A major security vulnerability in OxygenOS lets malicious apps read data, including SMS and MMS messages, on a number of OnePlus devices, potentially exposing private data. Because it allows access without user permission, taps, or alerts, the bug carries an unusually high level of risk (a pretty bad situation given how widely SMS is relied on for verification), writes security firm Rapid7, which discovered the flaw and disclosed it as CVE-2025-10184.
What Rapid7 Discovered and Why It Matters
Rapid7 has verified the vulnerability on the OnePlus 8T and OnePlus 10 Pro devices running OxygenOS 12, 14, and 15, and notes that the underlying issue may impact other models of OnePlus devices with those builds. OxygenOS 11 devices are not affected. The bug sits in a core Android system component that the vendor has modified, which gives apps a way to get around the normal SMS/MMS read permission checks and read data directly from the storage layer of the device.

Why is this so risky? Today, SMS still underlies a massive number of login flows, password resets, banking alerts, and account recovery processes. If a malicious app is able to silently read incoming texts, it can snatch one-time codes, then impersonate the user, and pair that access with phishing or SIM-related techniques to piggyback on a verification check that has already been initiated. Rapid7 describes the impact as high, pointing out that the attack requires no more than a malicious app on the device: no special privileges, no root access, and no user interaction.
Who Is Affected by the OxygenOS SMS Vulnerability
The confirmed exposure covers OxygenOS 12, 14, and 15 on supported OnePlus devices, with testing verified on the 8T and the 10 Pro. As for OxygenOS 11 devices, you’re good to go. Because it is a system-level feature, the bug probably affects both global and carrier SKUs along with dual-SIM handsets, where OTPs are received over the default line in many use cases.
What OnePlus Says and the Patch Timeline Ahead
The flaw has been acknowledged by OnePlus and a fix is in the works. The company said the fix would come as a phased global software update rather than a hotfix—so many affected users may remain vulnerable for some time to come, until they are able to update. “Given that Rapid7 has published vulnerabilities in the past without this program’s collaboration, as well as how ordinary bug bounty programs have more restrictive disclosure terms, it decided that instead of continuing to coordinate with them, it would make a public release.” Related reports suggest that OnePlus is prioritizing the issue.
Why SMS Codes Are at Particular Risk on OnePlus
Security agencies and standards bodies have warned for years that SMS is a weaker second factor than app-based codes or security keys. Texts can be intercepted, shared with others, or read by malware that gets into app stores. Industry reports suggest that attackers are increasingly targeting what’s known as the “human layer” with smishing and prompt-bombing attacks, specifically because these methods bypass strong passwords and take aim at temporary codes.

In stock Android, messages are protected by permissions and role-based access controls that give full read access to the default SMS app. CVE-2025-10184 is worrying because it breaks that model at the vendor layer, giving eavesdropping capability to apps that, lacking the permissions, would otherwise have no such ability. That breaks an assumption that many people using and building with SMS rarely question in the first place.
Practical Actions You Can Take Now to Reduce Risk
In the meantime, until the patch reaches your device, use a defense-in-depth strategy:
- Don’t sideload; only use trusted app stores. Review newly installed apps and delete unknown apps.
- Get away from SMS-based authentication wherever you can. Move sensitive accounts to an authenticator app or hardware security key.
- Review your phone’s permissions, including those for messaging, accessibility, notification access, and usage data; revoke everything that is not essential.
- Turn on Play Protect scanning, keep system components updated, and install vendor updates promptly.
- Treat unexpected OTP prompts as a red flag. If you receive a code and did not start logging in, assume an attacker is trying to gain access and change your passwords.
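Because the flaw needs no special privileges, a permission review alone will not single out an app that abuses it, so the first item on the list (knowing which apps are installed and where they came from) carries more weight than usual. The script below is an added example, not code from Rapid7 or OnePlus: it filters the output of `adb shell pm list packages -3 -i` and prints third-party packages that were not installed by a trusted store. The trusted-installer list is an assumption to adjust, and the sample package names are constructed.

```shell
#!/bin/sh
# Added example: flag third-party packages not installed by a trusted store.
# Input: lines from `adb shell pm list packages -3 -i`, for example
#   package:com.example.app  installer=com.android.vending

# Assumption: installers treated as trusted; adjust to your own policy.
TRUSTED_INSTALLERS="com.android.vending"

flag_untrusted_installers() {
    # Reads pm output on stdin and prints "<package> <installer>" for each
    # package whose installer is not listed in TRUSTED_INSTALLERS.
    # tr strips carriage returns that some adb versions add to output.
    tr -d '\r' | while read -r pkg_field inst_field _; do
        case "$pkg_field" in
            package:*) pkg=${pkg_field#package:} ;;
            *) continue ;;
        esac
        inst=${inst_field#installer=}
        # A missing installer field is reported the same way as a sideload.
        [ -n "$inst" ] || inst="null"
        trusted=0
        for t in $TRUSTED_INSTALLERS; do
            if [ "$inst" = "$t" ]; then trusted=1; fi
        done
        [ "$trusted" -eq 1 ] || printf '%s %s\n' "$pkg" "$inst"
    done
}

# Constructed sample output (package names are made up for illustration).
sample_pm_output() {
    cat <<'EOF'
package:com.example.banking  installer=com.android.vending
package:com.example.flashlight  installer=null
package:com.example.wallpapers  installer=com.example.thirdpartystore
EOF
}

# Demo on the constructed sample. Live use, with a device attached and
# USB debugging enabled:
#   adb shell pm list packages -3 -i | flag_untrusted_installers
sample_pm_output | flag_untrusted_installers
```

An installer of `null` usually means the package was sideloaded or pushed over adb; anything the script prints is a candidate for the review-and-delete step, not proof of malice.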
Larger Security Lessons for Android Device Vendors
Vendor customization remains something of a double-edged sword: it might add features and polish, but tweaks to sensitive services like telephony, notifications, or permissions come with an outsized security risk. Threat modeling, backed by fuzzing and third-party testing, must be mandatory for any change that ships to the components of the stack that broker access to messages or tokens.
For users, the lesson is simple. Think of SMS as a convenience, not a security boundary. With an established CVE, an acknowledgment from the manufacturer, and a patch that is not arriving immediately, it is time to go into hardening mode on your accounts and avoid installing anything suspect. Install the fix as soon as it comes out, and find some other way to receive those OTPs than over text where possible.
