When you’ve got a OnePlus cellphone, your textual content messages is perhaps in danger

Cybersecurity firm Rapid7 has recognized a significant new permission bypass vulnerability inside modern OnePlus smartphones known as CVE-2025-10184. This novel exploit, if leveraged by unhealthy actors, might allow rogue functions to learn delicate SMS and MMS textual content message knowledge from the system’s Telephony supplier service — all with out the explicitly granted permission of the consumer.

Theoretically, CVE-2025-10184 would possibly influence all OnePlus gadgets operating OxygenOS 12, 14, and 15, although Rapid7 itself solely examined OnePlus 8T and 10 Pro 5G fashions. Older OnePlus handsets operating Oxygen 11 (primarily based on Android 11) or earlier seem like unaffected by the exploit.

“The difficulty stems from the truth that delicate inside content material suppliers are accessible with out permission, and are susceptible to SQL injection. Primarily based on our evaluation, this vulnerability might be leveraged to bypass the core Android READ_SMS permission to silently exfiltrate customers’ SMS knowledge with out their consent and break SMS-based MFA methods,” writes Rapid7 in a blog post.

With out moving into an excessive amount of technical element, it seems that the exploit stems from modifications made by OnePlus to the Android Open Source Project’s (AOSP’s) core Telephony package deal again within the Android 12 days, with the intention to combine further content material suppliers into the service. Whereas the corporate applied the suitable learn permissions into its modification, there was some sort of oversight made within the addition of efficient write permissions.

An official repair is on the way in which

OnePlus acknowledges the vulnerability and is engaged on a patch

In an announcement provided to 9to5Google, OnePlus has confirmed that it is conscious of this newly-surfaced texting vulnerability discovered inside OxygenOS, and that it has efficiently applied a working repair for it. The corporate goes on to say that the patch can be pushed out throughout the globe by way of an over-the-air (OTA) software program replace “ranging from mid-October.”

It is nice to listen to that OnePlus is working to plug this probably main safety vulnerability throughout its portfolio of handsets. That being mentioned, stories of the corporate failing to answer Rapid7’s preliminary personal inquiry are regarding, as are Rapid7’s characterizations of the OnePlus Bug Bounty Program’s “restrictive Non Disclosure Settlement” phrases and situations.

In any case, a repair is on the way in which, which suggests OnePlus customers can breathe a sigh of aid. Within the meantime, Rapid7 recommends chopping down on non-essential apps, avoiding the set up of apps from unknown sources, and making use of a devoted authenticator app for two-factor authentication (2FA) versus counting on SMS one-time password (OTP) codes.