OnePlus phones remain popular, even if they might not have the same weight they did before. If you happen to have a OnePlus phone, you’ll want to know about this vulnerability—and while a fix is on the way, you should continue to be careful while it lands.
A significant security vulnerability has been discovered in OnePlus smartphones that leaves the SMS and MMS messages of millions of users exposed to any application installed on their devices. The flaw is present in multiple versions of the company’s OxygenOS software and allows for a complete bypass of Android’s permission system, granting silent access to sensitive message data. Yikes.
The critical vulnerability was first identified and detailed by the cybersecurity firm Rapid7. The firm explained in the public disclosure for the vulnerability that the exploit, officially designated as CVE-2025-10184, affects a wide range of OnePlus devices running software from OxygenOS 12 onward, tracing back to at least the OnePlus 8T model. That’s a lot of affected phones, especially when you see how much time it has been since OxygenOS 12 was released and how long the issue has remained undetected. The core of the problem lies in modifications OnePlus made to the standard Android Telephony package, a system-level component that manages calls and messages. These changes inadvertently created a loophole that allows any app, regardless of its stated permissions, to read SMS and MMS messages, including their content and associated metadata.
The flaw apparently requires no user interaction or consent to be exploited, which makes it really, really dangerous. An app does not need to request SMS permissions, and the operating system provides no notification that a third party has accessed the user’s private messages. This means that for months, or even years, malicious or simply poorly-coded applications could have been siphoning personal data, including sensitive information often sent via text, such as one-time passwords (OTPs) for two-factor authentication (2FA), without the user’s knowledge.
The technical cause appears to stem from the introduction of several new content providers into the Telephony app service back when OnePlus released OxygenOS 12. While OnePlus developers correctly assigned read permissions for SMS messages to these new providers, they failed to implement corresponding write permissions. This oversight, as Rapid7’s technical blog post explains, can “allow client apps to perform writer operations” if the function is implemented within the provider, effectively leaving the door open for unauthorized access. The vulnerability does not exist in older versions, such as OxygenOS 11.
Rapid7 noted that it attempted to contact OnePlus to disclose the vulnerability responsibly several months before making its findings public, but received no response. After the public disclosure was published on Monday, OnePlus formally acknowledged the exploit on Wednesday and confirmed a fix is on the way. It’s finally getting fixed, but this kind of blunder is rarely seen in high-profile Android manufacturers, and it’s a very late fix—hopefully, no malicious actors actually noticed this entry point and stole user data.
Source: 9to5Google
We want to hear from you! Share your opinions in the thread below and remember to keep it respectful.
Your comment has not been saved
This thread is open for discussion.
Be the first to post your thoughts.

source