A severe security vulnerability in OnePlus OxygenOS has been discovered that allows any installed application to read SMS and MMS messages without requesting permission or notifying users.
The flaw, designated CVE-2025-10184, affects multiple OnePlus devices running OxygenOS versions 12 through 15, potentially compromising SMS-based multi-factor authentication (MFA) systems and exposing sensitive personal communications to unauthorized access.
Cybersecurity firm Rapid7 identified this permission bypass vulnerability across several OnePlus smartphone models, including the OnePlus 8T, OnePlus 10 Pro 5G, and potentially other devices in the ecosystem.
The vulnerability stems from improperly secured internal content providers within the Android Telephony package (com.android.providers.telephony) that can be exploited through SQL injection techniques.
OnePlus OxygenOS Vulnerability
The vulnerability exploits Android’s content provider system, which manages structured data access across applications.
OnePlus introduced three additional exported content providers in their OxygenOS implementation that are not present in stock Android: PushMessageProvider, PushShopProvider, and ServiceNumberProvider.
These providers contain inadequate permission controls and lack proper SQL injection protections.
The most critical flaw exists in the ServiceNumberProvider class, where the update method accepts arbitrary SQL code through the where parameter without sanitization.
Malicious applications can exploit this weakness to perform blind SQL injection attacks, utilizing Boolean inference techniques to extract SMS data character by character from the device’s message database, as the report states.
The exploitation process involves crafting SQL queries with UNION SELECT statements and substr functions to systematically extract message contents.
This vulnerability presents significant security implications beyond simple message interception.
The flaw effectively bypasses Android’s READ SMS permission system, allowing malicious applications to access SMS data silently without user consent or system notifications.
Most critically, this compromises SMS-based MFA systems used by banking applications, social media platforms, and other security-sensitive services.
| Risk Factors | Details |
| Affected Products | OnePlus devices running OxygenOS 12, 14, and 15 (e.g. 8T, 10 Pro) |
| Impact | Unauthorized read of SMS and MMS data and metadata; silent bypass of SMS-based MFA |
| Exploit Prerequisites | 1. Vulnerable OxygenOS version with unprotected Telephony content providers 2. At least one row in exposed table or ability to insert dummy row 3. Malicious app installed on device |
| CVSS 3.1 Score | 7.8 (High) |
Mitigations
The vulnerability affects OxygenOS versions 12, 14, and 15 across multiple device models. Notably, the OxygenOS 11 versions tested were not vulnerable, suggesting the security flaw was introduced during the OxygenOS 12 development cycle in 2021.
Rapid7 estimates the issue could affect surveillance activities by state-sponsored adversaries and authoritarian regimes seeking to monitor communications.
OnePlus has remained unresponsive to Rapid7’s disclosure attempts since May 2025, leading to public disclosure without vendor coordination.
Users can mitigate exposure by removing non-essential applications, transitioning from SMS-based MFA to authenticator applications, and utilizing end-to-end encrypted messaging platforms for sensitive communications until OnePlus releases security patches addressing CVE-2025-10184.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
Source link
