CVE-2025-10184: OnePlus OxygenOS Telephony provider permission bypass (NOT FIXED)
Rapid7, Monday, September 22nd, 2025
Rapid7 has identified a permission bypass vulnerability affecting multiple versions of OnePlus OxygenOS, as installed on multiple OnePlus Android smartphones.
A wider range of devices than those tested is expected to be affected. When leveraged, the vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider (the package com.android.providers.telephony) without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks.