A significant security flaw has been identified in OnePlus’s OxygenOS, potentially allowing any installed application to access SMS and MMS messages without user consent. This vulnerability, labeled CVE-2025-10184, affects multiple OnePlus devices operating on OxygenOS versions 12 through 15. The flaw poses a substantial risk, especially to SMS-based multi-factor authentication (MFA) systems, and could lead to unauthorized access to personal communications.
Discovery and Technical Details
Cybersecurity firm Rapid7 uncovered this permission bypass vulnerability across various OnePlus smartphone models, including the OnePlus 8T and OnePlus 10 Pro 5G. The root cause lies in improperly secured internal content providers within the Android Telephony package (com.android.providers.telephony). These vulnerabilities can be exploited through SQL injection techniques.
Understanding the Vulnerability
The issue exploits Android’s content provider system, which manages structured data access across applications. In its OxygenOS implementation, OnePlus introduced three additional exported content providers not present in stock Android: PushMessageProvider, PushShopProvider, and ServiceNumberProvider. These providers lack adequate permission controls and proper SQL injection protections.
The most critical flaw resides in the ServiceNumberProvider class. Here, the update method accepts arbitrary SQL code through the ‘where’ parameter without proper sanitization. Malicious applications can exploit this weakness to perform blind SQL injection attacks, using Boolean inference techniques to extract SMS data character by character from the device’s message database.
Exploitation Process
The exploitation involves crafting SQL queries with UNION SELECT statements and substr functions to systematically extract message contents. This vulnerability effectively bypasses Android’s READ_SMS permission system, allowing malicious applications to access SMS data silently, without user consent or system notifications. This is particularly concerning as it compromises SMS-based MFA systems used by banking applications, social media platforms, and other security-sensitive services.
Risk Factors
– Affected Products: OnePlus devices running OxygenOS 12, 14, and 15 (e.g., 8T, 10 Pro)
– Impact: Unauthorized reading of SMS and MMS data and metadata; silent bypass of SMS-based MFA
– Exploit Prerequisites:
1. Vulnerable OxygenOS version with unprotected Telephony content providers
2. At least one row in the exposed table or the ability to insert a dummy row
3. Malicious app installed on the device
– CVSS 3.1 Score: 7.8 (High)
Mitigation Strategies
The vulnerability affects OxygenOS versions 12, 14, and 15 across multiple device models. Notably, OxygenOS 11 versions tested were not vulnerable, suggesting the security flaw was introduced during the OxygenOS 12 development cycle in 2021.
Rapid7 estimates that this issue could be exploited by state-sponsored adversaries and authoritarian regimes seeking to monitor communications. Despite multiple disclosure attempts since May 2025, OnePlus has remained unresponsive, leading to public disclosure without vendor coordination.
User Recommendations
To mitigate exposure, users are advised to:
1. Remove Non-Essential Applications: Uninstall apps that are not essential to reduce potential attack vectors.
2. Transition from SMS-Based MFA: Shift to authenticator applications for multi-factor authentication to enhance security.
3. Utilize Encrypted Messaging Platforms: Use end-to-end encrypted messaging platforms for sensitive communications until OnePlus releases security patches addressing CVE-2025-10184.
Conclusion
The discovery of CVE-2025-10184 underscores the importance of robust security measures in mobile operating systems. Users of affected OnePlus devices should take immediate action to protect their personal data and communications. Staying informed about security updates and promptly applying patches is crucial in mitigating such vulnerabilities.
