If in case you have a OnePlus telephone, your textual content messages is perhaps in danger

Cybersecurity firm Rapid7 has recognized a serious new permission bypass vulnerability inside modern OnePlus smartphones referred to as CVE-2025-10184. This novel exploit, if leveraged by unhealthy actors, may allow rogue purposes to learn delicate SMS and MMS textual content message information from the system’s Telephony supplier service — all with out the explicitly granted permission of the consumer.

Theoretically, CVE-2025-10184 may impression all OnePlus units working OxygenOS 12, 14, and 15, although Rapid7 itself solely examined OnePlus 8T and 10 Pro 5G fashions. Older OnePlus handsets working Oxygen 11 (based mostly on Android 11) or earlier look like unaffected by the exploit.

“The problem stems from the truth that delicate inner content material suppliers are accessible with out permission, and are weak to SQL injection. Primarily based on our evaluation, this vulnerability could possibly be leveraged to bypass the core Android READ_SMS permission to silently exfiltrate customers’ SMS information with out their consent and break SMS-based MFA techniques,” writes Rapid7 in a blog post.

With out stepping into an excessive amount of technical element, it seems that the exploit stems from modifications made by OnePlus to the Android Open Source Project’s (AOSP’s) core Telephony bundle again within the Android 12 days, in an effort to combine further content material suppliers into the service. Whereas the corporate applied the suitable learn permissions into its modification, there was some type of oversight made within the addition of efficient write permissions.

An official repair is on the best way

OnePlus acknowledges the vulnerability and is engaged on a patch

In an announcement provided to 9to5Google, OnePlus has confirmed that it is conscious of this newly-surfaced texting vulnerability discovered inside OxygenOS, and that it has efficiently applied a working repair for it. The corporate goes on to say that the patch shall be pushed out throughout the globe through an over-the-air (OTA) software program replace “ranging from mid-October.”

It is nice to listen to that OnePlus is working to plug this doubtlessly main safety vulnerability throughout its portfolio of handsets. That being mentioned, studies of the corporate failing to reply to Rapid7’s preliminary non-public inquiry are regarding, as are Rapid7’s characterizations of the OnePlus Bug Bounty Program’s “restrictive Non Disclosure Settlement” phrases and situations.

In any case, a repair is on the best way, which implies OnePlus customers can breathe a sigh of reduction. Within the meantime, Rapid7 recommends chopping down on non-essential apps, avoiding the set up of apps from unknown sources, and making use of a devoted authenticator app for two-factor authentication (2FA) versus counting on SMS one-time password (OTP) codes.