AI description
CVE-2025-10184 is a permission bypass vulnerability found in multiple versions of OnePlus OxygenOS, an Android-based operating system. It allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without requiring user permission, interaction, or consent. The user is also not notified that SMS data is being accessed. The vulnerability stems from missing permission checks in content providers (PushMessageProvider, PushShopProvider, and ServiceNumberProvider) introduced by OnePlus, combined with a blind SQL injection vulnerability in the update method of those providers. This can be exploited to bypass the core Android READ_SMS permission and silently extract users' SMS data, potentially breaking SMS-based multi-factor authentication.
- Description: The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks. The root cause is a combination of missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider), and a blind SQL injection in the update method of those providers.
- Source: cve@rapid7.com
- NVD status: Received
CVSS 4.0
- Type: Secondary
- Base score: 8.2
- Impact score: -
- Exploitability score: -
- Vector string: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity: HIGH
- cve@rapid7.com: CWE-89
- Hype score: Not currently trending
OnePlus CVE-2025-10184 vulnerability https://t.co/oMkGTI384r #curenjeinformacija #dataleak #oneplusproblemi #oneplusranjivost #oneplussecurity #pametnitelefon #phonevulnerability #privatnostkorisnika #rizikzapodatke #securityalert #sigurnosttelefona #zlonamjerneaplikacije
@SajberInfoBlog
4 Oct 2025
39 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 OnePlus SMS/MMS flaw (CVE-2025-10184) • Discovered by Rapid7 this week • Affects OxygenOS 12, 14, 15 (OnePlus 9 → 12 series) • Malicious apps can access SMS/MMS without user consent OnePlus confirms: patch arriving mid-October 2025. Until then: 🔒 What to do •
@mobilengineer
30 Sept 2025
175 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
OnePlus smartphones running OxygenOS versions 12 through 15 contain a critical security vulnerability, CVE-2025-10184, allowing malicious apps to read & send SMS messages without user permission, affecting millions of devices https://t.co/LYW4p86tzh via @ET_CISO
@AYogesa
29 Sept 2025
52 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
OnePlus CVE-2025-10184: Ditch SMS 2FA Now https://t.co/AO1XiZWNOP
@ytroncal
28 Sept 2025
33 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A critical OnePlus security flaw (CVE-2025-10184) affects OxygenOS 12, 14, & 15! 😱 Malicious apps can read your SMS/MMS, bypassing 2FA. Fix coming Mid-October. Update ASAP! ⚠️📱 #OnePlus #SecurityAlert #Android https://t.co/z5AQyYzWGf
@Times_of_Cinema
28 Sept 2025
120 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
🚨 OnePlus Security Alert: Critical flaw (CVE-2025-10184) in OxygenOS 12, 14 & 15 lets malicious apps read SMS/MMS without permission, breaking 2FA. Affects OnePlus 8T, 10 Pro & more. 🛑 Fix coming mid-Oct. Until then: use trusted apps, switch to authenticator apps, &
@The_Hunt_x
28 Sept 2025
110 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 OnePlus Security Alert A critical flaw (CVE-2025-10184) found in OxygenOS 12, 14 & 15 lets malicious apps read SMS/MMS without permission, risking 2FA/MFA codes. 📱 Vulnerable builds: • 8T (OOS 12 C.33) • 10 Pro 5G (OOS 14.0.0.700) • 10 Pro 5G (OOS 15.0.0.502/7
@TechJunctionX1
28 Sept 2025
4 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 OnePlus Security Alert Cyber firm Rapid7 has revealed a critical flaw (CVE-2025-10184) in OnePlus phones running OxygenOS 12, 14 & 15. 👉 Malicious apps can read SMS/MMS without permission, interaction, or notice — breaking SMS-based MFA/2FA security. 📱 Tested v
@techiboy96
28 Sept 2025
19251 Impressions
18 Retweets
270 Likes
47 Bookmarks
11 Replies
1 Quote
🚨 @OnePlus_IN News18 & other outlets reported a major security flaw (CVE-2025-10184) in OnePlus devices. It says apps can read SMS without permission. Can you confirm if this is real or fake, especially for OnePlus Nord 5 5G? Users are worried. #OnePlus #cybersecuritytip
@Saisrinivasmahi
26 Sept 2025
32 Impressions
0 Retweets
0 Likes
0 Bookmarks
2 Replies
0 Quotes
⚠️ Weekly vuln radar from https://t.co/8RzyA4ocnO: CVE-2025-20352 CVE-2025-20333 CVE-2025-20362 CVE-2025-25257 (@0x_shaq) CVE-2024-36401 (Steve Ikeoka) CVE-2025-10035 CVE-2025-10184 (Calum Hutton) CVE-2025-53690 (Andi Slok) CVE-2024-28986 https://t.co/HF5Ob5EPZO
@ptdbugs
26 Sept 2025
207 Impressions
0 Retweets
1 Like
1 Bookmark
0 Replies
0 Quotes
🚨 OnePlus Alert: A CVE-2025-10184 flaw (CVSS 8.2) in OxygenOS lets any malicious app read your SMS—including MFA codes—without permission or warning. Unpatched since OxygenOS 12 (2021). OnePlus says it’s investigating. #cybernews https://t.co/fWBumF9ReY
@Free713PK
26 Sept 2025
56 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 OnePlus Alert: A CVE-2025-10184 flaw (CVSS 8.2) in OxygenOS lets any malicious app read your SMS—including MFA codes—without permission or warning. Unpatched since OxygenOS 12 (2021). OnePlus says it’s investigating. https://t.co/sEnjp3oqzq #oneplus #oxygenos
@krishna_an33850
26 Sept 2025
5 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A security hole was discovered in OnePlus devices that allows any app to read SMS and MMS (including 2FA). At Rapid7 they found a vulnerability, CVE-2025-10184; the problem started when OnePlus engineers played with the Android code and introduced a component called https://t.co/m
@TheDeep_State6
25 Sept 2025
69 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Risk of SMS data leakage due to OnePlus vulnerability CVE-2025-10184 https://t.co/TrSQjdmEka #Security #セキュリティー #ニュース
@SecureShield_
25 Sept 2025
55 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-10184 is a permission bypass that affects multiple #OnePlus devices running OxygenOS 12–15 (NOT FIXED) with PoC. This vulnerability allows any application installed on the device to read SMS/MMS without permission, user interaction, or consent. https://t.co/OHYZEQYzT6
@neurasoftdev
25 Sept 2025
191 Impressions
3 Retweets
3 Likes
0 Bookmarks
0 Replies
0 Quotes
📰 OnePlus OxygenOS has a permission bypass vulnerability, and attackers can steal text messages and bypass MFA protection (CVE-2025-10184). The OnePlus vulnerability has no patch; SMS/MFA data is running naked.
@The3Monoss
24 Sept 2025
57 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-10184 is a permission bypass that affects multiple #OnePlus devices running OxygenOS 12–15 (NOT FIXED) with PoC. This vulnerability allows any application installed on the device to read SMS/MMS without permission, user interaction, or consent. https://t.co/ZbEnxsGJTJ ht
@androidmalware2
24 Sept 2025
16908 Impressions
57 Retweets
294 Likes
95 Bookmarks
5 Replies
2 Quotes
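A serious permission bypass vulnerability, CVE-2025-10184, has been discovered in OnePlus's OxygenOS. It is a flaw that lets any app read SMS/MMS without the user's consent, and it carries a risk that leads directly to the leakage of multi-factor authentication codes.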
@yousukezan
24 Sept 2025
879 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-10184 The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, use… https://t.co/sxmP59IN5x
@CVEnew
23 Sept 2025
210 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes