PT-2025-39169 · Unknown +1 · Pushmessageprovider +3

Calum Hutton · Published 2025-09-23 · Updated 2025-09-25 · CVE-2025-10184

CVSS v4.0: 8.2

Vector: AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

**Name of the Vulnerable Software and Affected Versions**

OnePlus devices running OxygenOS versions 12 through 15

**Description**

The issue allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could break the security provided by SMS-based Multi-Factor Authentication (MFA) checks. The root cause is a combination of missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider), and a blind SQL injection in the `update` method of those providers.
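
The description names two root causes: content providers exported without a write permission, and an `update` method that builds SQL from caller-controlled input. The following is an added example, not OnePlus or OxygenOS code, of how an Android ContentProvider closes both gaps: the manifest declares `android:writePermission`, the provider re-checks that permission in code, single-row updates bind the row id as a parameter, and bulk updates route the caller's selection through `SQLiteQueryBuilder` in strict mode so it is parsed and validated rather than concatenated. The package name, authority, table and column names are hypothetical; the strict-mode and `update()` methods on `SQLiteQueryBuilder` require API level 30.

```java
// Added example (not OnePlus/OxygenOS code): an Android ContentProvider whose
// update() closes both root causes named in the advisory: a missing write
// permission and a WHERE clause built from untrusted input. Package, authority,
// table and column names are hypothetical.
package com.example.messages;

import android.content.ContentProvider;
import android.content.ContentUris;
import android.content.ContentValues;
import android.content.UriMatcher;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;

import java.util.HashMap;
import java.util.Map;

public class MessageProvider extends ContentProvider {
    // Manifest entry this class assumes. The advisory's first root cause was
    // providers reachable without a write permission, so declare one explicitly:
    //   <provider android:name=".MessageProvider"
    //       android:authorities="com.example.messages"
    //       android:exported="true"
    //       android:readPermission="android.permission.READ_SMS"
    //       android:writePermission="android.permission.WRITE_SMS" />
    static final String AUTHORITY = "com.example.messages";
    static final String WRITE_PERMISSION = "android.permission.WRITE_SMS";
    static final String TABLE = "messages";
    static final int MESSAGES = 1, MESSAGE_ID = 2;
    static final UriMatcher MATCHER = new UriMatcher(UriMatcher.NO_MATCH);
    // Identity projection map: the only columns a caller may name anywhere.
    static final Map<String, String> COLUMNS = new HashMap<>();
    static {
        MATCHER.addURI(AUTHORITY, "messages", MESSAGES);
        MATCHER.addURI(AUTHORITY, "messages/#", MESSAGE_ID);
        for (String c : new String[] {"_id", "address", "body", "read"}) COLUMNS.put(c, c);
    }

    private SQLiteDatabase db; // opened in onCreate() from the app's SQLiteOpenHelper (omitted)

    // Builder that parses and validates caller-supplied SQL fragments instead of
    // pasting them into a raw statement (the advisory's second root cause).
    private SQLiteQueryBuilder strictBuilder() {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);
        qb.setProjectionMap(COLUMNS);
        qb.setStrict(true);         // verify the selection before it reaches SQLite
        qb.setStrictColumns(true);  // every referenced column must be in COLUMNS
        qb.setStrictGrammar(true);  // only a well-formed WHERE expression is accepted
        return qb;
    }

    @Override
    public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
        // Defence in depth: enforce the permission in code as well as in the manifest,
        // so a manifest regression cannot silently reopen the write path.
        getContext().enforceCallingOrSelfPermission(WRITE_PERMISSION, "WRITE_SMS required");
        if (values == null || values.size() == 0) return 0;
        for (String col : values.keySet()) {
            if (!COLUMNS.containsKey(col)) throw new IllegalArgumentException("unknown column " + col);
        }
        switch (MATCHER.match(uri)) {
            case MESSAGE_ID:
                // Single-row URI: bind the id as a parameter and ignore any caller
                // selection; never concatenate "_id=" + uri.getLastPathSegment().
                selection = "_id = ?";
                selectionArgs = new String[] {String.valueOf(ContentUris.parseId(uri))};
                break;
            case MESSAGES:
                // Bulk update: the strict builder validates the caller's selection,
                // and values are bound by SQLite rather than interpolated.
                break;
            default:
                throw new IllegalArgumentException("unknown URI " + uri);
        }
        int rows = strictBuilder().update(db, values, selection, selectionArgs);
        if (rows > 0) getContext().getContentResolver().notifyChange(uri, null);
        return rows;
    }

    @Override public boolean onCreate() { return true; }
    @Override public String getType(Uri uri) { return null; }
    @Override public Cursor query(Uri uri, String[] projection, String selection,
                                  String[] selectionArgs, String sortOrder) {
        // Reads go through the same strict builder; READ_SMS is enforced by the manifest.
        return strictBuilder().query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }
    // insert() and delete() follow the same pattern as update(): enforce
    // WRITE_PERMISSION, then route through strictBuilder() with bound parameters.
    @Override public Uri insert(Uri uri, ContentValues values) { throw new UnsupportedOperationException(); }
    @Override public int delete(Uri uri, String selection, String[] selectionArgs) { throw new UnsupportedOperationException(); }
}
```

The manifest `android:writePermission` is what the platform checks before `update()` is ever invoked; the in-code `enforceCallingOrSelfPermission` is a second check so that a later manifest change cannot reopen the path unnoticed. Binding the row id with `?` and routing bulk selections through the strict builder removes the string concatenation that makes a blind injection possible, and the projection map limits what a caller can reference to the columns the provider intends to expose.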

**Recommendations**

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration: SQL injection, Missing Authorization

Related Identifiers: CVE-2025-10184

Affected Products: OxygenOS, PushMessageProvider, PushShopProvider, ServiceNumberProvider