- CVE-2025-10184 lets attackers read and send SMS, including 2FA codes
- Vulnerability affects OxygenOS versions 12 to 15, used across many OnePlus devices
- Rapid7 disclosed flaw after failed contact; OnePlus has not yet released a fix
A vulnerability in the software used in OnePlus smartphones could allow threat actors to send SMS messages on behalf of the victim, experts have warned.
Even worse, it allows them to read SMS contents, including multi-factor authentication codes, in cases when SMS is set up as the secondary 2FA layer of choice, security researchers from Rapid7 reveaked.
The team recently discovered a vulnerability in multiple versions of OxygenOS, the operating system built for OnePlus phones, and based on Google’s Android, which affects the Telephony content provider in OxygenOS between versions 12 and 15, meaning the problem may have been plaguing devices for at least four years.
Late response
The researchers confirmed the flaw working on a OnePlus 8T device, running OxygenOS 12, as well as multiple OnePlus 10 Pro 5G units running OxygenOS 14 and 15.
However, given how OnePlus builds and ships its phones, the researchers stressed that the list of vulnerable devices is a lot, lot longer.
Rapid7 said that since detecting the issue in May 2025, it tried reaching out to OnePlus, but allegedly – to no avail.
After a few failed attempts, the researchers published their findings together with a Proof-of-Concept (PoC) in September, after which OnePlus publicly acknowledged the bug and reportedly started investigating.
However, by the time this article was published, OnePlus has still not released a fix, which means the bug is still exploitable on many of its devices.
To stay safe, users should keep the number of installed apps to a minimum, install only those from reputable publishers, and switch away from SMS-based two-factor authentication.
Furthermore, communication should be moved away from SMS messages into other apps, such as WhatsApp, Telegram, or similar. The vulnerability is now tracked as CVE-2025-10184, with a severity score of 8.2/10 (high).
OnePlus is a subsidiary of Chinese smartphone manufacturer Oppo, and is known for building premium smartphones at a competitive price.
Via BleepingComputer
Leave A Comment
You must be logged in to post a comment.