
OnePlus fans might want to take a deep breath, because your phone’s text messages may not be as private as you think. Security researchers at Rapid7 have uncovered a flaw in OxygenOS (versions 12 through 15), tracked as CVE-2025-10184, that lets apps read your SMS and MMS messages without asking for permission. Worse still, Rapid7 says OnePlus has been unresponsive to repeated disclosure attempts, forcing them to go public with the details.
And yes, that means those all-important one-time passwords (OTPs) and banking MFA codes you get via SMS could be read by a shady app sitting quietly in the background. Scary, right?
What’s going on?
Rapid7 explains that the bug is tied to OxygenOS’s handling of something called the Telephony provider, which is basically the bit of Android that manages text messages. On OnePlus devices running OxygenOS 12 and above, certain extra “doors” were left unlocked. Those doors can be abused through a trick called SQL injection, allowing apps to read your SMS database without you ever knowing.
In plain language: think of it like leaving your house keys under the doormat and then acting surprised when someone lets themselves in. Rapid7 even built a proof-of-concept app that doesn’t request any permissions but can still dump the last few text messages on a OnePlus phone.
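The two gaps the article describes, a message provider that apps can reach without holding the SMS permission and SQL that trusts caller-supplied strings, shown closed in an added Java hardening example. This is not Rapid7's proof of concept and not OnePlus code; the provider, database, table and column names are constructed, and setStrictColumns/setStrictGrammar assume API 29 or later.

```java
import android.Manifest;
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.HashMap;
import java.util.Map;
/** Hypothetical provider in front of a message table; constructed example, not OxygenOS code. */
public class HardenedMessageProvider extends ContentProvider {
    // Allow-list of columns a caller may reference in projection, selection or sort order.
    private static final Map<String, String> COLUMNS = new HashMap<>();
    static {
        for (String c : new String[] {"_id", "address", "body", "date"}) COLUMNS.put(c, c);
    }
    private SQLiteOpenHelper helper;
    @Override public boolean onCreate() {
        helper = new SQLiteOpenHelper(getContext(), "messages.db", null, 1) { // constructed schema
            @Override public void onCreate(SQLiteDatabase db) {
                db.execSQL("CREATE TABLE messages (_id INTEGER PRIMARY KEY, address TEXT, body TEXT, date INTEGER)");
            }
            @Override public void onUpgrade(SQLiteDatabase db, int o, int n) { }
        };
        return true;
    }
    @Override public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder) {
        // 1. Gate reads on the same permission the stock Telephony provider enforces;
        //    checkCallingPermission() tests the calling app, not this process.
        if (getContext().checkCallingPermission(Manifest.permission.READ_SMS)
                != PackageManager.PERMISSION_GRANTED) {
            throw new SecurityException("READ_SMS is required to read messages");
        }
        // 2. Never splice caller strings into SQL: strict mode confines selection and sort
        //    order to allow-listed columns and plain WHERE grammar; values ride in selectionArgs.
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("messages");
        qb.setProjectionMap(COLUMNS);
        qb.setStrict(true);
        qb.setStrictColumns(true);  // API 29+: unknown column names are rejected
        qb.setStrictGrammar(true);  // API 29+: no subqueries, unions or comments in clauses
        return qb.query(helper.getReadableDatabase(), projection, selection, selectionArgs, null, null, sortOrder);
    }
    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.example.message"; }
    @Override public Uri insert(Uri uri, ContentValues v) { throw new UnsupportedOperationException(); }
    @Override public int delete(Uri uri, String sel, String[] args) { throw new UnsupportedOperationException(); }
    @Override public int update(Uri uri, ContentValues v, String sel, String[] args) { throw new UnsupportedOperationException(); }
}
```

Declare the same gate in the manifest (`android:readPermission="android.permission.READ_SMS"` on the `<provider>` element) so the system enforces it before query() is ever entered; the in-code check is defence in depth.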
Which OnePlus phones are affected?
Rapid7 confirmed the bug on the OnePlus 8T and OnePlus 10 Pro 5G devices across OxygenOS 12, 14, and 15 builds. Since this is a core OxygenOS issue, the researchers believe many other OnePlus models running those versions are also vulnerable. OxygenOS 11 (and older) devices don’t seem to have the problem.
In short, if your OnePlus phone got the Android 12, Android 13, Android 14 or Android 15 update, chances are you’re affected.
The frustrating part: OnePlus won’t talk
Here’s where things get messy. Rapid7 tried to do the responsible thing by contacting OnePlus and giving them time to fix the issue. They emailed OnePlus multiple times starting in May 2025, pinged its bug bounty program, and even reached out to OPPO (OnePlus’ parent company).
What did they get back? Crickets. Well, not entirely. OnePlus support once said they’d “escalate internally” but then never followed up. After months of silence, Rapid7 decided enough was enough and went public on September 22, 2025.
So as of now, the bug is still NOT FIXED.
What you should do right now
Until OnePlus gets its act together, here’s how you can protect yourself:
- Stick to trusted apps only. Don’t go downloading sketchy apps from random websites. Malicious apps could use this bug to snoop.
- Switch your MFA method. If your bank or email still sends you codes over SMS, change to an authenticator app like Google Authenticator, Authy, or built-in options from your service.
- Use encrypted messaging apps. WhatsApp, Signal, and Telegram all offer better protection than old-school SMS.
- Turn off SMS notifications where possible. Some services let you get in-app push notifications instead of texts, which is safer for now.
OnePlus users deserve better than radio silence on a bug that puts sensitive messages and security codes at risk for so many of them. Until the company acknowledges the bug and rolls out a patch, it’s up to you to be extra careful with what lands in your SMS inbox.
Discover more from Techish Kenya