OnePlus Acknowledges Critical SMS Vulnerability After Months of Unresponsiveness
OnePlus Acknowledges Critical SMS Vulnerability After Months of Unresponsiveness
- Why Enterprise RAID Rebuilding Succeeds Where Consumer Arrays Fail?
- Linus Torvalds Rejects MMC Subsystem Updates for Linux 7.0: “Complete Garbage”
- The Man Who Maintained Sudo for 30 Years Now Struggles to Fund the Work That Powers Millions of Servers
- How Close Are Quantum Computers to Breaking RSA-2048?
- Why Windows 10 Users Are Flocking to Zorin OS 18 Instead of Linux Mint?
- How to Prevent Ransomware Infection Risks?
- What is the best alternative to Microsoft Office?
OnePlus Acknowledges Critical SMS Vulnerability After Months of Unresponsiveness
Security researchers forced to publicly disclose flaw after company ignored repeated warnings for nearly five months
OnePlus has finally acknowledged the existence of a critical security vulnerability in its OxygenOS operating system after cybersecurity firm Rapid7 publicly disclosed the flaw following months of unsuccessful attempts to contact the company through official channels.
The Vulnerability Details
The security flaw, tracked as CVE-2025-10184, affects multiple OnePlus devices running OxygenOS versions 12 through 15. This vulnerability affects a wide range of OxygenOS versions and multiple OnePlus devices, and researchers consider the potential impact to be high. The issue stems from the fact that sensitive internal content providers are accessible without permission, and are vulnerable to SQL injection.
The vulnerability allows any installed app to access SMS data and metadata without requiring permission or user interaction. More alarmingly, the vulnerability operates silently — users receive no alerts when their messages are being accessed.
The flaw potentially compromises SMS-based multi-factor authentication (MFA) systems and exposes sensitive personal communications to unauthorized access. With a severity rating of 8.2, security experts consider this a high-risk vulnerability that could have serious implications for user privacy and security.
Timeline of Unresponsiveness
What makes this situation particularly concerning is OnePlus’s prolonged silence when researchers attempted to report the vulnerability through proper channels. According to the Chinese technology publication that first reported on the company’s response, security researchers began attempting to contact OnePlus on May 1, 2025, using multiple communication channels to report the security flaw.
For nearly five months, these attempts went unanswered, forcing Rapid7 to take the unusual step of publicly disclosing the vulnerability before a patch was available. This approach, known as “full disclosure,” is typically considered a last resort in the cybersecurity community, as it can potentially expose users to exploitation before fixes are implemented.
Industry Standards vs. OnePlus’s Response
The standard practice in the cybersecurity industry involves responsible disclosure, where researchers privately notify companies about vulnerabilities and allow reasonable time for patches to be developed before making the details public. This coordinated approach helps protect users while ensuring that security flaws are addressed promptly.
OnePlus’s failure to respond to repeated warnings represents a significant departure from these established protocols. Only after Rapid7 made the vulnerability public did OnePlus finally acknowledge the issue and commit to investigating it.
Current Impact and Scope
Initial testing by users and security researchers suggests that the vulnerability may extend beyond the international OxygenOS to potentially affect ColorOS, the operating system used by OnePlus devices in the Chinese market. This could significantly expand the number of affected users worldwide.
The flaw has persisted since late 2021, meaning millions of OnePlus users may have been unknowingly vulnerable to SMS interception for years.
Company’s Belated Response
Following the public disclosure, OnePlus has finally contacted Rapid7 to confirm the existence of the vulnerability. However, the company’s response remains limited, with no timeline provided for a fix, no detailed explanation of which specific device models and OS versions are affected, and crucially, no explanation for why the company ignored security researchers’ warnings for months.
The lack of transparency regarding the company’s response timeline raises additional concerns about OnePlus’s commitment to user security and proper vulnerability management procedures.
Looking Forward
This incident highlights broader issues with how some technology companies handle security vulnerability reports. The months-long delay in acknowledging a critical flaw that potentially affects millions of users worldwide demonstrates a concerning gap in corporate security response protocols.
For OnePlus users, the immediate recommendation is to be cautious about which applications they install and to monitor for official security updates from the company. Until a patch is released, users remain vulnerable to potential SMS interception by malicious applications.
The case serves as a stark reminder of the importance of responsive security practices in an era where mobile devices store increasingly sensitive personal and financial information. As the investigation continues, the technology community will be watching closely to see how OnePlus addresses both the technical vulnerability and the procedural failures that allowed this situation to escalate to public disclosure.
