A severe security vulnerability in OnePlus OxygenOS has been discovered that allows any installed application to read SMS and MMS messages without requesting permission or notifying users.
The flaw, designated CVE-2025-10184, affects multiple OnePlus devices running OxygenOS versions 12 through 15, potentially compromising SMS-based multi-factor authentication (MFA) systems and exposing sensitive personal communications to unauthorized access.
Cybersecurity firm Rapid7 identified this permission bypass vulnerability across multiple OnePlus smartphone models, including the OnePlus 8T, OnePlus 10 Pro 5G, and potentially other devices in the ecosystem.
The vulnerability stems from improperly secured internal content providers within the Android Telephony package (com.android.providers.telephony) that can be exploited through SQL injection techniques.
OnePlus OxygenOS Vulnerability
The vulnerability exploits Android's content provider system, which manages structured data access across applications.
OnePlus introduced three additional exported content providers in their OxygenOS implementation that are not present in stock Android: PushMessageProvider, PushShopProvider, and ServiceNumberProvider.
These providers contain inadequate permission controls and lack proper SQL injection protections.
The most critical flaw exists in the ServiceNumberProvider class, where the update method accepts arbitrary SQL code through the where parameter without sanitization.
Malicious applications can exploit this weakness to perform blind SQL injection attacks, using Boolean inference techniques to extract SMS data character by character from the device's message database, as the report states.
The exploitation process involves crafting SQL queries with UNION SELECT statements and substr functions to systematically extract message contents.
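A manifest audit for the condition described above, written as an added example and not code from Rapid7 or OnePlus: it flags exported providers whose read or write path has no permission guard. The manifest is constructed (package name, authorities and permission attributes are assumptions, not OxygenOS values), and the script assumes a decoded text manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: class names echo the article, every attribute value is invented.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.telephony">
  <application>
    <provider android:name=".ServiceNumberProvider"
              android:authorities="example.servicenumber"
              android:exported="true"/>
    <provider android:name=".PushMessageProvider"
              android:authorities="example.pushmessage"
              android:exported="true"
              android:readPermission="android.permission.READ_SMS"/>
    <provider android:name=".GuardedProvider"
              android:authorities="example.guarded"
              android:exported="true"
              android:permission="com.example.permission.INTERNAL"/>
    <provider android:name=".InternalProvider"
              android:authorities="example.internal"
              android:exported="false"/>
  </application>
</manifest>
"""

def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def audit_providers(manifest_xml):
    """Map each exported provider to the access paths left without a permission."""
    findings = {}
    for prov in ET.fromstring(manifest_xml.strip()).iter("provider"):
        # Assumption: only an explicit exported="true" counts as reachable by other apps.
        if _attr(prov, "exported") != "true":
            continue
        base = _attr(prov, "permission")  # guards both read and write when set
        unguarded = []
        if not (base or _attr(prov, "readPermission")):
            unguarded.append("read")
        # insert()/update()/delete() are checked against the write permission, so a
        # provider guarded only by readPermission still accepts update() from any app.
        if not (base or _attr(prov, "writePermission")):
            unguarded.append("write")
        if unguarded:
            findings[_attr(prov, "name")] = unguarded
    return findings

if __name__ == "__main__":
    for name, paths in audit_providers(SAMPLE_MANIFEST).items():
        print(f"{name}: no permission on {', '.join(paths)}")
```

A flagged write path is the one to review first here, because the article's flaw leaks data through update(), which a read permission alone does not gate.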
This vulnerability presents significant security implications beyond simple message interception.
The flaw effectively bypasses Android's READ_SMS permission system, allowing malicious applications to access SMS data silently without user consent or system notifications.
Most critically, this compromises SMS-based MFA systems used by banking applications, social media platforms, and other security-sensitive services.
Risk Factors: Details
Affected Products: OnePlus devices running OxygenOS 12, 14, and 15 (e.g. 8T, 10 Pro)
Impact: Unauthorized read of SMS and MMS data and metadata; silent bypass of SMS-based MFA
Exploit Prerequisites: 1. Vulnerable OxygenOS version with unprotected Telephony content providers 2. At least one row in exposed table or ability to insert dummy row 3. Malicious app installed on device
CVSS 3.1 Score: 7.8 (High)
Mitigations
The vulnerability affects OxygenOS versions 12, 14, and 15 across multiple device models. Notably, the OxygenOS 11 versions tested were not vulnerable, suggesting the security flaw was introduced during the OxygenOS 12 development cycle in 2021.
Rapid7 estimates the issue could affect surveillance activities by state-sponsored adversaries and authoritarian regimes seeking to monitor communications.
OnePlus has remained unresponsive to Rapid7's disclosure attempts since May 2025, leading to public disclosure without vendor coordination.
Users can mitigate exposure by removing non-essential applications, transitioning from SMS-based MFA to authenticator applications, and using end-to-end encrypted messaging platforms for sensitive communications until OnePlus releases security patches addressing CVE-2025-10184.