Millions of OnePlus users face a critical security threat after researchers discovered a vulnerability that allows malicious apps to access SMS and MMS data without any user permission. The flaw affects most OnePlus devices running modern Android versions, with a fix not arriving until mid-October at the earliest.
The Android security landscape just took a massive hit. Rapid7 dropped a bombshell this week with the discovery of CVE-2025-10184, a critical vulnerability that's left millions of OnePlus users exposed to potential SMS and MMS data theft.
The flaw stems from changes OnePlus made to Android's Telephony service in newer versions of OxygenOS. In simple terms, any app installed on an affected device can silently harvest your text messages and multimedia messages without asking for permission or alerting you in any way. That's a nightmare scenario for anyone using SMS for banking alerts, two-factor authentication, or sensitive personal communications.
Rapid7's testing confirmed the vulnerability exists across OnePlus devices running OxygenOS 12, 14, and 15. While they only tested the OnePlus 8T and 10 Pro 5G directly, the security firm warns the flaw "affects a core component of Android" and likely impacts the entire OnePlus lineup from recent years. The good news? If you're still running 2020's OxygenOS 11 or earlier, you're in the clear.
The timing of OnePlus's response tells its own story. Rapid7 went public with their findings on Monday after failing to get OnePlus's attention through private channels. The company only acknowledged the issue Wednesday, and their response to 9to5Google was hardly reassuring.
"We acknowledge the recent disclosure of CVE-2025-10184 and have implemented a fix," an unnamed OnePlus spokesperson said. "This will be rolled out globally via software update starting from mid-October. OnePlus remains committed to protecting customer data and will continue to prioritize security improvements."
That mid-October timeline means millions of users remain vulnerable for at least another three weeks. For a security flaw this severe, that's an eternity in cyber security terms. Rapid7 tried working with OnePlus through their bug bounty program but hit a wall with what they called a "restrictive Non Disclosure Agreement."