PT-2025-43907 · Google · Google Messages For Wear Os

Gabriele Digregorio · Published 2025-10-27 · Updated 2025-10-30 · CVE-2025-12080

CVSS v4.0: 6.9
Vector: AV:A/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: Google Messages on Wear OS (affected versions not specified)

Description: A misconfiguration in the handling of ACTION_SENDTO intents utilizing the sms:, smsto:, mms:, and mmsto: Uniform Resource Identifier (URI) schemes allows for unauthorized message transmission. An attacker capable of invoking an Android intent can send messages on a user's behalf to arbitrary receivers without user interaction or permissions. This enables silent and unauthorized message transmission from a compromised Wear OS device. An intent is a messaging component used to request an action from another app component. The vulnerability arises from incorrect implementation when Google Messages is set as the default SMS/MMS/RCS application.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration: Insufficient Verification of Data Authenticity

Related Identifiers: CVE-2025-12080

Affected Products: Google Messages For Wear Os