This week, OnePlus customers received a concerning update that could have dangerous consequences for them. A security vulnerability that enables apps to directly access SMS messages on a phone running the OxygenOS version has been found by security specialists. The main concern is that OnePlus has not yet addressed the security flaws, which it hopes to do within the coming weeks.
In nations like India and even the US, experts have discovered problems with both the more recent and older versions of OxygenOS running on OnePlus phones.
OnePlus SMS Security Vulnerability: Important Information
According to Rapid7’s security findings, any app can readily read the contents of SMS stored on your OnePlus phone due to an OxygenOS weakness. Additionally, as everyone is aware, SMS is utilized for OTPs in order to make payments, purchase groceries via applications, and perform other private duties.
Therefore, the level of damage that may be caused by an app that has the ability to write SMS contents onto a device without the user’s consent is unthinkable. If the bad actors target the appropriate nerve points, you might easily lose access to your accounts or even the money in the bank. The user won’t even be aware if any app has seen the SMS content, including any or all of the two-factor authentication tokens required for digital account logins, because the bug works in a stealth manner.
According to the cybersecurity firm, these covert attacks can affect any OnePlus phone running OxygenOS 12 or later, including the 15 model based on Android 15. The following are the OnePlus phones that the agency mentioned:
Android 14 OnePlus 8T OnePlus 10 Pro 5G
Android 15 on a OnePlus 10 Pro 5G
However, given that even the OxygenOS 15 version is on the casualty list, the number of devices might be far longer. Thus, there may be a significant risk to gadgets like the OnePlus 12, OnePlus 13, and possibly the OnePlus Open foldable.
What the Company Has Said About the Security Risk of OnePlus SMS
Rapid7 contacted OnePlus on the problems and gave the company all the information. Additionally, OnePlus has acknowledged the security weakness and promised a global update to address it, albeit with a small delay.
We have applied a patch in response to the recent disclosure of CVE-2025-10184. Beginning in mid-October, this will be implemented internationally through software updates. According to a OnePlus spokeswoman cited by PCMag in its story, “OnePlus remains committed to protecting customer data and will continue to prioritize security improvements.”
OnePlus customers are advised to avoid installing apps, ignore emails from unfamiliar contacts, and use multi-authentication apps (rather than SMS) for logins until OxygenOS security flaws are resolved.
