Security researchers report that OnePlus smartphone users remain vulnerable to a critical bug that allows any application to read SMS and MMS data — a flaw that has persisted since late 2021.
Rapid7 revealed in a blog post published today that multiple versions of OxygenOS contain this security flaw. Because OxygenOS 11 devices were unaffected in its tests, the researchers believe the vulnerability was introduced with OxygenOS 12, released on December 7, 2021.
Although Rapid7 only used OnePlus phones in its tests, it believes the issue extends to additional OEMs, given that the vulnerable component is within Android itself.
The flaw is tracked as CVE-2025-10184 with an 8.2 severity rating. The researchers said: "The issue stems from the fact that sensitive internal content providers are accessible without pe