Security researchers at Rapid7 have disclosed a critical flaw in multiple versions of OxygenOS, the Android-based firmware used on OnePlus devices. Tracked as CVE-2025-10184, the issue allows any installed application to read SMS content and metadata without requesting SMS permissions or user interaction. At publication time, the bug remained unpatched. Rapid7 reports that outreach to the vendor began in May 2025; following delayed responses, the firm released technical details and a limited proof of concept (PoC).
What Rapid7 found: unauthorized SMS access via OxygenOS
The flaw stems from OnePlus-specific modifications to the Android Telephony stack. OxygenOS adds extra exported content providers—including PushMessageProvider, PushShopProvider, and ServiceNumberProvider—that are exposed to other apps but lack appropriate permission checks. In a secure design, content providers that expose or modify SMS data must enforce permissions (for example, READ_SMS or signature-level access). Here, default-allow behavior enables any app on the device to interact with these providers even if it has no SMS-related permissions.
Technical root cause: missing access controls and blind SQL injection
Beyond weak export rules, user-supplied input to these providers is not sanitized. This opens the door to blind SQL injection—a technique where an attacker infers the contents of a database by observing indirect responses, such as the number of rows affected by an update call. By iteratively “guessing” characters and checking provider responses, a malicious app can reconstruct message text and metadata stored in the device’s local SMS database without issuing a direct query.
Affected OnePlus devices and scope
According to Rapid7, the vulnerability impacts OxygenOS 12 through 15 (including OxygenOS 15 based on Android 15). Exploitation has been confirmed on OnePlus 8T and OnePlus 10 Pro across multiple OxygenOS and Telephony package builds. The issue is not hardware-specific; because it resides in a system component, other OnePlus models running the affected OxygenOS versions may also be vulnerable.
Threat impact: OTP theft, account takeover, and privacy risks
Silent access to SMS creates immediate risk of one-time password (OTP) and two-factor authentication (2FA) theft, transaction confirmation interception, and exposure of banking and service notifications. Crucially, exploitation only requires that a user installs an app—malicious or otherwise. Seemingly legitimate apps embedding aggressive SDKs or advertising modules can abuse the exported providers to siphon SMS data despite Android’s permission model. This is a direct violation of the platform’s security assumptions that require explicit user consent for SMS access.
Why the permission model break is especially severe
Android’s security model relies on runtime permissions, component isolation, and least privilege. Exported content providers must verify caller identity and enforce granular permissions. In this case, lax provider configuration enables write/update operations without checks, and the lack of input validation permits blind SQL injection. As a result, SMS data becomes reachable through indirect signals, undermining user consent and app sandboxing. Notably, NIST SP 800-63B classifies SMS-based OTP as a restricted authenticator due to interception risks, and implementation flaws like CVE-2025-10184 further amplify the danger of SMS as a second factor.
Mitigations for users and organizations before a patch
Reduce your attack surface: uninstall rarely used apps and install software only from trusted developers and reputable stores.
Avoid SMS-based 2FA temporarily: switch to app-based TOTP (e.g., Google Authenticator, Microsoft Authenticator) or hardware security keys (FIDO2/WebAuthn) wherever available.
Move sensitive conversations to end-to-end encrypted messengers until fixes are available.
For enterprises: enforce MDM/EMM policies, application allowlists, controlled installation sources, and mobile threat detection. Monitor for anomalous content provider interactions and restrict nonessential apps in work profiles to limit potential exploitation via embedded SDKs.
Vendor response and patch outlook
Following Rapid7’s disclosure, OnePlus acknowledged the issue and stated it is investigating. Users should apply security updates as soon as they are released. Until patches land, defensive hygiene—minimal app footprint, non-SMS 2FA, and vigilant app sourcing—materially reduces exposure.
CVE-2025-10184 underscores how deviations from Android’s standard security controls can nullify permission boundaries. Keep device software current, prefer phishing-resistant or app-based authenticators over SMS, and audit installed apps regularly. These steps significantly lower the risk of SMS compromise and account takeover while the vendor works on a permanent fix.