CVE-2025-10184

Name of the Vulnerable Software and Affected Versions OnePlus OxygenOS versions 12 through 15

Description A significant security issue affects OnePlus devices running OxygenOS. This flaw allows any installed application to read SMS/MMS data and metadata from the system Telephony provider without requiring user permission, interaction, or consent. The user is not notified that their SMS data is being accessed. This could compromise sensitive information and undermine the security of SMS-based Multi-Factor Authentication (MFA). The root cause is missing write permissions in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider) and a blind SQL injection vulnerability in the

update

method of these providers. The vulnerability allows an attacker to extract SMS messages through boolean queries. The issue was discovered in May 2025 and publicly disclosed in September 2025. While OnePlus acknowledged the issue, a patch was not immediately available, with a rollout planned for mid-October 2025.

Recommendations Update your device to the latest OxygenOS version as soon as the patch is available, starting mid-October 2025. Remove any untrusted applications from your device. Switch from SMS-based Multi-Factor Authentication (MFA) to an authenticator app. Use encrypted messaging applications instead of SMS for sensitive communications. Consider switching SMS notifications to push notifications.