PoC Released for Unpatch OnePlus Flaw: Any App Can Read Your SMS Messages

A critical vulnerability, CVE-2025-10184, has been identified in the OxygenOS operating system used on OnePlus smartphones, allowing any application on the device to read the contents of SMS messages and related metadata without requesting permissions. The flaw was discovered by Rapid7 researchers, who reported that the issue affects all system versions from OxygenOS 12 through the current OxygenOS 15. Despite repeated notifications, the manufacturer has yet to issue a patch, and initial reports from researchers went unanswered.

The root cause lies in OnePlus’s modification of the standard Android Telephony package, where the company introduced new exported providers—PushMessageProvider, PushShopProvider, and ServiceNumberProvider. These providers lack explicit permission requirements for the READ_SMS operation in their manifests, enabling unrestricted data access to any installed application.

The situation is further exacerbated by the absence of input request filtering, creating an opportunity for so-called blind SQL injection, which allows attackers to reconstruct message content line by line from the device’s database. Rapid7 demonstrated a proof-of-concept confirming that SMS data could be extracted under certain conditions, including the presence of specific strings in the database and the availability of insert operations.

The vulnerability was tested on the OnePlus 8T and OnePlus 10 Pro, with results showing that the flaw is not hardware-dependent and affects all OnePlus smartphones running the vulnerable versions of OxygenOS. Between May and August 2025, Rapid7 attempted to contact the company seven times without receiving a response. Only after the public disclosure did OnePlus announce the initiation of an internal review, though it has not provided a timeline for a fix.

Until a security update is released, users are advised to minimize the number of installed applications, install software only from trusted developers, and avoid SMS-based authentication in favor of one-time code generators. For transmitting sensitive information, it is safer to rely on end-to-end encrypted messaging services, as SMS on OnePlus devices are not adequately isolated.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy