Unpatched OnePlus Flaw Exposes SMS Data & Breaks MFA: CVE-2025-10184

Estimated reading time: 7 minutes

Key takeaways:

  • Critical unpatched vulnerability (CVE-2025-10184) in OnePlus OxygenOS.
  • Allows unauthorized access to SMS data, compromising MFA.
  • Affected devices include OnePlus 8T and 10 Pro 5G.
  • Mitigation strategies include switching to authenticator apps and monitoring network traffic.
  • PurpleOps services can help organizations detect and respond to exploitation attempts.

Table of contents:

CVE-2025-10184: OnePlus OxygenOS Telephony Provider Permission Bypass

Rapid7 researchers have identified CVE-2025-10184, a permission bypass vulnerability within OnePlus’s customized OxygenOS Android framework. This flaw enables any application installed on an affected device to read SMS and MMS messages, along with their associated metadata, without requiring explicit user permission, interaction, or consent. The user remains unaware that their SMS data is being accessed. This unauthorized access could lead to sensitive information disclosure and effectively undermine the security provided by SMS-based Multi-Factor Authentication (MFA) checks. The lack of coordination from OnePlus highlights the importance of proactive real-time ransomware intelligence and breach detection to identify vulnerable systems within your supply chain.

Technical Details of the Vulnerability

The vulnerability stems from improperly exposed content providers within OxygenOS. Specifically, the ServiceNumberProvider, along with PushMessageProvider and PushShopProvider, grants access to sensitive SMS data without enforcing the necessary READ_SMS permission. Attackers can exploit this to silently extract SMS data, including MFA codes, financial alerts, and private communications.

Furthermore, the vulnerability exposes OnePlus devices to blind SQL injection. The vulnerable providers do not sanitize inputs, allowing attackers to craft queries to exfiltrate SMS content character by character. This bypasses the core Android READ_SMS permission, enabling silent exfiltration of SMS data without user consent.

Affected Devices

The vulnerability has been confirmed on the following OnePlus models:

  • OnePlus 8T / KB2003, OxygenOS 12 (KB2003\_11\_C.33)
  • OnePlus 10 Pro 5G / NE2213, OxygenOS 14-15 builds (NE2213\_14.0.0.700, 15.0.0.502, 15.0.0.700, 15.0.0.901)

OxygenOS 11 builds were not affected, indicating the introduction of the vulnerability with OxygenOS 12 in 2021. Given the nature of the issue, other OnePlus devices running the specified versions of OxygenOS are likely affected.

Impact of the Vulnerability

The exploitation of CVE-2025-10184 can have severe consequences:

  • SMS-Based MFA Bypass: Attackers can intercept SMS-based MFA codes, gaining unauthorized access to accounts protected by this authentication method.
  • Data Exfiltration: Sensitive information contained in SMS messages, such as financial alerts, personal communications, and password reset links, can be silently exfiltrated.
  • Privacy Violation: Users’ privacy is compromised as their SMS data is accessed without their knowledge or consent.
  • Blind SQL Injection: The ability to perform blind SQL injection exacerbates the risk of data exfiltration, allowing attackers to extract data character by character.

The availability of a proof-of-concept (PoC) further increases the risk, as it lowers the barrier to entry for potential attackers. Organizations should consider implementing supply-chain risk monitoring to detect affected devices within their network and connected third parties.

OnePlus device displaying intercepted SMS messages

Lack of Vendor Patch and Disclosure Challenges

Rapid7’s attempts to coordinate disclosure with OnePlus were unsuccessful. The vendor’s restrictive NDA terms prevented reporting the flaw through their bug bounty program. As a result, CVE-2025-10184 remains unpatched, leaving users vulnerable.

Mitigation Strategies

Given the absence of a vendor patch, users and organizations must implement alternative mitigation strategies:

  • Install Trusted Apps: Only install applications from trusted sources, such as the Google Play Store. Regularly review installed apps and remove any that are unnecessary or appear suspicious.
  • Switch to Authenticator Apps: Migrate from SMS-based MFA to authenticator applications, which generate time-based one-time passwords (TOTP) locally on the device.
  • Use Encrypted Messaging Apps: For sensitive communications, use end-to-end encrypted messaging applications instead of SMS.
  • Opt for In-App Push Notifications: Where possible, choose in-app push notifications instead of SMS alerts for services and applications.
  • Monitor Network Traffic: Organizations should monitor network traffic for unusual activity originating from OnePlus devices, which could indicate exploitation attempts.
  • Implement Mobile Device Management (MDM): Utilize MDM solutions to enforce security policies on mobile devices, such as restricting app installations and monitoring device activity.
  • Regularly Review App Permissions: Periodically review the permissions granted to installed applications and revoke any unnecessary permissions, especially those related to SMS access.

