Abstract
- Safety firm Rapid7 has uncovered a significant vulnerability inside OnePlus telephones that would depart customers’ SMS and MMS texting knowledge uncovered to unhealthy actors.
- This safety danger seems to impression all newer OnePlus telephones working OxygenOS 12 and later, although Rapid7 has solely examined OnePlus 8T and 10 Professional 5G fashions.
- OnePlus has since acknowledged the vulnerability, and has confirmed plans to roll out a software program patch within the coming weeks.
Cybersecurity firm Rapid7 has recognized a significant new permission bypass vulnerability inside modern OnePlus smartphones known as CVE-2025-10184. This novel exploit, if leveraged by unhealthy actors, may allow rogue functions to learn delicate SMS and MMS textual content message knowledge from the system’s Telephony supplier service — all with out the explicitly granted permission of the person.
Theoretically, CVE-2025-10184 may impression all OnePlus units working OxygenOS 12, 14, and 15, although Rapid7 itself solely examined OnePlus 8T and 10 Pro 5G fashions. Older OnePlus handsets working Oxygen 11 (primarily based on Android 11) or earlier look like unaffected by the exploit.
“The problem stems from the truth that delicate inner content material suppliers are accessible with out permission, and are weak to SQL injection. Primarily based on our evaluation, this vulnerability could possibly be leveraged to bypass the core Android READ_SMS permission to silently exfiltrate customers’ SMS knowledge with out their consent and break SMS-based MFA techniques,” writes Rapid7 in a blog post.
With out entering into an excessive amount of technical element, it seems that the exploit stems from modifications made by OnePlus to the Android Open Source Project’s (AOSP’s) core Telephony bundle again within the Android 12 days, with the intention to combine further content material suppliers into the service. Whereas the corporate carried out the suitable learn permissions into its modification, there was some type of oversight made within the addition of efficient write permissions.
An official repair is on the way in which
OnePlus acknowledges the vulnerability and is engaged on a patch
In an announcement provided to 9to5Google, OnePlus has confirmed that it is conscious of this newly-surfaced texting vulnerability discovered inside OxygenOS, and that it has efficiently carried out a working repair for it. The corporate goes on to say that the patch might be pushed out throughout the globe by way of an over-the-air (OTA) software program replace “ranging from mid-October.”
It is nice to listen to that OnePlus is working to plug this doubtlessly main safety vulnerability throughout its portfolio of handsets. That being stated, stories of the corporate failing to answer Rapid7’s preliminary non-public inquiry are regarding, as are Rapid7’s characterizations of the OnePlus Bug Bounty Program’s “restrictive Non Disclosure Settlement” phrases and situations.
In any case, a repair is on the way in which, which implies OnePlus customers can breathe a sigh of aid. Within the meantime, Rapid7 recommends chopping down on non-essential apps, avoiding the set up of apps from unknown sources, and making use of a devoted authenticator app for two-factor authentication (2FA) versus counting on SMS one-time password (OTP) codes.
Trending Merchandise
