OnePlus Devices Face Critical CVE‑2025‑10184: Silent SMS Access Exploited
Rapid7 has disclosed CVE‑2025‑10184, a critical flaw in OnePlus devices running OxygenOS 12‑15 that lets any app silently read users’ SMS and MMS messages without permission, potentially exposing verification codes and private data. The disclosure came after the vendor failed to respond to multiple contact attempts.
Rapid7 recently disclosed a high‑risk security vulnerability in OnePlus smartphones that allows any application to read existing SMS and MMS data without user permission.
Multiple versions of OxygenOS are affected, except OxygenOS 11. The flaw appears to have been introduced in OxygenOS 12, released on December 7, 2021, and impacts versions 12‑15.
CVE‑2025‑10184 carries a CVSS score of 8.2/10. The root cause is a defect in the internal component com.oneplus.provider.telephony, which is vulnerable to SQL injection and can be accessed without proper authorization.
Attackers or malicious apps can silently retrieve any SMS or MMS received by the user and exfiltrate the data to a server under their control, without any user interaction or visible notification.
The vulnerability stems from insufficient protection of a high‑privilege internal component, allowing unauthorized access to sensitive system data.
Rapid7 warns that exploiting this flaw could enable theft of SMS verification codes, leading to account hijacking, or allow surveillance of private communications.
Premature public disclosure
Disclosing vulnerability details before a fix is generally avoided in the security community. However, OnePlus did not respond to Rapid7’s outreach attempts, prompting the researchers to publish the details as a last resort to pressure the vendor.
Rapid7 began contacting OnePlus on May 1, 2025, first through the security response center, then via customer service, and later through X/Twitter, but received no substantive reply. Attempts to engage OPPO also failed, leading to the eventual public disclosure.
IT Services Circle
