OnePlus phone flaw could let devices send out unwanted text messages – so take care who you ping

By Sead Fadilpašić

Copyright techradar

25 September 2025

Flaw could also expose SMS 2FA codes

CVE-2025-10184 lets attackers read and send SMS, including 2FA codes
Vulnerability affects OxygenOS versions 12 to 15, used across many OnePlus devices
Rapid7 disclosed flaw after failed contact; OnePlus has not yet released a fix

A vulnerability in the software used in OnePlus smartphones could allow threat actors to send SMS messages on behalf of the victim, experts have warned.

Even worse, it allows them to read SMS contents, including multi-factor authentication codes in cases where SMS is set up as the second factor of choice, security researchers from Rapid7 revealed.
The team recently discovered a vulnerability in multiple versions of OxygenOS, the Android-based operating system built for OnePlus phones. It affects the Telephony content provider in OxygenOS versions 12 through 15, meaning the problem may have been plaguing devices for at least four years.

Late response
The researchers confirmed the flaw working on a OnePlus 8T device, running OxygenOS 12, as well as multiple OnePlus 10 Pro 5G units running OxygenOS 14 and 15.

However, given how OnePlus builds and ships its phones, the researchers stressed that the list of vulnerable devices is a lot, lot longer.
Rapid7 said that since detecting the issue in May 2025, it tried reaching out to OnePlus but, allegedly, to no avail.
After a few failed attempts, the researchers published their findings together with a Proof-of-Concept (PoC) in September, after which OnePlus publicly acknowledged the bug and reportedly started investigating.

However, by the time this article was published, OnePlus had still not released a fix, which means the bug is still exploitable on many of its devices.
To stay safe, users should keep the number of installed apps to a minimum, install only those from reputable publishers, and switch away from SMS-based two-factor authentication.
Furthermore, communication should be moved away from SMS messages into other apps, such as WhatsApp, Telegram, or similar. The vulnerability is now tracked as CVE-2025-10184, with a severity score of 8.2/10 (high).
OnePlus is a subsidiary of Chinese smartphone manufacturer Oppo, and is known for building premium smartphones at a competitive price.
Via BleepingComputer
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
