CVE-2025-10184: Unpatched OnePlus Flaw Exposes SMS Data & Breaks MFA, PoC Available

Researchers at Rapid7 have disclosed a critical permission bypass vulnerability in OnePlus OxygenOS, tracked as CVE-2025-10184. The flaw allows any installed application on affected devices to read SMS/MMS messages and metadata without permission, user interaction, or consent.

According to Rapid7, “When leveraged, the vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider… without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed.”

The vulnerability arises from improperly exposed content providers within OnePlus’s customized OxygenOS Android framework. Specifically, researchers found that the ServiceNumberProvider (along with PushMessageProvider and PushShopProvider) in OxygenOS grants access to sensitive SMS data without enforcing the required READ_SMS permission.

Rapid7 explains, “This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks.”

By exploiting the flaw, attackers could silently exfiltrate users’ SMS data, including MFA codes, financial alerts, and private communications.

The vulnerability has been confirmed on the following models:

• OnePlus 8T / KB2003, OxygenOS 12 (KB2003_11_C.33)
• OnePlus 10 Pro 5G / NE2213, OxygenOS 14–15 builds (NE2213_14.0.0.700, 15.0.0.502, 15.0.0.700, 15.0.0.901)

Interestingly, OxygenOS 11 builds were not vulnerable, indicating the flaw was introduced with OxygenOS 12 in 2021. Rapid7 stresses that “as the issue affects a core component of Android, we expect this vulnerability to affect other OnePlus devices running the above versions of OxygenOS.”

Beyond simple permission bypass, the vulnerability also exposes OnePlus devices to blind SQL injection. Because the vulnerable providers allow unsanitized inputs, attackers could craft queries to exfiltrate SMS content character by character.

Rapid7 notes, “Based on our analysis, this vulnerability could be leveraged to bypass the core Android READ_SMS permission to silently exfiltrate users’ SMS data without their consent.”

Their proof-of-concept demonstrated extracting recent SMS messages — including MFA tokens from popular apps — without requesting a single permission.

Attempts to coordinate disclosure with OnePlus were unsuccessful. “Rapid7 was unable to make contact with the affected vendor, OnePlus, in order to coordinate a disclosure of this vulnerability,” the researchers state.

While OnePlus maintains a bug bounty program, its restrictive NDA terms prevented Rapid7 from reporting the flaw through that channel. As a result, CVE-2025-10184 remains unpatched at the time of disclosure.

Since no vendor patch is available, Rapid7 recommends:

• Installing only trusted apps and removing non-essential applications.
• Switching from SMS-based MFA to authenticator apps.
• Using end-to-end encrypted messaging apps instead of SMS for sensitive communication.
• Where possible, opting for in-app push notifications instead of SMS alerts.

Related Posts:

• OnePlus sends IMEI and the phone manufacturer to a Chinese server
• OnePlus admits that 40,000 customers were affected by credit card security breaches
• Fidus: vulnerability on OnePlus site permit hacker to steal sensitive credit card data
• OnePlus investigates sensitive credit card data leak
• US Lawmakers Demand OnePlus Probe: Allegations of Data Transfer to Chinese Servers