Rapid7: OnePlus phones vulnerable to SMS theft since 2021

Security researchers report that OnePlus smartphone users remain vulnerable to a critical bug that allows any application to read SMS and MMS data, a flaw that has persisted since late 2021.

Rapid7 revealed in a blog published today that multiple versions of OxygenOS contain this security flaw. Since OxygenOS 11 devices remained unaffected in its tests, the researchers believe the vulnerability was introduced with OxygenOS 12, released on December 7, 2021.

Although Rapid7 only used OnePlus phones in its tests, it believes the issue extends to additional OEMs, given that the vulnerable component is within Android itself.

The flaw is tracked as CVE-2025-10184 with a severity rating of 8.2. The researchers said: “The issue stems from the fact that sensitive internal content providers are accessible without permission, and are vulnerable to SQL injection.”

The vulnerability operates silently: users receive no alerts when their SMS or MMS data is accessed or transmitted elsewhere. Exploitation requires zero user interaction.

A successful exploit could let attackers bypass SMS-based MFA account protections or give surveillance-hungry governments easy access to messages.
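The two root causes Rapid7 names, a content provider reachable without any permission and query strings reaching SQL unchecked, are both avoidable at the provider level. The following is an added illustration, not Rapid7's or OnePlus's code, of a hardened provider pattern for an app's own provider; the provider, permission and table names are hypothetical placeholders.

```kotlin
import android.content.ContentProvider
import android.content.ContentValues
import android.database.Cursor
import android.database.sqlite.SQLiteDatabase
import android.database.sqlite.SQLiteQueryBuilder
import android.net.Uri

// Hypothetical names (placeholders, not taken from the Rapid7 report).
private const val READ_MESSAGES = "com.example.permission.READ_MESSAGES"
private const val TABLE = "messages"

class ExampleMessageProvider : ContentProvider() {
    private lateinit var db: SQLiteDatabase

    // Only columns listed here may appear in projection, selection or sort order.
    private val projectionMap = mapOf(
        "_id" to "_id", "address" to "address", "body" to "body", "date" to "date"
    )

    override fun onCreate(): Boolean {
        // In-memory table with one constructed sample row, so the example is self-contained.
        db = SQLiteDatabase.create(null)
        db.execSQL("CREATE TABLE $TABLE (_id INTEGER PRIMARY KEY, address TEXT, body TEXT, date INTEGER)")
        db.execSQL("INSERT INTO $TABLE (address, body, date) VALUES ('+15550100', 'Your code is 123456', 1700000000)")
        return true
    }

    override fun query(uri: Uri, projection: Array<String>?, selection: String?,
                       selectionArgs: Array<String>?, sortOrder: String?): Cursor? {
        // Defect 1 (no permission check): fail closed unless the caller holds the permission.
        // The manifest entry should also declare android:permission or android:exported="false".
        checkNotNull(context).enforceCallingPermission(READ_MESSAGES, "reading messages requires $READ_MESSAGES")

        // Defect 2 (SQL injection): caller strings are never concatenated into SQL.
        // Strict mode makes the builder reject selection and sort clauses that reference
        // columns outside the projection map; values travel only through selectionArgs.
        val qb = SQLiteQueryBuilder().apply {
            tables = TABLE
            setProjectionMap(projectionMap)
            setStrict(true)
        }
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder)
    }

    // Read-only provider: write paths are outside the scope of this example.
    override fun getType(uri: Uri): String? = "vnd.android.cursor.dir/vnd.example.message"
    override fun insert(uri: Uri, values: ContentValues?): Uri? = throw UnsupportedOperationException()
    override fun delete(uri: Uri, selection: String?, selectionArgs: Array<String>?): Int =
        throw UnsupportedOperationException()
    override fun update(uri: Uri, values: ContentValues?, selection: String?,
                        selectionArgs: Array<String>?): Int = throw UnsupportedOperationException()
}
```

This protects providers an app ships itself; the system Telephony provider described in the article can only be fixed by the OEM or Android platform update.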

Sad to see that OnePlus has not responded at all to this disclosure.

that multiple versions of OxygenOS contain this security flaw.
vulnerable component is within Android itself.

so… which is it Rapid7? an issue specific to OxygenOS or to AOSP?


“A massive SMS vulnerability has been discovered on OnePlus smartphones, and while it has yet to be patched, the good news is a fix is on its way.”