Rapid7: OnePlus phones vulnerable to SMS theft since 2021

Security Vulnerability in OnePlus Smartphones Exposed

Security researchers have identified a significant vulnerability affecting OnePlus smartphone users, which has persisted since late 2021. According to a recent blog post by Rapid7, multiple versions of OxygenOS are susceptible to a flaw that allows any application to access SMS and MMS data without user consent. Notably, devices running OxygenOS 11 appear to be unaffected, suggesting that the issue was introduced with the release of OxygenOS 12 on December 7, 2021.

This vulnerability, tracked as CVE-2025-10184 and rated 8.2 (high), arises because sensitive internal content providers are exposed without proper permission checks; those providers are also susceptible to SQL injection. The researchers emphasized that the flaw is silent: users receive no indication when their SMS or MMS data is read or sent elsewhere. Importantly, exploitation requires no user interaction.

A successful exploit could enable attackers to bypass SMS-based multi-factor authentication (MFA) protections, potentially granting surveillance-oriented entities unfettered access to personal messages. The flaw resides in the OnePlus-specific content provider com.oneplus.provider.telephony. Content providers are a core Android mechanism: they mediate access to an app's data through a query API and are meant to enforce permissions so that other apps cannot read data they are not entitled to. Here that safeguard is missing entirely, so any app on the device can read the messages.
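The permission check described above is something a practitioner can audit directly from an app's manifest. The following Python script is an added example, not code from Rapid7 or OnePlus, and the manifest it parses is a constructed sample with hypothetical package and provider names. It applies Android's documented rule that a `<provider>` with no explicit `android:exported` attribute is exported by default when `targetSdkVersion` is 16 or lower (and private from 17 on), and flags any exported provider that declares no `permission`, `readPermission` or `writePermission`.

```python
"""Audit an AndroidManifest.xml for content providers that any app can query.

Added example; not code from Rapid7 or OnePlus.  The manifest below is a
constructed sample with hypothetical package and provider names.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest.  targetSdkVersion 16 matters: on API 16 or
# lower Android exports a <provider> by default unless exported="false".
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.telephony">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="16"/>
  <application>
    <!-- exported, no permission attributes: any app can query it -->
    <provider android:name=".SmsProvider"
              android:authorities="com.example.provider.sms"
              android:exported="true"/>
    <!-- exported but guarded by read/write permissions -->
    <provider android:name=".MmsProvider"
              android:authorities="com.example.provider.mms"
              android:exported="true"
              android:readPermission="android.permission.READ_SMS"
              android:writePermission="android.permission.WRITE_SMS"/>
    <!-- no android:exported at all: exported by default on targetSdk 16 or lower -->
    <provider android:name=".LegacyProvider"
              android:authorities="com.example.provider.legacy"/>
    <!-- explicitly private -->
    <provider android:name=".InternalProvider"
              android:authorities="com.example.provider.internal"
              android:exported="false"/>
  </application>
</manifest>
"""


def android_attr(elem, name, default=None):
    """Read an android:-namespaced attribute such as android:exported."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def provider_is_exported(provider, target_sdk):
    """Android's rule: an explicit android:exported wins; otherwise a provider
    is exported when targetSdkVersion is 16 or lower and private from 17 on."""
    explicit = android_attr(provider, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return target_sdk <= 16


def audit_providers(manifest_xml):
    """Return {authority: status} for every <provider> in the manifest."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    target_sdk = 1  # Android's default when <uses-sdk> is absent
    if uses_sdk is not None:
        # targetSdkVersion defaults to minSdkVersion, which defaults to 1
        target_sdk = int(android_attr(uses_sdk, "targetSdkVersion",
                                      android_attr(uses_sdk, "minSdkVersion", "1")))
    report = {}
    for prov in root.iter("provider"):
        authority = android_attr(prov, "authorities", "<unnamed>")
        guards = [a for a in ("permission", "readPermission", "writePermission")
                  if android_attr(prov, a)]
        path_guards = prov.findall("path-permission")
        if not provider_is_exported(prov, target_sdk):
            status = "private"
        elif guards:
            status = "exported, guarded by " + ", ".join(guards)
        elif path_guards:
            status = "exported, path-permission only (check uncovered paths)"
        else:
            status = "EXPORTED WITHOUT PERMISSION"
        report[authority] = status
    return report


def unprotected_providers(manifest_xml):
    """Authorities that any installed app can query with no permission at all."""
    return [auth for auth, status in audit_providers(manifest_xml).items()
            if status == "EXPORTED WITHOUT PERMISSION"]


if __name__ == "__main__":
    for authority, status in audit_providers(SAMPLE_MANIFEST).items():
        print(f"{authority:40} {status}")
```

To run this against a real app, feed it the decoded manifest extracted from the APK (for example, the output of `apkanalyzer manifest print app.apk` from the Android SDK command-line tools). A flag here is a lead rather than proof: a provider can also enforce permissions in code (for instance via `Context.checkCallingPermission`), so each flagged authority still needs to be queried from an unprivileged test app to confirm it really hands data back.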

Rapid7 has not confirmed whether this vulnerability has been exploited in the wild. However, the firm has published detailed insights into how an exploit could be executed, including code snippets, an unusual move for a high-severity vulnerability that remains unpatched. While sharing such details is generally avoided, it can sometimes serve as a last-ditch effort to prompt a vendor to address a looming threat.

Despite multiple outreach attempts since May 1, Rapid7 reported that OnePlus has not engaged in discussions to remediate the issue. The timeline of disclosures indicates that after initial contact with the OnePlus Security Response Center (OneSRC) yielded no results, Rapid7 attempted to escalate the matter through OnePlus’s customer support, which promised a response that never materialized. Subsequent efforts to reach OnePlus via its X account and through competitor Oppo also proved fruitless.

As of now, Rapid7 has classified OnePlus as a non-responsive vendor, prompting the public disclosure of this vulnerability. The firm noted, “This vulnerability affects a wide range of OxygenOS versions and multiple OnePlus devices, and we consider the potential impact to be high.”

In the absence of a patch, Rapid7 advises OnePlus users to take precautionary measures, including:

  • Only installing applications from trusted sources.
  • Removing any non-essential applications.
  • Transitioning from SMS-based MFA to authenticator app-based alternatives.
  • Opting for encrypted messaging applications instead of traditional SMS.

The Register has reached out to OnePlus for a response and will provide updates as more information becomes available.
