A vulnerability in multiple versions of OnePlus's OxygenOS allows apps to access SMS data without permission, due to unsafe exported content providers. This unpatched flaw impacts several device models and could enable data exfiltration through SQL injection techniques. #CVE-2025-10184 #OnePlusOxygenOS
Key points
- The vulnerability affects OxygenOS versions from 12 to 15 across various OnePlus devices.
- The flaw arises from undeclared read permissions and unsafely exported content providers in the Telephony package.
- Rapid7 researchers discovered that the issue could lead to SQL injection-based data exfiltration of SMS content.
- OnePlus has not yet responded to disclosures, but the company has begun an investigation after public disclosure.
- Users are advised to minimize app permissions, trust only reputable apps, and switch to encrypted OTP apps for two-factor authentication.