Wednesday, 24 September 2025

OnePlus phones vulnerable to SMS theft since 2021 • The Register

Security researchers report that OnePlus smartphone users remain vulnerable to a critical bug that allows any application to read SMS and MMS data — a flaw that has persisted since late 2021.

Rapid7 revealed in a blog published today that multiple versions of OxygenOS contain this security flaw. Since OxygenOS 11 devices remain unaffected in their tests, researchers believe the vulnerability was introduced with OxygenOS 12, released on December 7, 2021.

Although Rapid7 only used OnePlus phones in its tests, it believes the issue extends to additional OEMs, given that the vulnerable component is within Android itself.

Tracked as CVE-2025-10184 with an 8.2 severity rating, the researchers said: “The issue stems from the fact that sensitive internal content providers are accessible without permission, and are vulnerable to SQL injection.”

The vulnerability operates silently — users receive no alerts when their SMS or MMS data is accessed or transmitted elsewhere. Exploitation requires zero user interaction.

A successful exploit could let attackers bypass SMS-based MFA account protections or give surveillance-hungry governments easy access to messages.

An attacker-controlled app needs no special permissions to read the data; instead, it exploits a flaw in the internal content provider com.oneplus.provider.telephony.

Content providers, integral to the Android platform, manage data access through APIs and enforce permissions that prevent unauthorized external app access. This vulnerability circumvents those protections entirely.
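As an added example (not Rapid7's code, nor anything from OnePlus or OxygenOS), this Python check looks for the manifest condition the article describes: a content provider that other apps can reach without holding any permission. The manifest it inspects is constructed for illustration, and its class and authority names are hypothetical.

```python
"""Flag content providers that other apps can query without any permission.
The manifest below is constructed; its names are hypothetical, not OnePlus's."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"


def unprotected_providers(manifest_xml: str):
    """Return (authority, reason) for each exported provider with no read guard.
    A provider is exported when android:exported="true", or when the attribute
    is absent and minSdkVersion or targetSdkVersion is 16 or lower (the platform
    default before API 17). readPermission or permission counts as a guard."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    if sdk is None:  # no <uses-sdk>: the platform treats both levels as 1
        sdk = ET.Element("uses-sdk")
    min_sdk = int(sdk.get(ANDROID + "minSdkVersion", "1"))
    target_sdk = int(sdk.get(ANDROID + "targetSdkVersion", str(min_sdk)))
    legacy_default = min(min_sdk, target_sdk) <= 16
    findings = []
    for p in root.iter("provider"):
        exported = p.get(ANDROID + "exported")
        is_exported = legacy_default if exported is None else exported.lower() == "true"
        guarded = p.get(ANDROID + "readPermission") or p.get(ANDROID + "permission")
        if is_exported and not guarded:
            findings.append((p.get(ANDROID + "authorities"),
                             "exported without a read permission"))
    return findings


# Constructed sample: the first provider is exposed, the second is guarded.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.telephony">
  <uses-sdk android:minSdkVersion="26" android:targetSdkVersion="28"/>
  <application>
    <provider android:name=".MessageProvider"
              android:authorities="com.example.provider.telephony"
              android:exported="true"/>
    <provider android:name=".GuardedProvider"
              android:authorities="com.example.provider.guarded"
              android:exported="true"
              android:readPermission="android.permission.READ_SMS"
              android:writePermission="android.permission.WRITE_SMS"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for authority, reason in unprotected_providers(SAMPLE_MANIFEST):
        print(f"{authority}: {reason}")
```

The check only covers the permission gate; an exported provider that is guarded still needs its `query()` to treat caller-supplied selection strings as data, not SQL, which this script does not inspect.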

The exploit lets an attacker bypass SMS-based multi-factor authentication protections, and access sensitive personal comms without detection.

Rapid7 has not specified whether attackers have abused this vulnerability in the wild, but it did provide details about how an exploit could look, complete with code snippets – an unusual step for an unpatched critical vulnerability.

Providing details for a weak spot that could lead to sensitive data access is an industry no-no, especially for an unpatched flaw such as CVE-2025-10184. However, it is not unheard of, and in some cases it is used as a last-resort method of getting a vendor to wake up to a threat and issue fixes.

Rapid7 said OnePlus has not responded to numerous attempts to work with it on remediating the issue, the first of which was made on May 1.

According to the supplied disclosure timeline, Rapid7 first contacted the OnePlus Security Response Center (OneSRC) and after a few failed attempts, tried its main customer support service, which promised an escalated response that never came.

On July 22, Rapid7 said it resorted to messaging OnePlus’s X account to no avail, before trying to reach OnePlus via friendly competitor Oppo, also without success.

As of today, Rapid7 said it “considers OnePlus a non-responsive vendor,” hence the public disclosure.

“This vulnerability affects a wide range of OxygenOS versions and multiple OnePlus devices, and we consider the potential impact to be high,” Rapid7 said in its writeup.

In lieu of a patch, the security shop said OnePlus users should only install apps from trusted sources and remove any non-essential apps. It also recommended changing any SMS-based MFA mechanisms in place to authenticator app-based versions, and opting for encrypted messaging apps over SMS.

The Register contacted OnePlus for a response and will update the story with any further information that comes in. ®

