Critical Vulnerability in OnePlus OxygenOS Android Phones: CVE-2025-10184


Key takeaways:

  • A critical permission bypass vulnerability (CVE-2025-10184) has been identified in OnePlus smartphones running OxygenOS.
  • This flaw allows unauthorized access to sensitive data, specifically SMS information, via SQL injection attacks.
  • OnePlus has been unresponsive to responsible disclosure attempts, raising concerns about their security practices.
  • Mitigation steps include monitoring network activity, limiting application permissions, and implementing EDR solutions.
  • This incident highlights the importance of supply-chain risk monitoring and cyber threat intelligence services.


Permission Bypass Details

Rapid7 security researchers discovered the permission bypass vulnerability in several versions of OxygenOS running on OnePlus smartphones. The core issue is that sensitive internal content providers on the affected devices can be reached by other apps without the expected permission checks, and the way those providers handle queries leaves them open to SQL injection. Successful exploitation allows a threat actor to bypass core Android permissions and extract SMS data without user consent.


The affected devices and OxygenOS versions are:

  • OnePlus 8T running OxygenOS version 12
  • OnePlus 10 Pro 5G running OxygenOS versions 14 and 15

The vulnerability does not appear to be present in OxygenOS 11, indicating its introduction in version 12. Rapid7 has stated the issue is not hardware-related.

Lack of Vendor Response

Rapid7 reported difficulties in coordinating a responsible disclosure with OnePlus due to the restrictive terms and conditions associated with OnePlus’s bug bounty program. These restrictions prevented Rapid7 from engaging with the program. Contact attempts to the OnePlus Security Response Center began in May 2025, with multiple follow-ups in July and August, but failed to elicit a response. Contacting OPPO, which has a business relationship with OnePlus, also did not yield any results. Consequently, Rapid7 publicly disclosed CVE-2025-10184, classifying OnePlus as a non-responsive vendor.

Potential Impact

The implications of this vulnerability are significant, especially given the current geopolitical climate. Rapid7 noted that surveillance-related vulnerabilities are of high interest to governments and threat actors, emphasizing the potential for abuse:

  • SMS Data Theft: The most immediate impact is the unauthorized extraction of SMS data.
  • Targeted Surveillance: The flaw could be used by state-sponsored actors and authoritarian regimes to surveil and oppress individuals.

Mitigation Steps

Given the lack of an official patch at the time of disclosure, the following steps can be taken:

  • Monitor Network Activity: Monitor network traffic for anomalous activity originating from OxygenOS devices.
  • Limit Application Permissions: Review the SMS permissions granted to applications on the affected OnePlus devices. Revoke permissions for any apps that do not require SMS access.
  • Network Segmentation: Isolate OxygenOS devices on a separate network segment to limit potential damage if a device is compromised.
  • Endpoint Detection and Response (EDR): Implement EDR solutions on OxygenOS devices to detect and respond to potential exploits.
  • Application Control: Whitelist the applications that are allowed to run on the OxygenOS devices to prevent malicious apps from being installed.
  • User Awareness: Educate users about the risks associated with this vulnerability and encourage them to report any suspicious activity.
  • Secure Communications: Implement secure communication channels for sensitive communications to avoid reliance on SMS.

Relevance to PurpleOps Services

The situation with CVE-2025-10184 underlines the importance of several cybersecurity measures offered by PurpleOps:

  • Supply-Chain Risk Monitoring: This incident highlights the risks inherent in the software supply chain, even when dealing with established vendors. PurpleOps’ supply-chain risk monitoring service can provide early warnings about potential vulnerabilities in third-party software used within your organization.
  • Breach Detection: Even with proactive measures, breaches can occur. PurpleOps’ breach detection services can identify and contain intrusions stemming from vulnerabilities like CVE-2025-10184.
  • Cyber Threat Intelligence Platform: Staying informed about emerging threats is crucial. PurpleOps’ cyber threat intelligence platform aggregates and analyzes threat data from various sources, providing actionable intelligence to help organizations anticipate and defend against attacks.
  • Dark Web Monitoring Service: Compromised credentials and leaked data often surface on the dark web. PurpleOps’ dark web monitoring service scans these illicit marketplaces and forums, alerting you to potential data breaches and compromised accounts.
  • Brand Leak Alerting: This vulnerability could lead to brand reputation damage for organizations using affected OnePlus devices. PurpleOps’ brand leak alerting service monitors online channels for unauthorized use of your brand assets, enabling you to take swift action to mitigate potential damage.

Actionable Advice

For Technical Readers:

  • Implement Network Segmentation: Isolate OxygenOS devices on a separate network segment to limit the potential impact of a successful exploit.
  • Monitor Network Traffic: Analyze network traffic for suspicious activity from OxygenOS devices, such as unusual data transfers or connections to unknown hosts.
  • Implement an EDR Solution: Endpoint Detection and Response (EDR) solutions can detect and block exploit attempts on OxygenOS devices.
  • SQL Injection Protection: Implement input validation and sanitization to prevent SQL injection attacks.
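The defect class described in the Permission Bypass Details section (a content provider that other apps can reach without a permission check, whose caller-supplied selection ends up in raw SQL), shown beside a hardened form that applies the permission and query-building advice above. This is an added illustrative example, not OnePlus’s code and not Rapid7’s finding; the provider, table and column names are hypothetical.

```java
// Added illustrative example; not code from OnePlus, Rapid7 or PurpleOps.
// Provider, table and column names are hypothetical.
import android.Manifest;
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;

public class MessageStoreProvider extends ContentProvider {
    private SQLiteDatabase db;

    @Override
    public boolean onCreate() {
        // Hypothetical: the hosting app opens its SQLite database here.
        return true;
    }

    // Defect class from the advisory: no permission check, and the caller's
    // selection is pasted straight into the SQL text, so a calling app
    // controls the shape of the query rather than only its values.
    public Cursor queryUnsafe(String selection) {
        return db.rawQuery("SELECT address, body FROM messages WHERE " + selection, null);
    }

    // Hardened form: enforce the platform SMS permission on the calling app
    // first (the primary control), then let SQLiteQueryBuilder parse the
    // selection in strict mode with values bound through selectionArgs.
    // The <provider> entry in AndroidManifest.xml should also set
    // android:exported="false" unless other apps genuinely need it, or
    // android:readPermission="android.permission.READ_SMS" if they do.
    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        getContext().enforceCallingOrSelfPermission(
                Manifest.permission.READ_SMS, "READ_SMS is required to read messages");
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("messages");
        // Strict mode verifies the selection is a single well-formed expression,
        // so it cannot splice additional clauses or statements into the query.
        qb.setStrict(true);
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }

    // Remaining ContentProvider callbacks are outside the scope of this example.
    @Override public String getType(Uri uri) { return null; }
    @Override public Uri insert(Uri uri, ContentValues values) { return null; }
    @Override public int delete(Uri uri, String sel, String[] args) { return 0; }
    @Override public int update(Uri uri, ContentValues v, String sel, String[] args) { return 0; }
}
```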

For Non-Technical Readers:

  • Review App Permissions: Check the permissions granted to apps on your OxygenOS device. Revoke permissions for apps that do not require access to SMS data or other sensitive information.
  • Be Cautious with Links: Avoid clicking on links in SMS messages from unknown senders.
  • Keep Devices Updated: Ensure your OxygenOS device is running the latest available software version. While there is no fix from OnePlus currently, future updates may address this vulnerability.
  • Use Secure Messaging Apps: Consider using secure messaging apps that offer end-to-end encryption to protect your communications.

The lack of responsiveness from OnePlus highlights the challenges in securing the modern mobile ecosystem. Organizations must take proactive measures to protect their data and networks, even when vendors fail to address known vulnerabilities promptly.

Real-World Examples

  • Financial Institutions: Banks using OnePlus devices for internal communications risk SMS data theft, potentially exposing sensitive financial information.
  • Healthcare Providers: Medical staff using affected devices could have patient data compromised, violating HIPAA regulations.
  • Government Agencies: Government employees using OnePlus phones may be vulnerable to targeted surveillance by state-sponsored actors.
  • Legal Firms: Law firms using OnePlus devices for client communications risk leaking confidential attorney-client information.

Call to Action

Concerned about vulnerabilities in your mobile device ecosystem? Contact PurpleOps today to learn more about our comprehensive cyber threat intelligence and supply chain risk monitoring services. Let us help you protect your organization from emerging threats. Visit our website at https://www.purple-ops.io/ or contact our sales team for a personalized consultation.

FAQ

Q: What is CVE-2025-10184?

A: CVE-2025-10184 is a high-impact permission bypass vulnerability in OnePlus smartphones running OxygenOS that allows unauthorized access to SMS information.

Q: Which OnePlus devices are affected?

A: Affected devices include OnePlus 8T running OxygenOS version 12 and OnePlus 10 Pro 5G running OxygenOS versions 14 and 15.

Q: Is there a patch available for this vulnerability?

A: As of the disclosure date, there is no official patch available from OnePlus.

Q: What can I do to protect myself?

A: Mitigation steps include monitoring network activity, limiting application permissions, and using secure messaging apps.