A vulnerability in OnePlus's version of Android allows apps to read SMS messages and their content without the user's permission. The bug has not yet been fixed.
Security researchers from Rapid7 have discovered a vulnerability in OxygenOS, the Android skin that OnePlus uses on its phones. Due to a bug in that system, apps on affected devices can gain access to SMS and MMS messages without the user granting permission. The access is completely invisible: no notifications, no interaction.
The bug, designated CVE-2025-10184, lies in an underlying Android component that manages messages: a so-called content provider, which is normally secured with access rights. On OnePlus devices, however, certain parts of this system appear to be insufficiently protected, allowing apps to request information through crafted queries, even when they officially have no access to messages.
Danger for MFA
According to Rapid7, the bug has been present since version 12 of OxygenOS, released in 2021. The researchers have confirmed the bug on devices including the OnePlus 8T and OnePlus 10 Pro with recent software versions. Because the bug is located in a core component of the operating system, it’s very likely that other devices with OxygenOS 12, 13, 14, or 15 are also vulnerable.
An app that exploits this bug can secretly read SMS content. This makes it possible to intercept security codes for multi-factor authentication (MFA), for example.
The vulnerability is particularly sensitive in contexts where surveillance poses a risk, such as for governments or activists. Rapid7 warns that both cybercriminals and state actors could use the flaw for espionage or data theft.
No Patch, but Action
Rapid7 has tried to contact OnePlus multiple times since May 2025 about the vulnerability. The manufacturer only responded on September 24, one day after Rapid7 made the information public. OnePlus confirmed it would investigate the report, but no fix is available yet. OnePlus was supposed to roll out a patch during October.
Until an official security update is available, Rapid7 recommends:
- Only installing apps from trusted sources.
- Replacing SMS-based MFA with authenticator apps.
- Where possible, not having sensitive information sent via SMS.
- Switching to apps with end-to-end encryption for messaging.
All these suggestions are good advice even outside the context of this security vulnerability.
OnePlus device users would do well to review their apps and be extra vigilant for unexpected access to their data.
What about Oppo?
OnePlus is a subsidiary of Oppo, which also sells phones under its own name in our country. Oppo devices run ColorOS. That operating system looks different, but it shares much with OxygenOS under the hood. Rapid7 itself has not heard from Oppo whether ColorOS is also at risk. ITdaily has also put this question to Oppo. We will update this article if we receive more information.