OnePlus OxygenOS Phones Face Critical SMS Data Leak Risk

A serious security flaw impacting multiple OnePlus smartphones running OxygenOS 12, 14, and 15 versions has been revealed. This vulnerability allows any app installed on affected devices to access SMS and MMS messages without the user’s permission, interaction, or notification. The flaw bypasses standard Android security permissions and compromises the confidentiality of sensitive text messages, including those used for multi-factor authentication.

The weakness was discovered by cybersecurity researchers at Rapid7 and given the identifier CVE-2025-10184. It originates from OnePlus’s modifications to core Android telephony services starting with OxygenOS 12, introduced in 2021. These modifications added new content providers that lacked proper permission enforcement on write operations. This creates exploitable points where malicious apps can perform blind SQL injection attacks to extract SMS data silently, bypassing the typical READ_SMS permission controls.
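The core of the defect described above is a content provider whose write entry points are reachable without a permission check and accept a caller-supplied WHERE clause. The following is an added example, written for this page; it is not OnePlus's code nor a reconstruction of it. It shows what a provider over a message table looks like when every entry point, including update() and delete(), enforces a permission and validates the selection before it reaches SQLite. The authority "com.example.provider", the table "messages" and the app-defined permission "com.example.permission.WRITE_MESSAGES" are placeholders; READ_SMS is the standard Android permission the article mentions.

```java
// Added example, not OnePlus code: a ContentProvider that enforces a
// permission on every entry point, including update() and delete(), and
// validates caller-supplied WHERE clauses before they reach SQLite.
// Placeholders (not from the advisory): the authority "com.example.provider",
// the table "messages" and the permission "com.example.permission.WRITE_MESSAGES".
package com.example.hardenedprovider;

import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.UriMatcher;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.HashMap;
import java.util.Map;

public class HardenedMessageProvider extends ContentProvider {
    static final String AUTHORITY = "com.example.provider";                    // placeholder
    static final String TABLE = "messages";                                    // placeholder
    static final String READ_PERM = android.Manifest.permission.READ_SMS;
    static final String WRITE_PERM = "com.example.permission.WRITE_MESSAGES";  // placeholder, declared in the manifest
    static final int CODE_MESSAGES = 1;
    static final UriMatcher MATCHER = new UriMatcher(UriMatcher.NO_MATCH);
    // Allow-list of columns a caller may name in a projection or selection.
    static final Map<String, String> COLUMNS = new HashMap<>();
    static {
        MATCHER.addURI(AUTHORITY, TABLE, CODE_MESSAGES);
        for (String c : new String[] {"_id", "address", "date", "body", "read"}) {
            COLUMNS.put(c, c);
        }
    }

    private SQLiteOpenHelper helper;

    @Override
    public boolean onCreate() {
        helper = new SQLiteOpenHelper(getContext(), "messages.db", null, 1) {
            @Override public void onCreate(SQLiteDatabase db) {
                db.execSQL("CREATE TABLE " + TABLE
                        + " (_id INTEGER PRIMARY KEY, address TEXT, date INTEGER, body TEXT, read INTEGER)");
            }
            @Override public void onUpgrade(SQLiteDatabase db, int oldV, int newV) { }
        };
        return true;
    }

    // One builder for every path, so reads and writes share the same checks.
    private SQLiteQueryBuilder builder(Uri uri) {
        if (MATCHER.match(uri) != CODE_MESSAGES) {
            throw new IllegalArgumentException("Unknown URI " + uri);
        }
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);
        qb.setProjectionMap(COLUMNS);
        qb.setStrict(true);          // parse the selection so it cannot escape the WHERE clause
        qb.setStrictColumns(true);   // reject column names outside the allow-list (API 30+)
        qb.setStrictGrammar(true);   // reject subqueries and similar constructs (API 30+)
        return qb;
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder) {
        getContext().enforceCallingOrSelfPermission(READ_PERM, "READ_SMS required");
        return builder(uri).query(helper.getReadableDatabase(), projection, selection, selectionArgs, null, null, sortOrder);
    }

    // The write path is checked as strictly as query(): an update() or delete()
    // that accepts an unchecked WHERE clause reveals row contents through whether
    // the statement matched, even when query() itself is protected.
    @Override
    public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
        getContext().enforceCallingOrSelfPermission(WRITE_PERM, "WRITE_MESSAGES required");
        int n = builder(uri).update(helper.getWritableDatabase(), values, selection, selectionArgs);
        if (n > 0) getContext().getContentResolver().notifyChange(uri, null);
        return n;
    }

    @Override
    public int delete(Uri uri, String selection, String[] selectionArgs) {
        getContext().enforceCallingOrSelfPermission(WRITE_PERM, "WRITE_MESSAGES required");
        int n = builder(uri).delete(helper.getWritableDatabase(), selection, selectionArgs);
        if (n > 0) getContext().getContentResolver().notifyChange(uri, null);
        return n;
    }

    @Override
    public Uri insert(Uri uri, ContentValues values) {
        getContext().enforceCallingOrSelfPermission(WRITE_PERM, "WRITE_MESSAGES required");
        builder(uri); // validates the URI before touching the database
        long id = helper.getWritableDatabase().insertOrThrow(TABLE, null, values);
        Uri row = Uri.withAppendedPath(uri, Long.toString(id));
        getContext().getContentResolver().notifyChange(row, null);
        return row;
    }

    @Override
    public String getType(Uri uri) {
        return "vnd.android.cursor.dir/vnd.example.message";
    }
}
```

The first line of defence belongs in the manifest: declaring the provider with `android:readPermission` and `android:writePermission` makes the framework reject unprivileged callers before any provider code runs, and the in-code `enforceCallingOrSelfPermission` calls are defence in depth for the case where a path is exposed some other way. The strict-mode settings on `SQLiteQueryBuilder` close the second gap, a raw selection string: `setStrictColumns` and `setStrictGrammar` exist from API 30, while `setStrict` alone is available on older releases.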

Testing confirmed the vulnerability on devices such as the OnePlus 8T running OxygenOS 12 and the OnePlus 10 Pro 5G running versions 14 and 15. While the OxygenOS 11 builds that were tested were not affected, the vulnerability likely extends to other OnePlus models running the vulnerable OxygenOS releases. The problem is attributed not to specific hardware but to OnePlus's software changes.

The implications are significant. SMS-based multi-factor authentication (MFA) can be bypassed, exposing authentication codes and personal communication to unauthorized parties. Such a flaw could be exploited at scale by state-sponsored threat actors or oppressive regimes seeking to monitor or silence individuals without their knowledge. The affected user would remain unaware that their messaging data had been accessed.

Rapid7 attempted to notify OnePlus beginning in May 2025 but faced difficulties coordinating a proper vulnerability disclosure because of restrictive disclosure terms and a lack of timely response. OnePlus acknowledged the issue publicly only after Rapid7 made the findings known on September 23, 2025. The device maker has stated it is preparing a global software update to fix the issue, expected to begin rolling out in mid-October 2025.

Until the fix is widely available, affected users are strongly advised to remove any unnecessary applications, especially those from untrusted sources, to mitigate the risk. Switching from SMS-based MFA to authenticator apps and migrating message communication to end-to-end encrypted platforms can further protect privacy. Additionally, users should consider changing apps that rely on SMS notifications to push notifications where feasible.

Until patches arrive, OnePlus smartphone users on OxygenOS 12 or higher should exercise caution to safeguard their sensitive SMS data from potential exploitation.
