**Name of the Vulnerable Software and Affected Versions**
OnePlus OxygenOS versions 12 through 15
**Description**
OnePlus devices running OxygenOS allow any installed application to read SMS/MMS data and metadata from the system Telephony provider without requiring any permission, user interaction, or consent. This can lead to disclosure of sensitive information and compromises the security of SMS-based Multi-Factor Authentication (MFA). The flaw is in the internal content provider `com.android.providers.telephony`. The root cause is twofold: write operations are not protected by a permission in the content providers `com.android.providers.telephony.PushMessageProvider`, `com.android.providers.telephony.PushShopProvider`, and `com.android.providers.telephony.ServiceNumberProvider`, and the `update` method of these providers contains a blind SQL injection. An attacker-controlled application therefore needs no special permissions to access SMS data. A Proof of Concept (PoC) demonstrates extracting WhatsApp verification codes directly from the database. The issue was reported as unpatched as of September 25, 2025; OnePlus has acknowledged the vulnerability and stated that a fix will be rolled out globally via software update starting in mid-October.
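The following is an added example, not part of the original advisory and not OnePlus code: a Python audit that flags exported providers in an `AndroidManifest.xml` whose write operations are not gated by any permission, the first root cause described above. The manifest is constructed for illustration; the authorities, the `example.permission.PLACEHOLDER` permission, and `HypotheticalInternalProvider` are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample, NOT the real OxygenOS manifest. Provider class names come
# from the advisory; authorities and the custom permission are placeholders.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.android.providers.telephony">
  <application>
    <provider android:name=".PushMessageProvider"
              android:authorities="example.push_message"
              android:exported="true"
              android:readPermission="android.permission.READ_SMS"/>
    <provider android:name=".PushShopProvider"
              android:authorities="example.push_shop"
              android:exported="true"
              android:permission="example.permission.PLACEHOLDER"/>
    <provider android:name=".ServiceNumberProvider"
              android:authorities="example.service_number"
              android:exported="true"
              android:readPermission="android.permission.READ_SMS"
              android:writePermission="example.permission.PLACEHOLDER"/>
    <provider android:name=".HypotheticalInternalProvider"
              android:authorities="example.internal"
              android:exported="false"/>
  </application>
</manifest>
"""

def _attr(element, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return element.get(f"{{{ANDROID_NS}}}{name}")

def unguarded_write_providers(manifest_xml):
    """Return names of exported providers whose insert/update/delete calls
    are not gated by any manifest permission."""
    findings = []
    for provider in ET.fromstring(manifest_xml.strip()).iter("provider"):
        # Only an explicit exported="true" is flagged; the implicit default
        # depends on the target SDK and is not modelled here.
        if _attr(provider, "exported") != "true":
            continue
        # android:permission covers reads and writes; android:writePermission
        # covers writes only. readPermission alone leaves writes open.
        if _attr(provider, "writePermission") or _attr(provider, "permission"):
            continue
        findings.append(_attr(provider, "name"))
    return findings
```

A provider this check reports still needs its `update` path reviewed for parameterized queries, since a declared write permission does not remove the SQL injection itself.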
**Recommendations**
For devices running OxygenOS version 12, update to the version containing the fix when it becomes available in mid-October.
For devices running OxygenOS version 13, update to the version containing the fix when it becomes available in mid-October.
For devices running OxygenOS version 14, update to the version containing the fix when it becomes available in mid-October.
For devices running OxygenOS version 15, update to the version containing the fix when it becomes available in mid-October.