- CVE-2025-10184 allows attackers to read and send SMS, including 2FA codes
- Vulnerability affects OxygenOS versions 12 to 15, used on many OnePlus devices
- Rapid7 disclosed the flaw after failed contact attempts; OnePlus has not yet released a fix
A vulnerability in the software used on OnePlus smartphones could allow threat actors to send SMS messages on behalf of the victim, experts warned.
Worse, it allows them to read SMS content, including multi-factor authentication codes in cases where SMS is configured as the second factor of choice, Rapid7 security researchers revealed.
The team recently discovered a vulnerability in multiple versions of OxygenOS, the operating system created for OnePlus phones and based on Google's Android. It affects the OxygenOS telephony content provider in versions 12 through 15, which means the problem may have been affecting devices for at least four years.
Late response
The researchers confirmed that the flaw worked on a OnePlus 8T device running OxygenOS 12, as well as on multiple OnePlus 10 Pro 5G units running OxygenOS 14 and 15.
However, given the way OnePlus builds and ships its phones, the researchers emphasized that the list of vulnerable devices is much longer.
Rapid7 said that since it detected the problem in May 2025, it had tried to reach OnePlus, but allegedly in vain.
After some failed attempts, the researchers published their findings together with a proof of concept (PoC) in September, after which OnePlus publicly acknowledged the bug and, according to reports, began to investigate.
However, by the time this article was published, OnePlus had not yet released a fix, which means the bug is still exploitable on many of its devices.
To stay safe, users should keep the number of installed applications to a minimum, install only those from reputable publishers, and switch away from SMS-based two-factor authentication.
In addition, communication should move away from SMS messages to other applications, such as WhatsApp, Telegram or similar. The vulnerability is now tracked as CVE-2025-10184, with a severity score of 8.2/10 (high).
OnePlus is a subsidiary of the Chinese smartphone manufacturer Oppo, and is known for building premium smartphones at a competitive price.
Via BleepingComputer