Telephony Provider Vulnerability in OnePlus OxygenOS
CVE-2025-10184

8.2HIGH

Key Information:

Vendor: Oneplus
Status: Oxygenos
Vendor: CVE Published:; 23 September 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-10184?

This vulnerability in the OnePlus OxygenOS allows unauthorized applications to read SMS and MMS data from the Telephony provider without any user consent, notification, or interaction. Users are at risk of sensitive information disclosure, which could undermine the security of SMS-based Multi-Factor Authentication (MFA) systems. The issue stems from missing permissions related to several content providers combined with a blind SQL injection vulnerability in their update methods. As a result, malicious applications might exploit this flaw to access private communications, putting user data at significant risk.

Affected Version(s)

OxygenOS 12.*

OxygenOS 13.*

OxygenOS 14.*

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-10184 - Proof of Concept

References

https://www.rapid7.com/blog/post/cve-2025-10184-oneplus-o...

third-party-advisorytechnical-description

https://assets.contentstack.io/v3/assets/blte4f029e766e6b...

exploit

CVSS V4

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Sep 23, 2025
👾
Exploit known to exist
Sep 23, 2025
Vulnerability published
Sep 23, 2025
Vulnerability Reserved
Sep 9, 2025

Credit

Calum Hutton

JSON

Oneplus

Badges

What is CVE-2025-10184?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline

Credit