A serious security flaw in OnePlus smartphones allows any app to quietly read your SMS messages without permission, and it’s still not fixed.
Quick Summary – TLDR:
- A vulnerability tracked as CVE-2025-10184 affects OxygenOS versions 12 through 15 on OnePlus phones
- Malicious apps can access SMS and MMS data without user interaction or permissions
- The flaw allows bypassing of multi-factor authentication and risks exposure of personal messages
- OnePlus has failed to respond to researchers despite repeated disclosures since May 2025
What Happened?
Security firm Rapid7 discovered a critical bug in OnePlus's customized Android software, OxygenOS, that allows apps to read SMS messages silently and without user consent. The vulnerability affects OxygenOS versions 12 through 15, potentially putting a wide range of OnePlus devices at risk. Despite repeated contact attempts, OnePlus did not acknowledge the issue until after public disclosure, and it has still not patched the flaw.
⚠️ Rapid7 has identified a permission bypass vuln. in multiple versions of #OnePlus OxygenOS installed on its Android smartphones.
When leveraged, any app on the device may read SMS/MMS data & metadata via the default Telephony provider. More in our blog: https://t.co/CJdjtcDd7j pic.twitter.com/71suG4hE5M
— Rapid7 (@rapid7) September 23, 2025
A Deep Dive into the Vulnerability
The flaw, identified as CVE-2025-10184, stems from how OnePlus modified the com.android.providers.telephony package in its version of Android. The company added several exported content providers such as:
- PushMessageProvider
- PushShopProvider
- ServiceNumberProvider
These providers lack proper permission restrictions. That means any installed app can read SMS and MMS content, including sensitive data such as multi-factor authentication (MFA) codes, without holding the READ_SMS permission that normally guards that data. Worse, the exposed providers are also vulnerable to blind SQL injection, which allows an attacker to extract the entire SMS database from the phone.
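The root cause described above, a content provider that is exported to every app on the device yet declares no read or write permission, is exactly the kind of misconfiguration a defender can check for in a decoded AndroidManifest.xml (as produced by apktool or similar). The script below is an added example written for this article; it is not code from Rapid7, OnePlus, or the Android project. The manifest it audits is constructed: the provider class names come from the article, but the authorities, the SmsProvider entry (modelled loosely on the AOSP telephony provider) and every other attribute are assumptions. It goes slightly beyond the article by also flagging a provider whose only guard is a permission the package itself defines at protectionLevel "normal", since any app can request such a permission and it therefore offers no real protection.

```python
"""Audit a decoded AndroidManifest.xml for content providers that are exported
without an effective permission guard (added example, not from the article)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# protectionLevel values that any installed app can obtain without user consent
NORMAL_LEVELS = {None, "", "normal"}

# Constructed manifest for illustration. Provider names are those named in the
# article; authorities and all other attributes are assumptions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.android.providers.telephony">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="31"/>
  <permission android:name="com.example.ASSUMED_WEAK"
              android:protectionLevel="normal"/>
  <application>
    <!-- exported but guarded by READ_SMS / WRITE_SMS: no finding -->
    <provider android:name=".SmsProvider" android:authorities="sms"
              android:exported="true"
              android:readPermission="android.permission.READ_SMS"
              android:writePermission="android.permission.WRITE_SMS"/>
    <!-- exported with no permission at all -->
    <provider android:name=".PushMessageProvider"
              android:authorities="com.example.pushmessage"
              android:exported="true"/>
    <!-- exported, guarded only by a normal-level permission -->
    <provider android:name=".PushShopProvider"
              android:authorities="com.example.pushshop"
              android:exported="true"
              android:permission="com.example.ASSUMED_WEAK"/>
    <!-- not exported: unreachable from other apps, no finding -->
    <provider android:name=".ServiceNumberProvider"
              android:authorities="com.example.servicenumber"
              android:exported="false"/>
  </application>
</manifest>
"""


def _a(el, name):
    """Read an attribute from the android: namespace."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def _is_exported(provider, min_sdk, target_sdk):
    """Explicit android:exported wins; otherwise a provider defaults to exported
    only when both minSdkVersion and targetSdkVersion are 16 or lower."""
    explicit = _a(provider, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return min_sdk <= 16 and target_sdk <= 16


def audit_manifest(xml_text):
    """Return (provider_name, problem) tuples for every exported provider whose
    read or write path is unguarded or guarded only by a normal-level permission."""
    root = ET.fromstring(xml_text)
    uses_sdk = root.find("uses-sdk")
    min_sdk = int(_a(uses_sdk, "minSdkVersion") or 1) if uses_sdk is not None else 1
    target_sdk = (int(_a(uses_sdk, "targetSdkVersion") or min_sdk)
                  if uses_sdk is not None else min_sdk)
    # protectionLevel of every permission this package defines itself
    declared = {_a(p, "name"): _a(p, "protectionLevel") for p in root.iter("permission")}

    findings = []
    for prov in root.iter("provider"):
        if not _is_exported(prov, min_sdk, target_sdk):
            continue
        name = _a(prov, "name")
        read_guard = _a(prov, "readPermission") or _a(prov, "permission")
        write_guard = _a(prov, "writePermission") or _a(prov, "permission")
        # <path-permission> children can guard individual URI paths
        has_path_perms = prov.find("path-permission") is not None
        for kind, guard in (("read", read_guard), ("write", write_guard)):
            if guard is None and not has_path_perms:
                findings.append((name, f"exported provider allows {kind} without any permission"))
            elif guard in declared and declared[guard] in NORMAL_LEVELS:
                findings.append((name, f"{kind} guard {guard} is normal-level: any app can hold it"))
    return findings


if __name__ == "__main__":
    for provider, problem in audit_manifest(SAMPLE_MANIFEST):
        print(f"{provider}: {problem}")
```

Run against a real decoded manifest, the same function takes the file's text; a provider that shows up here with "without any permission" is reachable by every app on the device, which is the condition the article describes for the OnePlus providers.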
According to Rapid7, the vulnerability is not present in OxygenOS 11, indicating the issue was introduced with OxygenOS 12, launched in December 2021.
Zero User Interaction Required
What makes this vulnerability especially alarming is that no user interaction is needed. An app can quietly pull text messages in the background without alerting the user. This kind of flaw creates serious risks such as:
- Bypassing SMS-based MFA, which secures banking and email accounts.
- Undetected surveillance by rogue apps or malicious actors.
- Silent data theft, which could compromise private conversations.
Rapid7 provided proof-of-concept code demonstrating how the exploit works, a rare move for an unpatched vulnerability. This was seen as a last-ditch effort to pressure OnePlus into action after months of silence.
OnePlus’s Troubling Silence
Rapid7 first contacted OnePlus’s security team on May 1, 2025, then followed up via customer support, Twitter, and through OPPO – OnePlus’s parent company. After seven failed attempts, the company finally labeled OnePlus a non-responsive vendor and disclosed the vulnerability publicly.
Only after public disclosure did OnePlus acknowledge the issue and say it had started an investigation. However, no patch has been released as of September 23, 2025, and users remain exposed.
Affected Devices and Versions
Tests confirmed the bug on:
- OnePlus 8T running OxygenOS 12
- OnePlus 10 Pro 5G running various builds of OxygenOS 14 and 15
Because the flaw lies in OnePlus's platform code rather than in a single device build, many more devices are likely affected than the two that were tested.
Device/Model Breakdown
- OnePlus 8T / KB2003 – OxygenOS 12 (KB2003_11_C.3)
- OnePlus 10 Pro / NE2213 – OxygenOS 14 and 15 (Various builds)
What You Can Do Now
Since no official fix is available yet, Rapid7 recommends the following precautions:
- Limit app installations to trusted sources.
- Uninstall non-essential apps.
- Switch from SMS-based MFA to apps like Google Authenticator.
- Use encrypted messaging apps instead of SMS for sensitive chats.
SQ Magazine Takeaway
I honestly can’t believe this is still unresolved. OnePlus has a solid reputation for fast phones and sleek design, but their silence here is a major red flag. When a security firm is practically begging a company to fix a hole this serious and gets no response, it puts users like you and me at real risk. This isn’t just a glitch. It’s a door left wide open for attackers. If you use a OnePlus device, now’s the time to tighten your app permissions and rethink using SMS for anything sensitive. You deserve better from a brand that claims to care about its users.