Rapid7 warns flaw could let any app peek at your SMS, but smartphone vendor won’t pick up
UPDATED Security researchers report that OnePlus smartphone users remain vulnerable to a critical bug that allows any application to read SMS and MMS data — a flaw that has persisted since late 2021.
Rapid7 revealed in a blog published today that multiple versions of OxygenOS contain this security flaw. Since OxygenOS 11 devices remain unaffected in their tests, researchers believe the vulnerability was introduced with OxygenOS 12, released on December 7, 2021.
Although Rapid7 only used OnePlus phones in its tests, it believes the issue extends to additional OEMs, given that the vulnerable component is within Android itself.
The flaw is tracked as CVE-2025-10184 with an 8.2 severity rating. The researchers said: “The issue stems from the fact that sensitive internal content providers are accessible without permission, and are vulnerable to SQL injection.”
The vulnerability operates silently — users receive no alerts when their SMS or MMS data is accessed or transmitted elsewhere. Exploitation requires zero user interaction.
A successful exploit could let attackers bypass SMS-based MFA account protections or give surveillance-hungry governments easy access to messages.
An attacker-controlled app needs no special permissions in order to read the data. Instead, it exploits a flaw in the internal content provider com.oneplus.provider.telephony.
Content providers, integral to the Android platform, manage data access through APIs and enforce permissions that prevent unauthorized external app access. This vulnerability circumvents those protections entirely.
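The permission model described above can be checked mechanically. The following added example (not code from Rapid7, OnePlus or The Register) audits a decoded AndroidManifest.xml for exported providers whose reads or writes require no permission; the manifest and package names are constructed, and it assumes a text-form manifest in which a missing android:exported means not exported.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not taken from any real device image).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.telephony">
  <application>
    <provider android:name=".OpenProvider"
              android:authorities="com.example.open"
              android:exported="true" />
    <provider android:name=".ReadGuardedOnly"
              android:authorities="com.example.readguard"
              android:exported="true"
              android:readPermission="android.permission.READ_SMS" />
    <provider android:name=".Guarded"
              android:authorities="com.example.guarded"
              android:exported="true"
              android:permission="com.example.permission.INTERNAL" />
    <provider android:name=".Private"
              android:authorities="com.example.private"
              android:exported="false" />
  </application>
</manifest>"""


def audit_providers(manifest_xml):
    """Return {authority: [operations open to any app]} for exported providers."""
    findings = {}
    for p in ET.fromstring(manifest_xml).iter("provider"):
        # Assumption: absent android:exported is treated as "false".
        if p.get(ANDROID + "exported", "false").lower() != "true":
            continue  # not reachable from other apps
        both = p.get(ANDROID + "permission")  # covers read and write
        open_ops = []
        if not (p.get(ANDROID + "readPermission") or both):
            open_ops.append("read")
        if not (p.get(ANDROID + "writePermission") or both):
            open_ops.append("write")
        if open_ops:
            findings[p.get(ANDROID + "authorities")] = open_ops
    return findings


if __name__ == "__main__":
    for authority, ops in audit_providers(SAMPLE_MANIFEST).items():
        print(f"{authority}: no permission required for {', '.join(ops)}")
```

A provider that sets only a read permission still accepts writes from any app, which is why the check reports the two operations separately.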
The exploit lets an attacker bypass SMS-based multi-factor authentication protections, and access sensitive personal comms without detection.
Rapid7 has not specified whether attackers have abused this vulnerability in the wild, but it did provide details about how an exploit could look, complete with code snippets – an unusual step for an unpatched critical vulnerability.
Providing details for a weak spot that could lead to sensitive data access is an industry no-no, especially for an unpatched flaw such as CVE-2025-10184. However, it is not unheard of, and in some cases it is used as a last-resort method of getting a vendor to wake up to a threat and issue fixes.
Rapid7 said OnePlus has not responded to numerous attempts to work with it on remediating the issue, the first of which was made on May 1.
According to the supplied disclosure timeline, Rapid7 first contacted the OnePlus Security Response Center (OneSRC) and, after a few failed attempts, tried its main customer support service, which promised an escalated response that never came.
On July 22, Rapid7 said it resorted to messaging OnePlus’s X account to no avail, before trying to reach OnePlus via friendly competitor Oppo, also without success.
As of today, Rapid7 said it “considers OnePlus a non-responsive vendor,” hence the public disclosure.
“This vulnerability affects a wide range of OxygenOS versions and multiple OnePlus devices, and we consider the potential impact to be high,” Rapid7 said in its writeup.
In lieu of a patch, the security shop said OnePlus users should only install apps from trusted sources and remove any non-essential apps. It also recommended changing any SMS-based MFA mechanisms in place to authenticator app-based versions, and opting for encrypted messaging apps over SMS.
The Register contacted OnePlus for a response and will update the story with any further information that comes in. ®
A OnePlus spokesperson said: “We acknowledge the recent disclosure of CVE-2025-10184 and have implemented a fix. This will be rolled out globally via software update starting from mid-October. OnePlus remains committed to protecting customer data and will continue to prioritize security improvements.”
