Security researchers from Rapid7 disclosed an unpatched vulnerability in OnePlus OxygenOS that could allow any installed app to access SMS data and metadata without permissions or user interaction. The flaw, tracked as CVE-2025-10184, affects OxygenOS across versions 12 through 15 and remains unpatched, according to Rapid7’s analysis.
The vulnerability stems from OnePlus altering the stock Android Telephony package to introduce additional exported content providers, such as PushMessageProvider, PushShopProvider and ServiceNumberProvider. The manifest for these providers does not declare a write permission for READ_SMS, leaving SMS data accessible to any app by default, even apps without SMS permissions, according to Rapid7.
Rapid7 describes a proof-of-concept technique that could enable attackers to reconstruct SMS content via a blind SQL injection, using the update method’s return value as a true/false indicator. While the read permission is set, the lack of a write permission enables inference under certain conditions, including: (1) an exposed table containing at least one row; (2) the provider allowing insert() operations; and (3) the sms table sharing the same SQLite database file so the injected subquery can reference it.
The issue affects all OxygenOS versions from 12 up to the latest 15, built on Android 15. Rapid7 tested and confirmed the vulnerability on OnePlus 8T and 10 Pro with various Telephony package numbers, but researchers say the test set is likely non-exhaustive and the flaw is not hardware-specific.
OnePlus acknowledged the disclosure after Rapid7’s publication and said it has started an investigation into the problem. The company did not respond to BleepingComputer’s requests for comment by press time. In the interim, Rapid7 urged device users to minimize installed apps, install software only from reputable publishers, and use OTP apps (such as Google Authenticator) for two-factor authentication instead of SMS-based codes.
Security researchers also advise that sensitive communications should be conducted via end-to-end encrypted apps until a patch is released.