Particle.news

OnePlus Probes Unpatched OxygenOS Flaw Letting Apps Read Texts After Rapid7 Disclosure

The bug lets unprivileged apps infer SMS contents via exposed content providers, enabling MFA bypass.

Overview

  • Rapid7 publicly detailed CVE-2025-10184, a permission bypass rated CVSS 8.2 that lets an installed app read SMS and MMS data with no user interaction and without holding any SMS permission: the data is reachable through content providers that OxygenOS leaves exposed to other apps.
  • The issue traces to OxygenOS changes introduced in version 12 and remains present through version 15; OxygenOS 11 appeared unaffected in Rapid7's tests.
  • Researchers confirmed the impact on OnePlus 8T and 10 Pro devices and warned that other OnePlus models are likely affected too, because the flaw sits in a core Android component shared across the product line.
  • Rapid7 reports months of unanswered outreach to OnePlus and says it could not use the vendor's bug-bounty program because of restrictive NDA terms; OnePlus has since acknowledged the disclosure and says it has opened an investigation.
  • With no patch available and no in-the-wild exploitation reported so far, users are advised to keep only the apps they need (any installed app can read messages via this bug), move from SMS-based MFA to authenticator apps or hardware keys, and prefer end-to-end encrypted messaging over SMS for sensitive conversations.