OnePlus Phones Face Security Vulnerability
The majority of OnePlus phones in use today may be vulnerable to a security flaw that leaves SMS and MMS data exposed, and it won’t be patched until mid-October. Only OnePlus phones still running 2020’s OxygenOS 11 or earlier are believed to be safe from the flaw, reports 24brussels.
Security company Rapid7 was first to discover the vulnerability, which relates to changes OnePlus made to the Telephony service within Android. The flaw allows installed apps to access SMS data “without permission, user interaction, or consent.” Rapid7 found the vulnerability on devices running OxygenOS 12, 14, and 15, indicating that it may affect a core component of Android and is not hardware-specific.
OnePlus has acknowledged the issue but stated through an unnamed spokesperson to 9to5Google that a fix will not arrive until mid-October at the earliest. The company has committed to protecting customer data and prioritizing security improvements.
“We acknowledge the recent disclosure of CVE-2025-10184 and have implemented a fix. This will be rolled out globally via software update starting from mid-October.”
Rapid7 announced the discovery on its blog earlier this week; however, OnePlus did not respond until Wednesday. Rapid7 reported that its attempts to contact OnePlus privately were unsuccessful, leading the firm to reveal the issue publicly. It ruled out the company’s bug bounty program due to a restrictive Non-Disclosure Agreement.
Until the flaw is patched, Rapid7 advises OnePlus device owners to only install apps from trusted sources, uninstall unnecessary applications, switch to encrypted messaging apps, and use authenticator apps instead of SMS-based two-factor authentication.
