committed to protecting customer data and will continue to prioritize security improvements.

As for how this happened: OnePlus appears to have modified the stock Telephony app back in the Android 12 days (the bug does not exist in OxygenOS 11) to add extra content providers to the package, including the following three:

  • com.android.providers.telephony.PushMessageProvider
  • com.android.providers.telephony.PushShopProvider
  • com.android.providers.telephony.ServiceNumberProvider

Modifying this package isn’t inherently bad, obviously, but when you’re dealing with a component that can provide read and write access to the messages stored on the device, you need to take additional steps to make sure you aren’t leaving holes, and that is exactly what happened here. OnePlus declared a read permission on these providers but no write permission. On Android, a provider’s android:readPermission only guards query(); insert(), update() and delete() are guarded by android:writePermission (or a general android:permission), and with neither set, an exported provider accepts write calls from any app on the device. As Rapid7’s blog post states, this “may allow client apps to perform write operations, if the relevant write […] operation is implemented within the provider.”
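The pattern above (a read permission declared, no write permission) is something you can check for statically in a decoded manifest. The following is an added example written for this article, not code from Rapid7, OnePlus or the Android project: it walks every exported `<provider>` in an AndroidManifest.xml and flags those whose write path has no effective permission. The two manifests embedded in it are constructed for the demonstration; the three provider class names are the ones from Rapid7’s finding, but the authorities and the exact permission strings are placeholders, not the real OxygenOS declarations.

```python
# Added example: static check for exported content providers whose reads are
# permission-guarded but whose writes are not. Not the article's or Rapid7's code.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _android_attr(elem: ET.Element, name: str):
    """Read an android:* attribute from a manifest element (None if absent)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_unprotected_writes(manifest_xml: str) -> list[dict]:
    """Return exported providers whose insert/update/delete path is unguarded.

    Android resolves provider permissions like this: android:permission covers
    both reads and writes unless the more specific android:readPermission /
    android:writePermission override it. So the write path is open whenever
    neither writePermission nor the general permission is declared.
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    for prov in root.iter("provider"):
        if _android_attr(prov, "exported") != "true":
            continue  # not reachable from other apps; out of scope for this check
        general = _android_attr(prov, "permission")
        read_perm = _android_attr(prov, "readPermission") or general
        write_perm = _android_attr(prov, "writePermission") or general
        if write_perm is None:
            findings.append({
                "name": _android_attr(prov, "name"),
                "authorities": _android_attr(prov, "authorities"),
                "readPermission": read_perm,
                "problem": "exported provider has no write permission",
            })
    return findings


# Constructed manifest modelled on the misconfiguration the article describes.
# Authorities ("example.*") and permission names are placeholders.
WEAK_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}"
    package="com.android.providers.telephony">
  <application>
    <provider android:name="com.android.providers.telephony.PushMessageProvider"
              android:authorities="example.pushmessage"
              android:exported="true"
              android:readPermission="android.permission.READ_SMS" />
    <provider android:name="com.android.providers.telephony.PushShopProvider"
              android:authorities="example.pushshop"
              android:exported="true"
              android:readPermission="android.permission.READ_SMS" />
    <provider android:name="com.android.providers.telephony.ServiceNumberProvider"
              android:authorities="example.servicenumber"
              android:exported="true"
              android:readPermission="android.permission.READ_SMS" />
  </application>
</manifest>
"""

# The corrected form: the same providers with the write path guarded as well.
FIXED_MANIFEST = WEAK_MANIFEST.replace(
    'android:readPermission="android.permission.READ_SMS"',
    'android:readPermission="android.permission.READ_SMS"\n'
    '              android:writePermission="android.permission.WRITE_SMS"',
)

if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("fixed", FIXED_MANIFEST)):
        hits = find_unprotected_writes(manifest)
        print(f"{label}: {len(hits)} provider(s) with unguarded writes")
        for h in hits:
            print(f"  {h['name']} (authority {h['authorities']}): {h['problem']}")
```

To run this against a real build you would pull the Telephony APK off the device and decode its manifest first (for example with apktool or `aapt2 dump xmltree`), then feed the decoded XML to the function. The check only tells you that the write entry points are reachable without a permission; what insert(), update() and delete() actually do with caller-supplied input still has to be read from the provider’s code.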

For now, OnePlus users should tread carefully until the patch rolls out in mid-October. Rapid7 suggests installing apps only from trusted sources and removing any non-essential apps. If you receive one-time codes for two-factor logins over SMS, switch to an authenticator app as soon as possible so the code is never sent as a text message. Moving conversations to a third-party messaging app also helps, since its messages are not stored in the device’s SMS/MMS database that these providers expose.


Author

Will Sattelberg

Will Sattelberg is a writer and podcaster at NewGeekGuide.
You can reach out to Will at will@9to5mac.com, or find him on Twitter @will_sattelberg