Telephony Provider Vulnerability in OnePlus OxygenOS
CVE-2025-10184

8.2 HIGH

Key Information:

Vendor: OnePlus
Status: Vendor
CVE Published: 23 September 2025

Badges

  • 📈 Trended
  • 📈 Score: 2,120
  • 👾 Exploit Exists
  • 🟡 Public PoC
  • 📰 News Worthy

What is CVE-2025-10184?

CVE-2025-10184 is a significant vulnerability affecting the OnePlus OxygenOS, the operating system that powers OnePlus smartphones. This vulnerability stems from a flaw in the Telephony provider, which is responsible for managing telecommunications data on the device. Specifically, it allows malicious applications to access SMS and MMS data, along with related metadata, without the user's consent or knowledge. This unauthorized data access can compromise personal communications and sensitive information stored on the device.

The technical root cause is twofold: several content providers that manage telephony data enforce no permission requirement, and the update method of those providers contains a blind SQL injection flaw. Together these allow an unprivileged app to bypass the platform's SMS access controls, including the protection that SMS-based Multi-Factor Authentication (MFA) relies on, which poses a serious risk to users and organizations that depend on such authentication.
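The first half of that root cause, an exported content provider with no permission attached, is something a defender can check for mechanically. The following is an added example (not code from the advisory or from OnePlus) that audits an Android manifest for exported providers lacking `android:permission`, `android:readPermission`, `android:writePermission` or a `<path-permission>` child; the manifest it runs on is constructed for illustration.

```python
# Added example, not the advisory's code: audit an AndroidManifest.xml for exported content providers that require no permission.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _attr(el, name):
    return el.get(f"{{{ANDROID_NS}}}{name}")

def audit_providers(manifest_xml: str, target_sdk: int = 30) -> list[dict]:
    """Return one finding per <provider> other apps can reach with no permission.
    Exported = android:exported="true", or attribute absent and targetSdk < 17
    (the pre-API-17 default)."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for prov in root.iter("provider"):
        exported = _attr(prov, "exported")
        if exported is None:
            is_exported = target_sdk < 17
        else:
            is_exported = exported.lower() == "true"
        if not is_exported:
            continue
        guards = [_attr(prov, k) for k in ("permission", "readPermission", "writePermission")]
        # <path-permission> children can also protect individual URI paths.
        has_path_perm = prov.find("path-permission") is not None
        if not any(guards) and not has_path_perm:
            findings.append({
                "name": _attr(prov, "name"),
                "authorities": _attr(prov, "authorities"),
                "reason": "exported provider with no permission requirement",
            })
    return findings

# Constructed sample manifest: one unprotected provider, one permission-guarded, one not exported.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.telephony">
  <application>
    <provider android:name=".MmsSmsProvider" android:authorities="com.example.mms-sms"
              android:exported="true" />
    <provider android:name=".SmsProvider" android:authorities="com.example.sms"
              android:exported="true" android:readPermission="android.permission.READ_SMS"
              android:writePermission="android.permission.WRITE_SMS" />
    <provider android:name=".InternalProvider" android:authorities="com.example.internal"
              android:exported="false" />
  </application>
</manifest>"""

if __name__ == "__main__":
    for f in audit_providers(SAMPLE_MANIFEST):
        print(f"{f['name']} ({f['authorities']}): {f['reason']}")
```

A permission on the manifest does not by itself address the second half of the root cause; the provider's update path still has to treat caller-supplied selection strings as untrusted input.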

Potential Impact of CVE-2025-10184

  1. Sensitive Data Exposure: Unauthorized access to SMS and MMS content can lead to significant data leaks, including sensitive personal or organizational information. This could expose private communications and potentially allow attackers to gather intelligence for further exploitation.

  2. Compromise of Multi-Factor Authentication: The vulnerability undermines the integrity of SMS-based MFA systems, which are commonly used for securing sensitive transactions and accounts. If attackers can access the SMS data, they could intercept authentication codes, leading to unauthorized account access and identity theft.

  3. Malware Propagation: With the ability to read and access sensitive telephony data, malicious applications could leverage this information to spread malware or coordinate further attacks, significantly heightening the security risks to both devices and networks associated with vulnerable OnePlus devices.


Affected Version(s)

OxygenOS 12.*

OxygenOS 13.*

OxygenOS 14.*

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.

News Articles

Unpatched flaw in OnePlus phones lets rogue apps text messages

A vulnerability in multiple OnePlus OxygenOS versions allows any installed app to access SMS data and metadata without requiring permission or user interaction.

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • 📈 Vulnerability started trending
  • 📰 First article discovered by BleepingComputer
  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved

Credit

Calum Hutton.