
Rapid7 researchers have disclosed a critical, unpatched vulnerability (CVE-2025-10184) in OnePlus's OxygenOS (versions 12 through 15) that lets any installed application read SMS data and metadata without the user granting the SMS permission, by means of a blind SQL injection. The flaw stems from OnePlus's modifications to the Android Telephony package and presents significant privacy and security risks for users of OnePlus devices, a brand with an official U.S. market presence. After initially failing to respond to Rapid7's private disclosure attempts, OnePlus has acknowledged the issue and committed to rolling out a global software fix starting mid-October, highlighting potential reputational and security challenges for the Chinese OEM.
A critical, unpatched vulnerability (CVE-2025-10184) discovered by Rapid7 (RPD) in OnePlus's OxygenOS versions 12 through 15 presents a significant operational and reputational risk for the electronics maker. The flaw permits any installed application to access sensitive SMS data without user permission via a blind SQL injection, a consequence of OnePlus's custom modifications to the Android Telephony package. The company's failure to respond to seven private disclosure attempts between May and August points to a severe weakness in its security incident response framework and corporate governance. Only after public disclosure did OnePlus acknowledge the issue, committing to a software fix by mid-October. This delayed reaction, together with user commentary referencing a history of security lapses, suggests a potential systemic problem with the company's security posture that could erode consumer trust, particularly in the U.S. market where the brand has an official presence. For Rapid7, the discovery and disclosure process highlights its technical capabilities and reinforces its credibility within the cybersecurity industry.
Overall Sentiment: strongly negative (Sentiment Score: -0.70)