OnePlus smartphones, known for their high-end features at competitive prices, are currently facing a significant security threat. A critical bug in OxygenOS, tracked as CVE-2025-10184, exposes users to potential spying and data theft. The flaw, which remains unpatched, lets attackers access SMS and MMS messages without user consent, putting millions of OnePlus devices globally at risk.
The vulnerability, found in the messaging app, allows unauthorized access to sensitive data, bypassing Android’s core telephony and messaging permissions. Attackers, including state-sponsored groups, could exploit it to target high-profile individuals such as politicians and activists. It could also facilitate financial crimes, particularly against those using SMS-based two-factor authentication.
The issue lies in software rather than hardware: OxygenOS versions 12, 14, and 15 are vulnerable, which affects models like the OnePlus 8T and OnePlus 10 Pro 5G. OnePlus has acknowledged the flaw and is investigating, though no fix date has been announced.
To mitigate risks, users are advised to enable RCS for encrypted messaging and switch to app-based authentication. Avoiding apps from unverified sources and managing app permissions can also enhance security. Regular updates of devices and apps are crucial, and enabling Android’s Advanced Protection offers additional safeguards for those at higher risk.

