Market Impact: 0.55

Rapid7: OnePlus phones vulnerable to SMS theft since 2021

RPD
Technology & Innovation | Cybersecurity & Data Privacy
Rapid7 has publicly disclosed a critical Android bug (CVE-2025-10184, severity 8.2) affecting OnePlus phones running OxygenOS 12 and newer, which allows any application to silently read SMS/MMS data without user interaction, potentially bypassing SMS-based multi-factor authentication. OnePlus was initially unresponsive to Rapid7's repeated attempts to disclose and remediate the flaw, leading to public disclosure, though the company has since committed to rolling out a global software fix starting mid-October. This vulnerability highlights significant cybersecurity risks for users and enterprises relying on SMS-based authentication, with potential broader implications for other Android OEMs given the flaw's origin in a core Android component.

Analysis

Cybersecurity firm Rapid7 (RPD) has publicly disclosed a critical vulnerability (CVE-2025-10184, severity 8.2) affecting OnePlus smartphones running OxygenOS 12 and newer, a flaw present since late 2021. The bug allows any application, without user interaction or special permissions, to access SMS/MMS data, creating a significant risk of bypassing SMS-based multi-factor authentication and exposing sensitive communications. The incident highlights a severe lapse in OnePlus's security response protocol, as the company was reportedly non-responsive to Rapid7's private disclosure attempts from May 1 until the public announcement. While OnePlus has since committed to a software fix by mid-October, the initial failure and delayed acknowledgment present a material reputational risk. For Rapid7, this event serves as a strong validation of its threat intelligence capabilities, reflected in its positive per-ticker sentiment score of 0.7, by successfully identifying a critical flaw and compelling a major vendor to act. The disclosure also raises broader concerns, as the vulnerability is believed to stem from a core Android component, suggesting potential undisclosed risk across other device manufacturers.

Market Sentiment

Overall Sentiment: moderately negative

Sentiment Score: -0.55

Ticker Sentiment

RPD: 0.70

Key Decisions for Investors

  • Investors in Rapid7 (RPD) should view this disclosure as a positive indicator of the company's technical expertise and industry influence, which reinforces its brand credibility and may serve as a long-term driver for its threat intelligence and security services business.
  • For investors with exposure to OnePlus or its parent company, this incident represents a significant operational and reputational red flag; monitor for any impact on device sales, customer trust, and potential regulatory scrutiny related to its security handling processes.
  • The vulnerability's potential origin in a core Android component underscores systemic risk in the mobile ecosystem, suggesting a strategic tilt towards cybersecurity firms that mitigate these threats and away from companies overly reliant on less secure SMS-based authentication methods.