OnePlus SMS Leak Vulnerability (CVE‑2025‑10184) Exposed – What You Need to Know

RAPID7 revealed a critical CVE‑2025‑10184 flaw in OnePlus’s OxygenOS that lets any app silently read SMS/MMS without user consent, affecting versions 12‑15, and disclosed details after the vendor failed to respond, highlighting severe risks to account security and privacy.

Java Tech Enthusiast

Network security firm RAPID7 recently disclosed a critical vulnerability in OnePlus smartphones that allows any application to read existing SMS and MMS data without user permission.

Tests show that multiple versions of OxygenOS (the international version of the OS) are affected, while OxygenOS 11 is not; the flaw appears to have been introduced in OxygenOS 12, released on December 7, 2021, and impacts versions 12‑15.

High‑risk vulnerability that requires no user interaction: The issue is identified as CVE‑2025‑10184 with a CVSS score of 8.2/10. It stems from a flaw in OnePlus’s internal component com.oneplus.provider.telephony, which can be exploited via SQL injection to access SMS/MMS data without permission.

Attackers or malicious apps can silently read any received SMS or MMS and transmit the data to a server under their control, without any user notification.

The root cause is a bypass of the security measures in a high‑privilege internal component that normally protects sensitive system data from unauthorized access.

RAPID7 warns that the vulnerability could be used to steal SMS verification codes, hijack user accounts, or monitor private communications.

Disclosure before a fix was available: In the security industry, publishing vulnerability details before a patch is released is considered a serious breach of protocol. RAPID7 chose to disclose the details because OnePlus failed to respond to multiple outreach attempts from May 1, 2025 onward, including contacts with the OnePlus security response center, customer service, and OPPO, none of which drew a substantive reply.
