The vulnerability can let installed mobile apps access SMS/MMS data on a OnePlus phone without asking for user permission, creating a pathway to steal two-factor authentication codes.
After initially remaining silent, OnePlus is promising a patch for a software flaw that paves a way for third-party mobile apps to invade your privacy and even steal sensitive two-factor authentication codes.
The cybersecurity vendor Rapid7 disclosed the vulnerability on Monday, saying it had originally tried to reach out to OnePlus back in May about patching the flaw. But despite repeated emails and messages, Rapid7 said it had never received a response.
As a result, the flaw remains unpatched. The vulnerability, dubbed CVE-2025-10184, affects the Android-based OxygenOS, which is installed on OnePlus handsets. According to Rapid7, any installed mobile app can abuse the flaw to secretly access SMS/MMS and certain metadata on the phone “without permission, user interaction, or consent.
