OnePlus Confirms Vulnerability in OxygenOS 12–15 That Could Let Malicious Apps Read Your SMS; Security Patch Expected Next Month
A critical security flaw has been discovered in OxygenOS versions 12 through 15 that allows malicious apps to secretly access users’ SMS and metadata.
The vulnerability, tracked as CVE-2025-10184, was first identified by security firm Rapid7. It enables a rogue app to read text messages without any user interaction or visible notification, raising serious concerns for SMS-based multi-factor authentication (MFA), as one-time passwords (OTPs) could be intercepted.
During testing, Rapid7 confirmed the flaw on the OnePlus 8T running OxygenOS 12 and the OnePlus 10 Pro 5G running OxygenOS 14 and 15. However, the issue was not present on OxygenOS 11, suggesting it was introduced with OxygenOS 12, released in 2021.
As of now, the vulnerability remains unpatched. In a statement to 9to5Google, OnePlus acknowledged the issue and said a security patch will begin rolling out globally from mid-October.
“We acknowledge the recent disclosure of CVE-2025-10184 and have implemented a fix. This will be rolled out globally via software update starting from mid-October. OnePlus remains committed to protecting customer data and will continue to prioritize security improvement.”
Until the fix becomes available, it is advisable to take precautions. Rapid7 recommends the following steps:
- Only install apps from trusted sources and remove all non-essential apps. This reduces the risk of untrusted apps exploiting the flaw to read SMS/MMS data.
- Review third-party services that rely on SMS-based MFA and switch to an authenticator app where possible. This prevents sensitive codes from being sent via SMS.
- Use end-to-end encrypted messaging apps instead of SMS for private conversations, reducing the chances of sensitive information being exposed.
- Change SMS-based notifications to in-app push notifications for third-party services, where available, to limit sensitive information sent through SMS.