OnePlus

A critical vulnerability (CVE-2025-10184) in OxygenOS (versions 12 to 15) on OnePlus devices exposes SMS data and metadata to any installed app without requiring permissions or user interaction. The flaw stems from OnePlus modifying Android’s default Telephony package, introducing unsecured content providers (`PushMessageProvider`, `PushShopProvider`, `ServiceNumberProvider`) that lack proper `READ_SMS` permission checks. Worse, unsanitized inputs enable blind SQL injection, allowing attackers to reconstruct SMS content character by character through database queries. While the `read` permission is correctly enforced, the absence of `write` permission restrictions lets malicious apps infer SMS data if prerequisites are met (e.g., non-empty tables or insert capabilities).

The vulnerability, discovered by Rapid7 and left unpatched due to OnePlus’s non-response, affects multiple models (e.g., OnePlus 8T, 10 Pro) across all OxygenOS versions since 2022. Attackers could exploit this to bypass 2FA, intercept sensitive messages (e.g., OTPs, financial alerts), or exfiltrate private communications. OnePlus acknowledged the issue only after public disclosure, leaving users exposed until a fix is released. Mitigations include minimizing app installations, avoiding SMS-based 2FA, and using end-to-end encrypted messaging for sensitive data.

Source: https://www.bleepingcomputer.com/news/security/unpatched-flaw-in-oneplus-phones-lets-rogue-apps-text-messages/

TPRM report: https://www.rankiteo.com/company/oneplus

"id": "one0492404092425",
"linkid": "oneplus",
"type": "Vulnerability",
"date": "6/2022",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'All OnePlus Device Users '
                                              'Running OxygenOS 12–15 '
                                              '(Estimated Millions)',
                        'industry': 'Technology/Hardware',
                        'location': 'Shenzhen, China',
                        'name': 'OnePlus (Subsidiary of Oppo)',
                        'type': 'Consumer Electronics Manufacturer'}],
 'attack_vector': ['Local (Installed App)',
                   'Exploitation of Misconfigured Content Providers',
                   'Blind SQL Injection'],
 'customer_advisories': ['Public Disclosure by Rapid7 with Mitigation '
                         'Recommendations'],
 'data_breach': {'data_exfiltration': 'Possible (Via Blind SQL Injection)',
                 'file_types_exposed': ['SMS Database (SQLite)'],
                 'personally_identifiable_information': 'Potential (If SMS '
                                                        'Contains PII)',
                 'sensitivity_of_data': 'High (Potential for Authentication '
                                        'Codes, Personal Messages, Financial '
                                        'Transactions)',
                 'type_of_data_compromised': ['SMS Content',
                                              'SMS Metadata (e.g., Timestamps, '
                                              'Sender/Recipient Info)']},
 'date_detected': '2025-05-01',
 'date_publicly_disclosed': '2025-08-16',
 'description': 'A vulnerability in multiple versions of OxygenOS, the '
                'Android-based operating system from OnePlus, allows any '
                'installed app to access SMS data and metadata without '
                'requiring permission or user interaction. The flaw arises '
                'from OnePlus modifying the stock Android Telephony package to '
                'introduce additional exported content providers '
                '(PushMessageProvider, PushShopProvider, '
                "ServiceNumberProvider) without declaring a 'READ_SMS' write "
                'permission. This oversight, combined with unsanitized '
                'client-supplied inputs, enables blind SQL injection attacks '
                'to reconstruct SMS content from the device database. The '
                'vulnerability (CVE-2025-10184) is currently unpatched and '
                'exploitable across OxygenOS versions 12 to 15 (latest). '
                'Rapid7 researchers confirmed the issue on OnePlus 8T and 10 '
                'Pro devices, but it likely affects all OnePlus devices '
                'running the vulnerable OxygenOS versions. OnePlus failed to '
                'respond to multiple disclosure attempts, prompting Rapid7 to '
                'publish technical details and a proof-of-concept (PoC) '
                'exploit.',
 'impact': {'brand_reputation_impact': 'Potential (Due to Unpatched '
                                       'Vulnerability and Public Disclosure)',
            'data_compromised': ['SMS Data', 'SMS Metadata'],
            'identity_theft_risk': 'High (If SMS Contains Sensitive '
                                   'Authentication Codes or Personal Data)',
            'payment_information_risk': 'High (If SMS Contains Payment-Related '
                                        'OTPs or Transactions)',
            'systems_affected': ['OnePlus Devices Running OxygenOS 12–15']},
 'investigation_status': 'Ongoing (OnePlus Investigating)',
 'lessons_learned': ['Importance of Proper Permission Declarations in Custom '
                     'Android Implementations',
                     'Risks of Modifying Stock Android Components Without '
                     'Security Review',
                     'Need for Responsive Vendor Communication During '
                     'Vulnerability Disclosure',
                     'Criticality of Input Sanitization to Prevent SQL '
                     'Injection'],
 'post_incident_analysis': {'corrective_actions': ['Patch Development '
                                                   '(Pending)',
                                                   'Security Audit of OxygenOS '
                                                   'Telephony Package'],
                            'root_causes': ["Missing 'READ_SMS' Write "
                                            'Permission in Custom Content '
                                            'Providers',
                                            'Unsanitized Inputs Enabling Blind '
                                            'SQL Injection',
                                            'Lack of Vendor Response to '
                                            'Disclosure Attempts']},
 'recommendations': ['OnePlus Should Release an Urgent Patch for All Affected '
                     'OxygenOS Versions',
                     'Implement Strict Permission Checks for Content Providers '
                     'in Future Updates',
                     'Conduct Comprehensive Security Audits of Custom Android '
                     'Modifications',
                     'Enhance Vendor Response Protocols for Vulnerability '
                     'Disclosures',
                     'Users Should Disable SMS-Based 2FA and Use App-Based '
                     'Alternatives',
                     'Limit App Installations to Trusted Sources Until Patch '
                     'is Available'],
 'references': [{'date_accessed': '2025-08-16',
                 'source': 'Rapid7 Research Report'},
                {'date_accessed': '2025-08-16',
                 'source': 'BleepingComputer Article'}],
 'response': {'communication_strategy': ['Public Acknowledgment by OnePlus '
                                         '(Post-Disclosure)',
                                         'Media Coverage (e.g., '
                                         'BleepingComputer)'],
              'containment_measures': ['OnePlus Acknowledged Issue and '
                                       'Launched Investigation '
                                       '(Post-Disclosure)',
                                       'Users Advised to Minimize Installed '
                                       'Apps and Use Trusted Publishers',
                                       'Recommendation to Switch from '
                                       'SMS-Based 2FA to OTP Apps (e.g., '
                                       'Google Authenticator)',
                                       'Advice to Use End-to-End Encrypted '
                                       'Apps for Sensitive Communications'],
              'incident_response_plan_activated': 'Yes (After Public '
                                                  'Disclosure)',
              'remediation_measures': ['Patch Under Investigation (Not Yet '
                                       'Released)']},
 'stakeholder_advisories': ['Users Advised to Take Mitigation Steps (e.g., '
                            'Reduce App Installations, Avoid SMS for Sensitive '
                            'Data)'],
 'title': 'Unpatched SMS Data Exposure Vulnerability in OnePlus OxygenOS '
          '(CVE-2025-10184)',
 'type': ['Vulnerability',
          'Data Exposure',
          'Privilege Escalation',
          'SQL Injection'],
 'vulnerability_exploited': 'CVE-2025-10184 (Improper Permission Handling in '
                            'OxygenOS Telephony Package)'}