OxygenOS 12–15 Flaw Leaves OnePlus Devices Open to Attack

Sunday, 28 September 2025 at 06:45
Users of some OnePlus smartphones were surprised by news of a major vulnerability in the SMS feature. Those running OxygenOS 12, 14, or 15 should be concerned, as this issue leaves their devices insecure. It was found by the cybersecurity firm Rapid7, which revealed a major security flaw in OnePlus smartphones running these OxygenOS versions. The flaw could allow malicious apps to access the SMS and MMS data on your smartphone without permission, interaction, or consent.

OnePlus's Security Flaw That Uses SMS

The firm also states that the "user isn't even notified that SMS data is being accessed". This can lead to sensitive information being disclosed, since the flaw bypasses the permission checks that normally protect SMS data. Rapid7 tested and confirmed the vulnerability on several OnePlus smartphones and OxygenOS builds; the tested devices are listed below.
Device Model                 | Package version | OxygenOS Version | Build Number
OnePlus 10 Pro 5G / NE2213   | 14.10.30        | 14               | NE2213_14.0.0.700(EX01)
OnePlus 10 Pro 5G / NE2213   | 15.30.5         | 15               | NE2213_15.0.0.502(EX01)
OnePlus 10 Pro 5G / NE2213   | 15.30.10        | 15               | NE2213_15.0.0.700(EX01)
OnePlus 10 Pro 5G / NE2213   | 15.40.0         | 15               | NE2213_15.0.0.901(EX01)
OnePlus 8T / KB2003          | 3.4.135         | 12               | KB2003_11_C.33
Rapid7 states that this vulnerability, tracked as CVE-2025-10184, was introduced in OxygenOS 12. Several OxygenOS 11 builds were also tested and were not vulnerable to this issue. The firm states that this "does not seem to be a hardware-specific issue". As a result, the potential impact is considered high: it affects a core component of Android, and OnePlus devices other than the 8T or 10 Pro 5G running OxygenOS 12, 14, or 15 could also be vulnerable. So while the list above may look small, it only shows the devices that were tested. Many others could also be affected.

OnePlus's Answer to The Case

The firm contacted OnePlus on May 1, 2025, to report the issue. It then reached out to OnePlus and Oppo half a dozen times before publicly disclosing its findings on September 23, 2025. A day later, OnePlus responded to Rapid7, acknowledging the disclosure and informing the firm that an investigation was under way, though it did not say what steps were being taken. In a statement to 9to5Google, a OnePlus spokesperson later said:
"We acknowledge the recent disclosure of CVE-2025-10184 and have implemented a fix. This will be rolled out globally via software update starting from mid-October. OnePlus remains committed to protecting customer data and will continue to prioritize security improvements."
So an official fix is coming, but don't expect it to land before mid-October.
OnePlus 8T From 2025 is Also Affected by the Issue

How to Protect Your OnePlus Smartphone and Data

Interestingly, the folks at Rapid7 shared some tips for OnePlus smartphone owners to follow until the official fix arrives.
  • Only install apps from trusted sources and remove all non-essential apps. This will limit exposure to untrusted apps that may employ this permission bypass to read SMS/MMS data.
  • Review what third-party services use SMS-based multi-factor authentication (MFA) and change those services to instead use an authenticator app. This will limit sensitive information from being sent to your device over SMS.
  • For additional privacy of text messages, users can use end-to-end encrypted messenger apps instead of SMS-based communication. This will limit sensitive information from being sent to your device over SMS.
  • For third-party services that send SMS-based notifications, it may be possible to change to in-app push notifications. This will limit sensitive information from being sent to your device over SMS.