
"Security company Rapid7 was first to discover the vulnerability, which relates to changes OnePlus made to the Telephony service within Android. The long and short of it is that it would allow installed apps to access SMS data "without permission, user interaction, or consent." The company found the flaw on devices running OxygenOS 12, 14, and 15, though reported that the older OxygenOS 11, based on Android 11, is not vulnerable."
"OnePlus has admitted to the issue, but in a statement given to 9to5Google by an unnamed spokesperson it says a fix won't arrive until mid-October at the earliest. "We acknowledge the recent disclosure of CVE-2025-10184 and have implemented a fix. This will be rolled out globally via software update starting from mid-October. OnePlus remains committed to protecting customer data and will continue to prioritize security improvements.""
A flaw in OnePlus' modified Android Telephony service allows installed apps to access SMS and MMS data without permission, user interaction, or consent. Rapid7 discovered the issue on devices running OxygenOS 12, 14, and 15 and tested OnePlus 8T and 10 Pro 5G, noting the problem affects a core Android component and is unlikely to be hardware-specific. OnePlus confirmed the vulnerability and plans a global software update starting mid-October. Rapid7 advises installing apps only from trusted sources, removing unnecessary apps, switching to encrypted messaging, and avoiding SMS-based two-factor authentication until patched.
Read at The Verge