AI description
CVE-2025-10184 is a permission bypass vulnerability found in multiple versions of OnePlus OxygenOS, an Android-based operating system. It allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without requiring user permission, interaction, or consent. The user is also not notified that SMS data is being accessed. The vulnerability stems from missing permission checks in content providers (PushMessageProvider, PushShopProvider, and ServiceNumberProvider) introduced by OnePlus, combined with a blind SQL injection vulnerability in the update method of those providers. This can be exploited to bypass the core Android READ_SMS permission and silently extract users' SMS data, potentially breaking SMS-based multi-factor authentication.
- Description: The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks. The root cause is a combination of missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider), and a blind SQL injection in the update method of those providers.
- Source: cve@rapid7.com
- NVD status: Received
CVSS 4.0
- Type: Secondary
- Base score: 8.2
- Impact score: -
- Exploitability score: -
- Vector string: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity: HIGH
- cve@rapid7.com: CWE-89
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score: 27
🚨 OnePlus Alert: A CVE-2025-10184 flaw (CVSS 8.2) in OxygenOS lets any malicious app read your SMS—including MFA codes—without permission or warning. Unpatched since OxygenOS 12 (2021). OnePlus says it’s investigating. #cybernews https://t.co/fWBumF9ReY
@Free713PK
26 Sept 2025
29 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 OnePlus Alert: A CVE-2025-10184 flaw (CVSS 8.2) in OxygenOS lets any malicious app read your SMS—including MFA codes—without permission or warning. Unpatched since OxygenOS 12 (2021). OnePlus says it’s investigating. https://t.co/sEnjp3oqzq #oneplus #oxygenos
@krishna_an33850
26 Sept 2025
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Risk of SMS data leakage due to the OnePlus vulnerability CVE-2025-10184 https://t.co/TrSQjdmEka #Security #セキュリティー #ニュース
@SecureShield_
25 Sept 2025
55 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-10184 is a permission bypass that affects multiple #OnePlus devices running OxygenOS 12–15 (NOT FIXED) with PoC. This vulnerability allows any application installed on the device to read SMS/MMS without permission, user interaction, or consent. https://t.co/OHYZEQYzT6
@neurasoftdev
25 Sept 2025
191 Impressions
3 Retweets
3 Likes
0 Bookmarks
0 Replies
0 Quotes
📰 OnePlus OxygenOS has a permission bypass vulnerability, and attackers can steal text messages and bypass MFA protection (CVE-2025-10184). The OnePlus vulnerability has no patches; SMS/MFA data is running naked.
@The3Monoss
24 Sept 2025
57 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-10184 is a permission bypass that affects multiple #OnePlus devices running OxygenOS 12–15 (NOT FIXED) with PoC. This vulnerability allows any application installed on the device to read SMS/MMS without permission, user interaction, or consent. https://t.co/ZbEnxsGJTJ ht
@androidmalware2
24 Sept 2025
16908 Impressions
57 Retweets
294 Likes
95 Bookmarks
5 Replies
2 Quotes
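A serious permission bypass vulnerability, CVE-2025-10184, has been discovered in OnePlus's OxygenOS. The flaw allows any app to read SMS/MMS without the user's consent, and carries a risk that leads directly to the leakage of multi-factor authentication codes.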
@yousukezan
24 Sept 2025
879 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-10184 The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, use… https://t.co/sxmP59IN5x
@CVEnew
23 Sept 2025
210 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes