If in case you have a OnePlus cellphone, your textual content messages could be in danger

Cybersecurity firm Rapid7 has recognized a significant new permission bypass vulnerability inside modern OnePlus smartphones referred to as CVE-2025-10184. This novel exploit, if leveraged by dangerous actors, might allow rogue purposes to learn delicate SMS and MMS textual content message information from the system’s Telephony supplier service — all with out the explicitly granted permission of the person.

Theoretically, CVE-2025-10184 may influence all OnePlus units working OxygenOS 12, 14, and 15, although Rapid7 itself solely examined OnePlus 8T and 10 Pro 5G fashions. Older OnePlus handsets working Oxygen 11 (based mostly on Android 11) or earlier seem like unaffected by the exploit.

“The difficulty stems from the truth that delicate inside content material suppliers are accessible with out permission, and are weak to SQL injection. Primarily based on our evaluation, this vulnerability might be leveraged to bypass the core Android READ_SMS permission to silently exfiltrate customers’ SMS information with out their consent and break SMS-based MFA methods,” writes Rapid7 in a blog post.

With out moving into an excessive amount of technical element, it seems that the exploit stems from modifications made by OnePlus to the Android Open Source Project’s (AOSP’s) core Telephony package deal again within the Android 12 days, with a purpose to combine further content material suppliers into the service. Whereas the corporate applied the suitable learn permissions into its modification, there was some type of oversight made within the addition of efficient write permissions.

An official repair is on the way in which

OnePlus acknowledges the vulnerability and is engaged on a patch

In an announcement provided to 9to5Google, OnePlus has confirmed that it is conscious of this newly-surfaced texting vulnerability discovered inside OxygenOS, and that it has efficiently applied a working repair for it. The corporate goes on to say that the patch shall be pushed out throughout the globe by way of an over-the-air (OTA) software program replace “ranging from mid-October.”

It is nice to listen to that OnePlus is working to plug this doubtlessly main safety vulnerability throughout its portfolio of handsets. That being stated, stories of the corporate failing to reply to Rapid7’s preliminary non-public inquiry are regarding, as are Rapid7’s characterizations of the OnePlus Bug Bounty Program’s “restrictive Non Disclosure Settlement” phrases and situations.

In any case, a repair is on the way in which, which suggests OnePlus customers can breathe a sigh of aid. Within the meantime, Rapid7 recommends chopping down on non-essential apps, avoiding the set up of apps from unknown sources, and making use of a devoted authenticator app for two-factor authentication (2FA) versus counting on SMS one-time password (OTP) codes.