If you are using a OnePlus smartphone running OxygenOS 12, 14, or 15, we have news that should be concerning to you. Earlier this week, cybersecurity firm Rapid7 revealed that OnePlus smartphones running these OxygenOS versions have a major security flaw that could allow malicious apps access to SMS and MMS data on your smartphone without permission, user interaction, or consent.
The firm also said that the “user is also not notified that SMS data is being accessed,” which “could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks.”
Rapid7 tested and confirmed the vulnerability on various OnePlus smartphones and OxygenOS builds, as listed in the table below.
| Device / Model | Package version | OxygenOS Version | Build Number |
|---|---|---|---|
| OnePlus 8T / KB2003 | 3.4.135 | 12 | KB2003_11_C.33 |
| OnePlus 10 Pro 5G / NE2213 | 14.10.30 | 14 | NE2213_14.0.0.700(EX01) |
| OnePlus 10 Pro 5G / NE2213 | 15.30.5 | 15 | NE2213_15.0.0.502(EX01) |
| OnePlus 10 Pro 5G / NE2213 | 15.30.10 | 15 | NE2213_15.0.0.700(EX01) |
| OnePlus 10 Pro 5G / NE2213 | 15.40.0 | 15 | NE2213_15.0.0.901(EX01) |
The cybersecurity firm stated that this vulnerability, tracked as CVE-2025-10184, was introduced as part of OxygenOS 12, as the versions of OxygenOS 11 it tested were not vulnerable to this issue.
Moreover, while Rapid7 said that this security flaw “does not seem to be a hardware-specific issue,” its potential impact is considered to be high as it affects a core component of Android, and OnePlus devices other than the 8T or 10 Pro 5G running OxygenOS 12, 14, or 15 could also be vulnerable to it.
Rapid7 first contacted OnePlus on May 1, 2025, to discuss this issue, and since then, it reached out to OnePlus and Oppo half a dozen times before publicly disclosing its findings on September 23, 2025. A day later, OnePlus responded to Rapid7, acknowledging the firm’s disclosure and informing them that the Chinese brand is investigating the issue.
OnePlus didn’t tell Rapid7 what steps it would be taking; however, in a statement shared with 9to5Google later, a OnePlus spokesperson said, “We acknowledge the recent disclosure of CVE-2025-10184 and have implemented a fix. This will be rolled out globally via software update starting from mid-October. OnePlus remains committed to protecting customer data and will continue to prioritize security improvements.”
So, what can users of affected OnePlus devices do until the fix arrives in mid-October?
The folks at Rapid7 have advised the users of the affected OnePlus devices to take the following steps:
Only install apps from trusted sources and remove all non-essential apps. This will limit exposure to untrusted apps that may employ this permission bypass to read SMS/MMS data.
Review what third-party services use SMS-based multi-factor authentication (MFA) and change those services to instead use an authenticator app. This will limit sensitive information being sent to your device over SMS.
For additional privacy of text messages, users can use end-to-end encrypted messenger apps instead of SMS-based communication. This will limit sensitive information being sent to your device over SMS.
For third-party services that send SMS-based notifications, it may be possible to change to in-app push notifications. This will limit sensitive information being sent to your device over SMS.
The full disclosure by Rapid7 has more details.