If you own a OnePlus smartphone running OxygenOS 12, 14, or 15, there's a major security issue you should know about.

Cybersecurity company Rapid7 recently discovered a serious vulnerability in these versions of OxygenOS. The flaw allows certain apps to read your SMS and MMS messages without your permission or even notifying you. This means sensitive data—including texts used in SMS-based multi-factor authentication (MFA)—could be exposed to attackers without your knowledge.

The issue affects models like the OnePlus 8T and OnePlus 10 Pro 5G, and possibly more devices running the same OS versions. Importantly, OxygenOS 11 doesn't seem to have this flaw, so the problem likely started with OxygenOS 12.

The bug, tracked under CVE-2025-10184, is not limited to a specific device. It seems tied to core Android components within OnePlus’s software, making its impact more widespread.

Timeline of the Discovery

Rapid7 first reached out to OnePlus on May 1, 2025, and followed up several times. However, OnePlus didn’t publicly respond until September 24, a day after the findings were made public. They confirmed they’re investigating and later announced a fix will be released sometime in mid-October.

What You Can Do Until the Fix Arrives

To stay safe until the update rolls out, here’s what Rapid7 recommends:

Only install apps from trusted sources. Remove unnecessary apps to reduce risks.
Avoid using SMS-based authentication. Switch to apps like Google Authenticator or Microsoft Authenticator.
Use encrypted messaging apps instead of regular SMS to protect your conversations.
Switch to in-app notifications instead of receiving sensitive alerts via SMS when possible.

Affected Devices (Confirmed)

Device	OS Version	Build Number
OnePlus 8T	12	KB2003_11_C.33
OnePlus 10 Pro 5G	14	NE2213_14.0.0.700(EX01)
OnePlus 10 Pro 5G	15	NE2213_15.0.0.502(EX01)
OnePlus 10 Pro 5G	15	NE2213_15.0.0.700(EX01)
OnePlus 10 Pro 5G	15	NE2213_15.0.0.901(EX01)

Although these are the only officially tested models, other devices using OxygenOS 12, 14, or 15 might also be at risk.

OnePlus Response

OnePlus has acknowledged the flaw and says a software update containing a fix will begin rolling out globally from mid-October. They added that user safety is a top priority and they are committed to improving device security.