Joe Maring / Android Authority
TL;DR
OnePlus devices running Oxygen OS 12, 14, and 15 are affected by a serious SMS vulnerability that allows bad apps to secretly read messages.
Devices on Oxygen OS 11 aren’t affected.
OnePlus has acknowledged the flaw, but unfortunately, a fix will only roll out globally starting in October.
If a OnePlus phone is your daily driver, it’s likely affected by a serious vulnerability that can allow bad apps to secretly read your text messages.
Uncovered by cybersecurity firm Rapid7, the flaw affects a wide range of OnePlus devices running various versions of Oxygen OS. It poses a significant threat to sensitive and personal information received in SMSes, including codes used for two-factor authentication.
What is the vulnerability?
The issue is tracked as CVE-2025-10184. It allows malicious apps on affected OnePlus phones to access SMS and MMS data without user permission, interaction, or notification. This means hackers can potentially spy on private messages or bypass security checks that rely on SMS codes.
Rapid7 tested and confirmed the vulnerability on the OnePlus 8T and OnePlus 10 Pro running Oxygen OS 12, 14, and 15. Because the vulnerability affects a core Android system component, researchers warn it could also affect any other OnePlus device running the aforementioned versions of Oxygen OS, and that its impact could be “high.”
OnePlus’ response
A little late, but OnePlus has acknowledged the problem and says a fix is on the way. Unfortunately, there’s still a while before it rolls out widely. In a statement shared with 9to5Google, the company said:
“We acknowledge the recent disclosure of CVE-2025-10184 and have implemented a fix. This will be rolled out globally via software update starting from mid-October. OnePlus remains committed to protecting customer data and will continue to prioritize security improvement.”
Rapid7 says it initially tried to contact OnePlus through its bug bounty program but was unable to do so due to restrictive non-disclosure terms. As a result, the company decided to disclose the flaw publicly.
Until the fix is rolled out in October, users on Oxygen OS 12 or newer will remain at risk. So if you’re using a OnePlus phone, it would be wise not to install apps from unknown sources, at least till the fix rolls out.