Unpatched Vulnerability in OnePlus Devices Lets Any App Read SMS

Security specialists at Rapid7 have discovered a serious flaw in multiple versions of OxygenOS, the Android-based operating system used in OnePlus devices. The vulnerability allows any installed application to access SMS data and metadata—without permissions or user interaction.

Discovery and Disclosure

The issue, tracked as CVE-2025-10184, remains unpatched. Rapid7 says OnePlus has not responded to repeated contact attempts since May 2025. With no vendor action, the researchers opted to publicly disclose the technical details along with a proof-of-concept exploit.

How the Vulnerability Works

The flaw stems from OnePlus modifying the standard Android Telephony package by adding extra exported content providers—PushMessageProvider, PushShopProvider, and ServiceNumberProvider. These providers failed to declare the necessary READ_SMS permission, leaving them accessible to any app by default.

In addition, user input is not properly sanitized. This opens the door to blind SQL injection attacks, which can recover SMS message contents from the database by brute-forcing one character at a time.

“By repeating this algorithm for each character in each row of the subquery, the contents of the database can be extracted—the return value of the update method will indicate whether you guessed the character correctly or not,” Rapid7 explained.

Conditions for Exploitation

Despite READ_SMS being configured correctly, the missing write restrictions allow SMS data extraction under specific conditions:

• The table must contain at least one row so that update() can return a “rows changed” result.
• The provider must allow insert() so an attacker can create a dummy row if the table is empty.
• The sms table must be in the same SQLite file to allow the injected subquery to access it.

Impacted Devices

The vulnerability affects OxygenOS 12 through 15 (based on Android 15). Rapid7 confirmed the bug on OnePlus 8T and OnePlus 10 Pro across multiple OxygenOS and Telephony package versions.

“Although the build numbers in the provided table are specific to the test devices, since the problem affects a core Android component, we expect this vulnerability to impact other OnePlus devices running the mentioned OxygenOS versions. That is, this is not a hardware-specific issue,” Rapid7 noted.

OnePlus Response and User Guidance

After Rapid7’s disclosure, OnePlus acknowledged the issue and stated that it is under investigation. No timeline for patches has been announced.

Until fixes are available, users are advised to:

• Minimize the number of apps installed on OnePlus devices.
• Only install software from verified developers.
• Avoid SMS-based two-factor authentication in favor of OTP apps such as Google Authenticator.
• Use messaging applications with end-to-end encryption for sensitive communications.