OnePlus Phones Hit by Major SMS Security Flaw: What You Need to Know About CVE-2025-10184

A newly discovered vulnerability has put millions of OnePlus smartphone users at risk. The flaw, identified as CVE-2025-10184, allows malicious apps to read SMS/MMS messages and abuse their contents without holding the permission Android normally requires. Security researchers at Rapid7 uncovered the issue, warning that attackers could bypass app permissions, steal sensitive information, or even intercept two-factor authentication (2FA) codes.
This security flaw has raised serious concerns about smartphone privacy, Android security, and the risks of manufacturer-customized operating systems like OxygenOS.
What Is CVE-2025-10184?
CVE-2025-10184 is a vulnerability found in OxygenOS, the Android-based operating system used on OnePlus devices.
- Affected versions: OxygenOS 12, 14, and 15 (used in several recent OnePlus devices).
- The flaw: Improper access controls allow third-party apps to read SMS and MMS messages without requesting user permission.
- Discovery: Reported by cybersecurity firm Rapid7, which disclosed the issue responsibly to OnePlus before going public.
This effectively undermines Android’s app permission model, giving attackers a way to spy on text communications.
Why This Flaw Is So Dangerous
Unlike vulnerabilities that need the victim to do something at the moment of attack, this one needs no user interaction beyond the initial installation of a malicious app: once the app is on the device, exploitation is silent.
Key risks include:
- Interception of 2FA Codes – Many online services still rely on SMS for authentication. Attackers could hijack accounts if they gain access to these codes.
- Data Theft – Personal and business conversations, OTPs, and confidential details could be stolen.
- Phishing & Scams – Cybercriminals could impersonate trusted services by reading and replying to SMS messages.
- Privacy Breach – SMS logs may reveal personal habits, contacts, and location data.
This flaw shows how custom OS modifications by phone makers can sometimes weaken Android’s built-in security.
Which OnePlus Devices Are Affected?
While OnePlus has not yet released a full list, researchers confirm that popular models running OxygenOS 12–15 are affected. These may include:
- OnePlus 8 series
- OnePlus 9 series
- OnePlus 10 series
- OnePlus 11 (depending on OS build)
Users should check their device version under Settings > About Phone > OxygenOS version.
OnePlus Response & Patch Timeline
As of now, OnePlus has acknowledged the vulnerability but has not issued an immediate patch. The company is working with Rapid7 and Google’s Android team to release security updates.
Security experts recommend users apply all upcoming system updates promptly. Until then, caution is advised when installing apps, especially from outside the Google Play Store.
How Users Can Protect Themselves Now
While waiting for official fixes, users should take precautionary steps:
- Update OxygenOS regularly – Apply security patches as soon as they’re available.
- Restrict app installs – Only download apps from Google Play or trusted sources.
- Enable Google Play Protect – Adds an extra layer of malware detection.
- Use app-based 2FA instead of SMS – Switch to Google Authenticator, Authy, or Microsoft Authenticator.
- Monitor accounts – Watch for suspicious logins, unexpected SMS activity, or fraudulent charges.
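The "restrict app installs" advice above can be turned into a quick audit. The script below is an added example, not code from the article, Rapid7 or OnePlus: it parses the output format of `adb shell pm list packages -3 -i` (one line per third-party package, of the form `package:<name>  installer=<installer or null>`) and lists every package that was not installed by Google Play (installer package `com.android.vending`). The sample output embedded in it is constructed so the script runs offline; on a real device it would come from the `adb` command shown in the comments.

```shell
#!/bin/sh
# Added audit script (not from the article). Lists the third-party apps
# that were NOT installed by Google Play, i.e. the sideloaded candidates
# to review while the OxygenOS fix is pending. Parses the output of
#   adb shell pm list packages -3 -i
# which prints lines like "package:<name>  installer=<installer or null>".

# Constructed sample output so the script runs offline. On a real device,
# replace it with:  SAMPLE=$(adb shell pm list packages -3 -i)
SAMPLE='package:com.example.bank  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.example.fromshell  installer=com.android.packageinstaller
package:com.example.store  installer=com.android.vending'

# list_non_play_packages OUTPUT
#   Prints, sorted and one per line, every package whose installer is not
#   com.android.vending (this includes installer=null, i.e. unknown origin).
list_non_play_packages() {
    printf '%s\n' "$1" \
    | awk -F'installer=' '
        /^package:/ {
            pkg = $1
            sub(/^package:/, "", pkg)
            sub(/[[:space:]]+$/, "", pkg)
            if ($2 != "com.android.vending") print pkg
        }' \
    | sort
}

# count_non_play_packages OUTPUT
#   Number of packages reported by list_non_play_packages (0 if none).
count_non_play_packages() {
    list_non_play_packages "$1" | awk 'END { print NR }'
}

# Stand-alone report on the sample. Two standard Android build properties
# are worth recording alongside the list when a device is attached:
#   adb shell getprop ro.build.version.release         # Android version
#   adb shell getprop ro.build.version.security_patch  # patch level, YYYY-MM-DD
echo "Third-party packages not installed via Google Play:"
list_non_play_packages "$SAMPLE" | sed 's/^/  /'
echo "Total: $(count_non_play_packages "$SAMPLE")"
```

Treat the result as a review queue rather than a verdict: `installer=null` also covers apps whose installer was never recorded, and an app that did come from Google Play is not automatically safe. The point is to know which apps on the phone bypassed the store, since those are exactly the ones Play Protect and the "trusted sources" rule are meant to keep out.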
Broader Implications for Android Security
This case raises bigger questions about Android’s fragmentation problem. While Google enforces strict security on stock Android, customizations by OEMs like OnePlus, Xiaomi, and others can introduce new vulnerabilities.
It also highlights the security weakness of SMS-based 2FA, which experts have long considered unsafe compared to app-based or hardware key authentication.
What This Means for Smartphone Users
According to Rapid7, “This vulnerability highlights how OEM-level modifications can unintentionally erode Android’s permission framework. Users should demand quicker patch cycles and transparent communication from manufacturers.”
For OnePlus, this is a trust challenge. The brand built its reputation on offering a clean, high-performance Android experience. If security flaws continue to emerge, it risks losing credibility among privacy-conscious users.