- CVE-2025-10184 lets attackers read and send SMS messages, including 2FA codes
- The vulnerability affects OxygenOS versions 12 through 15, used on many OnePlus devices
- Rapid7 disclosed the flaw after failing to reach OnePlus; OnePlus has not yet published a fix
A vulnerability in the software used on OnePlus smartphones could allow threat actors to send SMS messages on behalf of the victim, experts have warned.
Worse still, it also allows them to read the content of SMS messages, including multi-factor authentication codes, in cases where SMS is the chosen second factor, Rapid7 researchers revealed.
The team recently discovered a vulnerability in several versions of OxygenOS, the Android-based operating system designed for OnePlus phones. It affects the Telephony content provider in OxygenOS versions 12 through 15, which means the problem may have been present on devices for at least four years.
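For readers unfamiliar with the Android component involved, the manifest fragment below is an added illustration (it is not code from OxygenOS, OnePlus or Rapid7) of how an Android content provider is normally gated: a provider declared as exported with no permission attributes is reachable by every installed app, while the hardened declaration requires the caller to hold the SMS permissions before Android lets the request through. The package, authority and class names are placeholders; the specific defect in OxygenOS is described in Rapid7's advisory, not here.

```xml
<!-- Added illustration; not OxygenOS source. Package, authority and class names are placeholders. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.telephony">

    <application>

        <!-- WEAK: exported with no readPermission/writePermission. Any app on the
             device, with no permissions of its own, can query() and update() it
             via content://com.example.telephony.open/... -->
        <provider
            android:name=".OpenSmsProvider"
            android:authorities="com.example.telephony.open"
            android:exported="true" />

        <!-- HARDENED: the framework checks READ_SMS before query() and WRITE_SMS
             before insert()/update()/delete(), before any provider code runs.
             This mirrors how AOSP declares its own SMS provider. -->
        <provider
            android:name=".GuardedSmsProvider"
            android:authorities="com.example.telephony.guarded"
            android:exported="true"
            android:readPermission="android.permission.READ_SMS"
            android:writePermission="android.permission.WRITE_SMS" />

    </application>
</manifest>
```

If a provider is only used inside its own package, android:exported="false" is the simpler fix. Where it must be exported, a readPermission/writePermission pair (or per-path rules via a nested path-permission element) is what keeps a permission-less app out; a store of SMS messages that any app can reach without holding READ_SMS is exactly the failure mode described above, regardless of how the bypass is achieved.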
Late response
The researchers confirmed the flaw on a OnePlus 8T device running OxygenOS 12, as well as on several OnePlus 10 Pro 5G units running OxygenOS 14 and 15.
However, given how OnePlus builds and ships its phones, the researchers stressed that the list of vulnerable devices is likely much longer.
Rapid7 said that since discovering the problem in May 2025, it tried to reach out to OnePlus, but reportedly without success.
After several unsuccessful attempts, the researchers published their findings together with a proof of concept (PoC) in September, after which OnePlus publicly acknowledged the bug and started investigating.
However, at the time of publication OnePlus had still not released a patch, which means the bug remains exploitable on many of its devices.
To stay safe, users should keep the number of installed applications to a minimum, install only apps from reputable publishers, and move away from SMS-based two-factor authentication.
In addition, sensitive communication should be moved off SMS and into other messaging applications such as WhatsApp, Telegram or similar.
The vulnerability is now tracked as CVE-2025-10184, with a severity score of 8.2 out of 10 (high).
OnePlus is a subsidiary of Chinese smartphone manufacturer Oppo and is known for building premium smartphones at competitive prices.
Via BleepingComputer