With smartphones continuously expanding, OnePlus has long been recognised as one of the leading brands in the market, delivering premium performance at an affordable price point and building a loyal user base within the competitive Android market for years.
The influx of cyber threats, however, does not make even the most admired devices immune to being compromised.
There has now been a critical security flaw discovered in OxygenOS, the proprietary OS that powers OnePlus smartphones, that is critical to security. This vulnerability, identified as CVE-2025-10184, is not specific to OnePlus but has been found in other Android devices as well.
It is believed that millions of users could be compromised by spying and data theft.
A key concern in this case is that this bug remains unpatched on OnePlus devices, according to Rapid7 researcher Calum Hutton. As a result of this, a large portion of users are vulnerable to exploitation by malicious actors. Researchers have warned that OxygenOS can be exploited in a particularly damaging manner.
Attackers would be able to send SMS messages to a victim's device without knowing they were being sent and, more importantly, intercept and read incoming messages.
It is possible that SMS can pose a security threat to sensitive data, such as one-time passcodes and multi-factor authentication tokens, if SMS is used as the second layer of verification.
Security firm Rapid7 says that the flaw is located in the OxygenOS Telephony content provider, affecting OxygenOS versions 12-15.
It has been suggested that the vulnerability has been quietly present in OnePlus devices for the past four years, leaving users unknowingly exposed to an invasive and sophisticated attack vector.
A number of recent models are already believed to be affected by the vulnerability, including the OnePlus 8T running OxygenOS 12 as well as the OnePlus 10 Pro running OxygenOS 14 and 15, with researchers warning that other recent models are also likely to suffer from it.
OxygenOS 11 appears to be unaffected by the flaw, but it appears to have been discovered in subsequent versions, causing concerns for a large number of smartphones that are relatively new.
In addition, the issue has an important impact on how SMS messages are handled, putting the majority of modern OnePlus smartphones at risk, despite the fact that OnePlus has not been able to resolve the issue as quickly as possible.
The problem was first reported by Rapid7 in May 2025 and followed up repeatedly, but the company did not acknowledge it for months before acknowledging it after the research was published and a proof-of-concept had been demonstrated.
The company has confirmed that OnePlus has developed a patch, which will start rolling out in mid-October, to eliminate the SMS permission bypass problem.
While the situation continues, experts advise that users should exercise caution by installing apps only from trusted sources, removing unused or suspicious applications, and avoiding SMS-based authentication whenever possible, as these methods are less secure than those with hardware security keys or authenticator apps.
It was discovered that OxygenOS has a flaw that was attributed to security researcher Calum Hutton and disclosed under Rapid7's coordinated vulnerability disclosure policy. OxygenOS deals with Android's content providers, which are fundamental components of how applications access and share data with each other.
Basically, content providers serve as a structured gateway that lets apps query, insert, update, and delete information residing in databases and files through a standardised API, thus acting as a structured gateway.
AndroidManifest.xml files are used by developers to regulate this process, typically separating read from write permissions, so external applications are only able to perform the operations they have explicitly been granted permission to perform.
A permission is tied to a content URI, which is a URI that follows the content:// scheme and that maps to a specific authority or a specific database path, such as a user dictionary or a message table, and that maps to those authorities.
A framework like this is a great example of a balance between flexibility and security, allowing developers to expose data with a controlled level of privacy and security.
There are instances, however, where permissions are misconfigured or left undefined, allowing malicious applications to gain unauthorised access, as was the case with this OxygenOS vulnerability.
As a result of this oversight, attackers are effectively bypassing the intended safeguards, giving attackers access to manipulate or intercept the user's sensitive SMS data without the user's knowledge, which exposes millions of devices to hacking attempts.
The researchers initially attempted to resolve the issue through OnePlus's public bug bounty program, but their attempts to do so failed due to restrictive nondisclosure terms.
The vulnerability was first acknowledged by OnePlus on September 24, and the company has confirmed that an internal investigation is ongoing, but the company has not yet announced a definitive timeframe for the release of a security patch.
As the patch hasn't been released, users remain at risk of becoming a victim, so precautionary measures should be taken.
In order to minimise the risk of exploitation, experts recommend installing apps from trusted sources only, uninstalling useless applications, and closely monitoring permission requests. Moreover, SMS-based multi-factor authentication should be replaced by more secure alternatives such as authenticator apps or hardware keys, and sensitive communications should be transferred to end-to-end encrypted platforms like WhatsApp or Telegram in order to ensure maximum security.
It is also advised that organisations entrusted with managing mobile fleets perform audits on devices that may allow unusual SMS access and enforce strict permission policies on those devices. In light of the latest vulnerability, now categorised as CVE-2025-10184 and having a severity score of 8.2 out of 10, users of modern OnePlus devices are put at an increased risk.
Although the OnePlus smartphone has established itself as a flagship smartphone from Oppo, it has been regarded by many users as offering quality smartphones at competitive prices.
However, this incident demonstrates how even well-reputed brands can leave their customers exposed if they fail to fix critical security vulnerabilities. The episode serves as a timely reminder of the challenges that smartphone users continue to face in a rapidly evolving digital landscape as the investigation continues and OnePlus works towards delivering a permanent solution.
In light of vulnerabilities of this size, it is necessary not only for manufacturers but also for consumers to be vigilant when handling personal, financial and professional information through these devices. Even though software patches remain the ultimate protection, users can significantly reduce their exposure by practising disciplined digital hygiene—updating apps regularly, checking permissions before granting access to sensitive data, and minimising the use of SMS for sensitive transactions.
Especially businesses and IT administrators stand to benefit from effective mobile device management strategies, ensuring that company-issued devices are regularly audited for unusual activity and guided by clear security policies that ensure the devices remain safe and secure.
In addition to reducing immediate risks, these practices also contribute to cultivating a culture of resilience, in which users are empowered to take an active role in protecting their data instead of passively relying on vendors to safeguard it. It is evident, however, that proactive caution is not just a temporary workaround, but a long-term investment in cybersecurity and peace of mind that OnePlus owners need to take note of.