OnePlus phone flaw could let devices send out unwanted text messages – so take care who you ping
By Sead Fadilpašić
Copyright techradar
25 September 2025
Flaw could also expose SMS 2FA codes
CVE-2025-10184 lets attackers read and send SMS, including 2FA codes
Vulnerability affects OxygenOS versions 12 to 15, used across many OnePlus devices
Rapid7 disclosed flaw after failed contact; OnePlus has not yet released a fix
A vulnerability in the software used in OnePlus smartphones could allow threat actors to send SMS messages on behalf of the victim, experts have warned.
Worse, it also lets them read SMS contents, including multi-factor authentication codes where SMS is set up as the second authentication factor, security researchers from Rapid7 revealed.
The team recently discovered the vulnerability in multiple versions of OxygenOS, the Android-based operating system built for OnePlus phones. It affects the Telephony content provider in OxygenOS versions 12 through 15, meaning the problem may have been plaguing devices for at least four years.
Late response
The researchers confirmed that the flaw works on a OnePlus 8T running OxygenOS 12, as well as on multiple OnePlus 10 Pro 5G units running OxygenOS 14 and 15.
However, given how OnePlus builds and ships its phones, the researchers stressed that the list of vulnerable devices is a lot, lot longer.
Rapid7 said that since detecting the issue in May 2025, it tried reaching out to OnePlus, but allegedly – to no avail.
After a few failed attempts, the researchers published their findings together with a Proof-of-Concept (PoC) in September, after which OnePlus publicly acknowledged the bug and reportedly started investigating.
However, at the time this article was published, OnePlus had still not released a fix, which means the bug is still exploitable on many of its devices.
To stay safe, users should keep the number of installed apps to a minimum, install only those from reputable publishers, and switch away from SMS-based two-factor authentication.
Furthermore, communication should be moved away from SMS messages into other apps, such as WhatsApp, Telegram, or similar. The vulnerability is now tracked as CVE-2025-10184, with a severity score of 8.2/10 (high).
OnePlus is a subsidiary of Chinese smartphone manufacturer Oppo, and is known for building premium smartphones at a competitive price.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.