These measures can significantly reduce the risk of exploitation and protect sensitive information. Furthermore, proactively scanning the dark web monitoring service and underground forum intelligence can provide early warnings of threat actors discussing or exploiting this vulnerability.

Relevance to PurpleOps Services

This unpatched OnePlus flaw highlights the importance of several cybersecurity services offered by PurpleOps:

  • Cyber Threat Intelligence Platform: PurpleOps’s platform can be used to gather and analyze information about the vulnerability, including potential exploit methods and attacker tactics. This allows organizations to proactively defend against potential attacks.
  • Dark Web Monitoring Service: PurpleOps can monitor the dark web for discussions about the vulnerability, including the sale of exploits or stolen data. This provides early warning of potential threats.
  • Breach Detection: PurpleOps’s breach detection capabilities can help organizations identify and respond to successful exploitation attempts.
  • Supply-Chain Risk Monitoring: PurpleOps can help organizations assess the risk posed by this vulnerability to their supply chain, identifying affected devices and implementing appropriate mitigation measures.
  • Brand Leak Alerting: PurpleOps can monitor for mentions of sensitive data related to the vulnerability being leaked online, allowing for rapid response and containment.

By leveraging these services, organizations can effectively mitigate the risks associated with CVE-2025-10184 and protect their sensitive data. Additionally, PurpleOps offers penetration testing and red team operations to simulate real-world attacks and identify vulnerabilities before they can be exploited by malicious actors.

Actionable Advice

Technical Readers:

  • Implement network monitoring to detect unusual SMS traffic patterns.
  • Develop custom intrusion detection system (IDS) rules to identify exploitation attempts based on known PoC characteristics.
  • Harden mobile device configurations using MDM solutions to restrict unnecessary app permissions and monitor device activity.

Business Leaders:

  • Prioritize the migration from SMS-based MFA to more secure alternatives like authenticator apps.
  • Invest in cyber threat intelligence and dark web monitoring services to stay informed about emerging threats and vulnerabilities.
  • Conduct regular security assessments, including penetration testing, to identify and address vulnerabilities in your systems and devices.
  • Ensure that your organization has a robust incident response plan in place to handle potential data breaches or security incidents resulting from this vulnerability.
  • Implement comprehensive employee training programs to raise awareness about mobile security risks and best practices.

Conclusion

The unpatched CVE-2025-10184 vulnerability in OnePlus OxygenOS poses a significant risk to users and organizations. The ability to silently access SMS data and bypass MFA protections can have severe consequences. While a vendor patch is unavailable, implementing the recommended mitigation strategies can substantially reduce the risk. Organizations should leverage cyber threat intelligence and other security services to stay informed and proactively defend against potential attacks.

To learn more about how PurpleOps can help you protect your organization from mobile security threats and other cyber risks, explore our platform or contact us for more information here.

FAQ

Q: What is CVE-2025-10184?

A: CVE-2025-10184 is a critical, unpatched vulnerability in OnePlus OxygenOS that allows unauthorized access to SMS data, potentially compromising multi-factor authentication (MFA) protections.

Q: Which OnePlus devices are affected?

A: The vulnerability has been confirmed on OnePlus 8T (OxygenOS 12) and OnePlus 10 Pro 5G (OxygenOS 14-15 builds). Other OnePlus devices running the specified versions of OxygenOS are likely affected.

Q: What are the mitigation strategies for this vulnerability?

A: Mitigation strategies include installing trusted apps, switching to authenticator apps, using encrypted messaging apps, opting for in-app push notifications, monitoring network traffic, implementing Mobile Device Management (MDM), and regularly reviewing app permissions.

Q: How can PurpleOps help with this vulnerability?

A: PurpleOps can help through its Cyber Threat Intelligence Platform, Dark Web Monitoring Service, Breach Detection capabilities, Supply-Chain Risk Monitoring, and Brand Leak Alerting. These services help organizations proactively defend against potential attacks, identify and respond to exploitation attempts, and assess the risk posed by the vulnerability to their supply chain.