Rapid7 security researchers have exposed a critical vulnerability, CVE-2025-10184, in OxygenOS 12 through 15 that allows apps to read sensitive SMS/MMS messages, including OTPs and banking codes, without user permission. OnePlus has remained unresponsive to repeated disclosure attempts by Rapid7 since May 2025, prompting the researchers to go public on September 22, 2025.

• The bug affects OnePlus devices running OxygenOS 12 and above, confirmed on the OnePlus 8T and OnePlus 10 Pro 5G across OxygenOS 12, 14, and 15 builds.
• The vulnerability exploits SQL injection through the Telephony provider in Android to access the SMS database without user knowledge.
• As of September 22, 2025, the bug remains unpatched, with OnePlus offering no official communication or fix, advising users to use trusted apps, switch MFA methods, and use encrypted messaging.