Flaw in OnePlus phones lets apps read your texts, fix rolling out soon

What you need to know

A significant security vulnerability has been identified in OnePlus devices running OxygenOS versions 12 through 15. The flaw, designated CVE-2025-10184, allows malicious applications to access and transmit text messages without user consent. The implications are serious: attackers could intercept critical communications, such as two-factor authentication (2FA) codes, or even send messages impersonating the user, thereby facilitating account takeovers.

The root of the issue lies in three new components that OnePlus introduced: PushMessageProvider, PushShopProvider, and ServiceNumberProvider. These components were not adequately secured, so harmful apps can exploit the system through SQL injection or similar methods and bypass Android's standard security measures. This makes the vulnerability particularly alarming, as it poses a greater risk than typical bugs.
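For developers and app reviewers, one way to check for provider components that other apps can reach without any permission is to audit a decoded AndroidManifest.xml, as in this added example (not code from the article, Rapid7, or OnePlus). The article does not say exactly how the three providers were left unprotected; the sample manifest, the com.example names and the check itself are constructed assumptions illustrating one common misconfiguration.

```python
# Added example: flag exported <provider> entries that declare no read or
# write permission. SAMPLE_MANIFEST and all com.example names are constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application>
    <provider android:name="com.example.demo.OpenProvider"
              android:authorities="com.example.demo.open"
              android:exported="true"/>
    <provider android:name="com.example.demo.ReadGuardedProvider"
              android:authorities="com.example.demo.readguard"
              android:exported="true"
              android:readPermission="com.example.demo.READ"/>
    <provider android:name="com.example.demo.GuardedProvider"
              android:authorities="com.example.demo.guarded"
              android:exported="true"
              android:permission="com.example.demo.ACCESS"/>
    <provider android:name="com.example.demo.PrivateProvider"
              android:authorities="com.example.demo.private"
              android:exported="false"/>
  </application>
</manifest>
"""

def attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def audit_providers(manifest_xml):
    """Return [(provider name, [unguarded access kinds])] for exported providers."""
    findings = []
    for prov in ET.fromstring(manifest_xml).iter("provider"):
        # Assumption: a missing android:exported is treated as not exported
        # (the default for providers in apps targeting API 17 and later).
        if attr(prov, "exported") != "true":
            continue
        base = attr(prov, "permission")  # covers both read and write when set
        gaps = [kind for kind, key in (("read", "readPermission"),
                                       ("write", "writePermission"))
                if not (attr(prov, key) or base)]
        if gaps:
            findings.append((attr(prov, "name"), gaps))
    return findings
```

A provider that guards reads but not writes still shows up in the results, because an unguarded write path can be enough to reach the underlying database. The check ignores path-level permissions and URI grants, so treat a clean result as a starting point rather than proof.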

Adding to the concern was OnePlus’s delayed response to the situation. Rapid7, the cybersecurity firm that discovered the flaw, reported it back in May 2025 and made several attempts to engage with OnePlus over the ensuing months. It wasn’t until Rapid7 publicly disclosed their findings, complete with a proof of concept, that OnePlus acknowledged the issue.

Fix incoming

In light of the situation, OnePlus has confirmed that a remedy is in the works. The company has announced that a security patch will be rolled out globally in mid-October, as reported by 9to5Google. This patch aims to rectify the permission bypass and effectively close the SMS loophole that has raised so many concerns.

In the interim, OnePlus users are advised to exercise caution regarding app installations. It is crucial to download applications solely from reputable sources, as malicious apps are the primary vector for exploiting this vulnerability. Additionally, users should consider uninstalling any applications that are no longer in use or appear suspicious.

Experts further recommend adopting more secure methods for two-factor authentication, such as utilizing authenticator apps or hardware security keys, rather than relying solely on SMS codes. This proactive approach can help safeguard personal information until the official patch is deployed.

AppWizard