OnePlus phone flaw could let devices send out unwanted text messages - so take care who you ping
Flaw could also expose SMS 2FA codes

- CVE-2025-10184 lets attackers read and send SMS, including 2FA codes
- Vulnerability affects OxygenOS versions 12 to 15, used across many OnePlus devices
- Rapid7 disclosed flaw after failed contact; OnePlus has not yet released a fix
A vulnerability in the software used in OnePlus smartphones could allow threat actors to send SMS messages on behalf of the victim, experts have warned.
Even worse, it allows them to read SMS contents, including multi-factor authentication codes, in cases when SMS is set up as the secondary 2FA layer of choice, security researchers from Rapid7 revealed.
The team recently discovered a vulnerability in multiple versions of OxygenOS, the operating system built for OnePlus phones and based on Google’s Android. The flaw affects the Telephony content provider in OxygenOS versions 12 through 15, meaning the problem may have been plaguing devices for at least four years.
Late response
The researchers confirmed the flaw working on a OnePlus 8T device, running OxygenOS 12, as well as multiple OnePlus 10 Pro 5G units running OxygenOS 14 and 15.
However, given how OnePlus builds and ships its phones, the researchers stressed that the list of vulnerable devices is a lot, lot longer.
Rapid7 said that since detecting the issue in May 2025, it tried reaching out to OnePlus, but allegedly to no avail.
After a few failed attempts, the researchers published their findings together with a Proof-of-Concept (PoC) in September, after which OnePlus publicly acknowledged the bug and reportedly started investigating.
However, by the time this article was published, OnePlus had still not released a fix, which means the bug is still exploitable on many of its devices.
To stay safe, users should keep the number of installed apps to a minimum, install only those from reputable publishers, and switch away from SMS-based two-factor authentication.
Furthermore, communication should be moved away from SMS messages into other apps, such as WhatsApp, Telegram, or similar. The vulnerability is now tracked as CVE-2025-10184, with a severity score of 8.2/10 (high).
OnePlus is a subsidiary of Chinese smartphone manufacturer Oppo, and is known for building premium smartphones at a competitive price.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.