PT-2025-39169 · Unknown +1 · Pushmessageprovider +3

Calum Hutton · Published 2025-09-23 · Updated 2025-10-30 · CVE-2025-10184

CVSS v4.0: 8.2
Vector: AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OnePlus OxygenOS versions 12 through 15
Description: A security issue exists in OnePlus devices running OxygenOS 12 through 15, allowing any installed application to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. This bypasses the standard Android permissions and could lead to sensitive information disclosure, potentially breaking the security provided by SMS-based Multi-Factor Authentication (MFA). The root cause is missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider) and a blind SQL injection in the update method of those providers. The vulnerability has been confirmed on devices such as the OnePlus 8T and 10 Pro. Researchers at Rapid7 reported the issue to OnePlus in May 2025, but received no response until public disclosure. The vulnerability allows for the extraction of SMS messages, including verification codes, through a blind SQL injection attack targeting the ServiceNumberProvider.
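One defender-side check for the root cause described above: an audit of AndroidManifest.xml provider entries that flags exported providers whose write path (insert/update/delete) carries no permission. This is an added example, not OnePlus or Rapid7 code; the sample manifest, its attributes and the hypothetical SmsProvider entry are constructed from Android's documented manifest semantics, not taken from an OxygenOS build.

```python
"""Audit AndroidManifest.xml <provider> entries for the root cause named above:
an exported ContentProvider whose write path (insert/update/delete) is gated by
no permission at all. Added example, not OnePlus or AOSP code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest: provider names echo the advisory, but every
# attribute here is illustrative and not taken from an OxygenOS build.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.android.providers.telephony">
  <application>
    <provider android:name=".SmsProvider" android:authorities="sms"
              android:exported="true"
              android:readPermission="android.permission.READ_SMS"
              android:writePermission="android.permission.WRITE_SMS"/>
    <provider android:name=".PushMessageProvider"
              android:authorities="pushmessage" android:exported="true"/>
    <provider android:name=".PushShopProvider" android:authorities="pushshop"
              android:exported="true"
              android:readPermission="android.permission.READ_SMS"/>
    <provider android:name=".ServiceNumberProvider"
              android:authorities="servicenumber"/>
  </application>
</manifest>"""


def attr(el, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def unprotected_write_providers(manifest_xml, target_sdk=30):
    """Names of exported providers whose insert/update/delete need no permission.

    Manifest semantics applied: exported defaults to true for providers only
    when targetSdk < 17; android:writePermission gates writes specifically and
    falls back to android:permission; readPermission alone leaves writes open.
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    for p in root.iter("provider"):
        exported = attr(p, "exported")
        is_exported = exported == "true" if exported is not None else target_sdk < 17
        if not is_exported:
            continue
        if not (attr(p, "writePermission") or attr(p, "permission")):
            findings.append(attr(p, "name"))
    return findings
```

Run against a real manifest pulled from a build, the same function reports every provider that a zero-permission app can write to; each hit is then a candidate for the missing-authorization and update()-injection review the advisory describes.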
Recommendations: Remove all untrusted applications from affected devices. Switch from SMS-based Multi-Factor Authentication (MFA) to authenticator applications. Use encrypted messaging platforms instead of SMS for sensitive communications. Consider switching SMS notifications to push notifications, if possible.

Exploit

Fix

Weakness Enumeration: Missing Authorization, SQL injection

Related Identifiers: CVE-2025-10184

Affected Products: OxygenOS, PushMessageProvider, PushShopProvider, ServiceNumberProvider