Particle.news

OnePlus Sets Mid-October Fix for OxygenOS Flaw Letting Apps Read SMS

Security researchers say the bug undermines SMS-based two-factor codes, advising a switch to authenticator apps until patches arrive.

Overview

  • The vulnerability, tracked as CVE-2025-10184, enables installed apps to read SMS and MMS without user permission, with some builds also allowing silent message sending.
  • OxygenOS 12 through 15 are affected, while the versions of OxygenOS 11 tested by researchers were not vulnerable.
  • Rapid7 validated the issue on the OnePlus 8T and OnePlus 10 Pro and characterized it as a platform-level change rather than a device-specific one.
  • OnePlus acknowledged the flaw and says a fix has been implemented, with a global software update scheduled to begin rolling out in mid-October 2025.
  • Guidance before patches land includes avoiding SMS for 2FA, removing nonessential or untrusted apps, and using authenticator apps or security keys; for enterprises, it also includes tightening MDM and IdP policies to inventory at-risk devices and block SMS authentication.