AI description
CVE-2025-12080 involves a misconfigured intent handler in Google Messages on Wear OS. The vulnerability allows an attacker who is able to invoke intents to send messages on behalf of the user without confirmation or explicit permission. The issue stems from incorrect handling of ACTION_SENDTO intents that use the sms:, smsto:, mms:, and mmsto: URI schemes when Google Messages is the default SMS/MMS/RCS app. An attacker could exploit this by distributing an app that appears legitimate and silently sends messages to arbitrary targets without needing permissions. This could lead to security and financial threats, as exploitation is stealthy and difficult for users to detect.
- Description
- On Wear OS devices, when Google Messages is configured as the default SMS/MMS/RCS application, the handling of ACTION_SENDTO intents utilizing the sms:, smsto:, mms:, and mmsto: Uniform Resource Identifier (URI) schemes is incorrectly implemented. Due to this misconfiguration, an attacker capable of invoking an Android intent can exploit this vulnerability to send messages on the user’s behalf to arbitrary receivers without requiring any further user interaction or specific permissions. This allows for the silent and unauthorized transmission of messages from a compromised Wear OS device.
- Source
- cve-coordination@google.com
- NVD status
- Awaiting Analysis
CVSS 4.0
- Type
- Secondary
- Base score
- 6.9
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- MEDIUM
- cve-coordination@google.com
- CWE-345
- Hype score
- Not currently trending
🛠️ Silent Message Sending in WearOS (CVE-2025-12080) Google Messages vulnerability enables covert messaging. PoC and detailed analysis: https://t.co/jmH7E2JmjD https://t.co/OO9JxXfJVW https://t.co/lZV62GnVqk
@IntCyberDigest
11 Nov 2025
2189 Impressions
1 Retweet
18 Likes
6 Bookmarks
0 Replies
0 Quotes
⚠️ Wear OS Flaw Lets Apps Send SMS Without Consent TL;DR • CVE-2025-12080 in Google Messages allows any app to send texts via intent abuse. • Bypasses permissions, enabling silent fraud or phishing on smartwatches. • Patched now, but highlights Wear OS ecosystem risks f
@mobilengineer
2 Nov 2025
57 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Google Wear OS Flaw Allows Apps to Send Texts Sans Permission A critical vulnerability (CVE-2025-12080) in Google Messages for Wear OS exposes millions of users to risks. It allows any app to send texts on behalf of users without permissions or confirmation, risking unauthorized
@Secwiserapp
29 Oct 2025
34 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Vulnerability in Google Messages for Wear OS resulted in invoking intents to send messages without permission (CVE-2025-12080) discovered by and awarded $2,250.00 by Google https://t.co/4TWzTfZPRs
@Endurance448146
29 Oct 2025
1 Impression
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A vulnerability in Wear OS that allows any installed app to send messages through Google Messages. CVE-2025-12080, CVSSv4 score 6.9. In the handling of ACTION_SENDTO intents with the sms:, smsto:, mms:, mmsto: URI schemes, the confirmation pro
@__kokumoto
29 Oct 2025
730 Impressions
2 Retweets
3 Likes
1 Bookmark
0 Replies
0 Quotes
Vulnerability in Google Messages for Wear OS resulted in invoking intents to send messages without permission (CVE-2025-12080) discovered by and awarded $2,250.00 by https://t.co/bi1MusOcxD
@NotHey275182
28 Oct 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Vulnerability in Google Messages for Wear OS resulted in invoking intents to send messages without permission (CVE-2025-12080) discovered by @Io_no__ and awarded $2,250.00 by Google Blog: https://t.co/0LCUt8uMyE… PoC: https://t.co/ckfUyE3gT6… https://t.co/rYVYAd64NA
@neurasoftdev
28 Oct 2025
73 Impressions
4 Retweets
4 Likes
0 Bookmarks
0 Replies
0 Quotes
Vulnerability in Google Messages for Wear OS resulted in invoking intents to send messages without permission (CVE-2025-12080) and awarded $2,250.00 by Google Blog: https://t.co/Dh82Lg3tbA PoC: https://t.co/9ZasaAwp8h https://t.co/nRnzOQMBCl
@zeeshankghouri
28 Oct 2025
5 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Vulnerability in Google Messages for Wear OS resulted in invoking intents to send messages without permission (CVE-2025-12080) https://t.co/2QXl9RmkWM
@MuhammadBa42074
27 Oct 2025
1 Impression
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
📱 CVE-2025-12080: A Wear OS bug in Google Messages let apps send SMS via intent URIs without consent. Reported Mar 2025 → bounty awarded → patched May 2025. Read more: https://t.co/lDuKsoGuEe #Google #WearOS #MobileSecurity @ArmoredMobile
@ArmoredMobile
27 Oct 2025
92 Impressions
0 Retweets
4 Likes
0 Bookmarks
0 Replies
0 Quotes
Vulnerability in Google Messages for Wear OS resulted in invoking intents to send messages without permission (CVE-2025-12080) discovered by @Io_no__ and awarded $2,250.00 by Google Blog: https://t.co/YlpilfkxyY PoC: https://t.co/4NGHF3w7cI https://t.co/fWVnvrOICN
@androidmalware2
27 Oct 2025
20908 Impressions
35 Retweets
336 Likes
106 Bookmarks
1 Reply
0 Quotes
In March I found an exposed intent in Google Messages for Wear OS that allowed sending messages without permissions or user confirmation (CVE-2025-12080). Full details in the wup. https://t.co/8NSsuUf1YS
@Io_no__
27 Oct 2025
451 Impressions
2 Retweets
9 Likes
3 Bookmarks
1 Reply
0 Quotes
CVE-2025-12080 On Wear OS devices, when Google Messages is configured as the default SMS/MMS/RCS application, the handling of ACTION_SENDTO intents utilizing the sms:, smsto:, mms:,… https://t.co/iMK7a9tRlj
@CVEnew
27 Oct 2025
287 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes