CVE-2025-10184
OnePlus OxygenOS Telephony provider permission bypass
Description
The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks. The root cause is a combination of missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider), and a blind SQL injection in the update method of those providers.
INFO
Published Date :
Sept. 23, 2025, 1:15 p.m.
Last Modified :
Sept. 24, 2025, 6:11 p.m.
Remotely Exploit :
No
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 4.0 | HIGH | 9974b330-7714-4307-a722-5648477acda7 | ||||
| CVSS 4.0 | HIGH | [email protected] |
Solution
- Validate all input to the Telephony provider.
- Implement strict access controls for sensitive data.
- Apply necessary permission checks.
- Review and patch SQL injection vulnerabilities.
Public PoC/Exploit Available at Github
CVE-2025-10184 has a 11 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-10184.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-10184 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-10184
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
ColorOS 短信漏洞修补模块
OxygenOS Telephony provider permission bypass
Java
None
Java
ColorOS短信漏洞,以及用户自救方案
Java Kotlin
None
Java
CVE POC repo 자동 수집기
Python
Latest CVEs with their Proof of Concept exploits.
Python
None
TOP All bugbounty pentesting CVE-2023- POC Exp RCE example payload Things
bugbounty cve exp exploit payload poc rce vulnerability
Shell
📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
security cve exploit poc vulnerability
🔍 Identify and analyze the CVE-2025-10184 vulnerability in ColorOS, affecting SMS data access in OPPO and its sub-brands.
android-security code-review coloros exploit incident-response mobile-os patch remediation risk-assessment security software-security technology threat-analysis vulnerability cve-2025-10184
Java Kotlin
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-10184 vulnerability anywhere in the article.
-
CybersecurityNews
Cybersecurity Newsletter Weekly – Chrome 0-Day, 22.2 Tbps DDOS Attack, Kali Linux Release, Cisco IOS 0-Day and More
This week in cybersecurity was marked by a relentless pace of critical disclosures and unprecedented attack volumes, underscoring the escalating challenges facing defenders. At the forefront was Googl ... Read more
-
The Hacker News
Threatsday Bulletin: Rootkit Patch, Federal Breach, OnePlus SMS Leak, TikTok Scandal & More
Welcome to this week's Threatsday Bulletin—your Thursday check-in on the latest twists and turns in cybersecurity and hacking.The digital threat landscape never stands still. One week it's a critical ... Read more
-
BleepingComputer
Unpatched flaw in OnePlus phones lets rogue apps text messages
A vulnerability in multiple versions of OxygenOS, the Android-based operating system from OnePlus, allows any installed app to access SMS data and metadata without requiring permission or user interac ... Read more
-
CybersecurityNews
OnePlus OxygenOS Vulnerability Allows Any App to Read SMS Data Without Permission
A severe security vulnerability in OnePlus OxygenOS has been discovered that allows any installed application to read SMS and MMS messages without requesting permission or notifying users. The flaw, d ... Read more
-
The Register
OnePlus leaves researchers on read over Android bug that exposes texts
Security researchers report that OnePlus smartphone users remain vulnerable to a critical bug that allows any application to read SMS and MMS data — a flaw that has persisted since late 2021. Rapid7 r ... Read more
The following table lists the changes that have been made to the
CVE-2025-10184 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Sep. 23, 2025
Action Type Old Value New Value Added Reference https://assets.contentstack.io/v3/assets/blte4f029e766e6b253/bltd4b7439a28b6c866/68d168a6930d015d43a6b588/CVE-2025-10184_PoC.zip Added Reference https://www.rapid7.com/blog/post/cve-2025-10184-oneplus-oxygenos-telephony-provider-permission-bypass-not-fixed/ -
New CVE Received by [email protected]
Sep. 23, 2025
Action Type Old Value New Value Added Description The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks. The root cause is a combination of missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider), and a blind SQL injection in the update method of those providers. Added CVSS V4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Added CWE CWE-89 Added CWE CWE-862 Added Reference https://assets.contentstack.io/v3/assets/blte4f029e766e6b253/bltd4b7439a28b6c866/68d168a6930d015d43a6b588/CVE-2025-10184_PoC.zip Added Reference https://www.rapid7.com/blog/post/cve-2025-10184-oneplus-oxygenos-telephony-provider-permission-bypass-not-fixed/