A serious security vulnerability has emerged concerning OnePlus users. Security firm Rapid7 discovered a vulnerability that could expose SMS and MMS data on devices due to changes OnePlus made to the Phone service in Android. This vulnerability allows installed apps to access the content of text messages without any permission, user interaction, or approval.
According to Rapid7, the issue was identified in OxygenOS versions 12, 14, and 15. However, devices running OxygenOS 11 or earlier, released in 2020, are not believed to be affected. While the company only tested the OnePlus 8T and 10 Pro 5G models, it emphasized that the vulnerability is hardware-agnostic and relies on core Android components.
OnePlus acknowledges the issue
OnePlus acknowledged the vulnerability but stated that it needs time to fix it. The company announced that patches for the vulnerability, identified as CVE-2025-10184, will be distributed globally through updates starting in mid-October.

Rapid7 explained that it had attempted to contact OnePlus privately but was unsuccessful. Furthermore, due to the company’s strict privacy policies, the bug bounty program was not an option. Consequently, Rapid7 decided to release a public statement.
Until the vulnerability is patched, Rapid7 advises users to take the following precautions:
- Only install apps from trusted sources
- Remove unnecessary apps from the device
- Use encrypted messaging apps instead of SMS
- Prefer authentication apps over SMS-based two-factor authentication
This critical vulnerability is estimated to affect millions of users.