OnePlus smartphones running OxygenOS versions 12 through 15 contain a critical security vulnerability that allows malicious apps to read and send SMS messages without user permission, cybersecurity firm Rapid7 revealed this week. The flaw, tracked as CVE-2025-10184 with a severity score of 8.2 out of 10, potentially affects millions of devices manufactured over the past four years.

The vulnerability enables attackers to access sensitive text messages, including two-factor authentication codes, and send unauthorized SMS messages on behalf of victims. Only devices still running 2020’s OxygenOS 11 or earlier remain unaffected by this security breach.

OnePlus acknowledges problem

Rapid7 researchers discovered the flaw in May 2024 but struggled to contact OnePlus through traditional channels. After failed attempts at private disclosure, the security firm published its findings publicly on Monday. OnePlus didn’t acknowledge the issue until earlier this week, when the company finally confirmed awareness of the exploit, according to 9to5Google.

The vulnerability stems from modifications OnePlus made to Android’s standard Telephony package when transitioning to OxygenOS 12. The company added three content providers to the service but failed to properly secure write permissions, creating an exploitable weakness that allows any installed app to access SMS data without user consent.

OnePlus in a statement to 9to5Google: “We acknowledge the recent disclosure of CVE-2025-10184 and have implemented a fix. This will be rolled out globally via software update starting from mid-October. OnePlus remains committed to protecting customer data and will continue to prioritize security improvements.

What should affected OnePlus smartphone users do

OnePlus has promised a global software update starting mid-October to address the security flaw. However, until the patch arrives, cybersecurity experts strongly advise users to take immediate protective action.

Rapid7 recommends OnePlus owners install only essential apps from trusted sources and remove unnecessary applications. Users should immediately switch from SMS-based two-factor authentication to authenticator apps and migrate conversations from text messaging to encrypted platforms like WhatsApp or Telegram.

The discovery highlights ongoing security challenges facing Android device manufacturers who customize Google’s operating system, particularly when modifications affect core system components responsible for handling sensitive user data.

Join the community of 2M+ industry professionals.

Subscribe to Newsletter to get latest insights & analysis in your inbox.

All about ETCISO industry right on your smartphone!