In case you have a OnePlus telephone, your textual content messages may be in danger

Cybersecurity firm Rapid7 has recognized a significant new permission bypass vulnerability inside modern OnePlus smartphones known as CVE-2025-10184. This novel exploit, if leveraged by dangerous actors, might allow rogue purposes to learn delicate SMS and MMS textual content message knowledge from the system’s Telephony supplier service — all with out the explicitly granted permission of the consumer.

Theoretically, CVE-2025-10184 may influence all OnePlus units operating OxygenOS 12, 14, and 15, although Rapid7 itself solely examined OnePlus 8T and 10 Pro 5G fashions. Older OnePlus handsets operating Oxygen 11 (based mostly on Android 11) or earlier look like unaffected by the exploit.

“The difficulty stems from the truth that delicate inside content material suppliers are accessible with out permission, and are weak to SQL injection. Based mostly on our evaluation, this vulnerability might be leveraged to bypass the core Android READ_SMS permission to silently exfiltrate customers’ SMS knowledge with out their consent and break SMS-based MFA techniques,” writes Rapid7 in a blog post.

With out entering into an excessive amount of technical element, it seems that the exploit stems from modifications made by OnePlus to the Android Open Source Project’s (AOSP’s) core Telephony bundle again within the Android 12 days, as a way to combine additional content material suppliers into the service. Whereas the corporate applied the suitable learn permissions into its modification, there was some sort of oversight made within the addition of efficient write permissions.

An official repair is on the best way

OnePlus acknowledges the vulnerability and is engaged on a patch

In an announcement provided to 9to5Google, OnePlus has confirmed that it is conscious of this newly-surfaced texting vulnerability discovered inside OxygenOS, and that it has efficiently applied a working repair for it. The corporate goes on to say that the patch might be pushed out throughout the globe through an over-the-air (OTA) software program replace “ranging from mid-October.”

It is nice to listen to that OnePlus is working to plug this probably main safety vulnerability throughout its portfolio of handsets. That being stated, experiences of the corporate failing to reply to Rapid7’s preliminary non-public inquiry are regarding, as are Rapid7’s characterizations of the OnePlus Bug Bounty Program’s “restrictive Non Disclosure Settlement” phrases and situations.

In any case, a repair is on the best way, which suggests OnePlus customers can breathe a sigh of reduction. Within the meantime, Rapid7 recommends chopping down on non-essential apps, avoiding the set up of apps from unknown sources, and making use of a devoted authenticator app for two-factor authentication (2FA) versus counting on SMS one-time password (OTP) codes.