CVE-2025-10184
BaseFortify
Publication date: 2025-09-23
Last updated on: 2025-09-24
Assigner: Rapid7, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oneplus | oxygenos | 15 |
| oneplus | oxygenos | 12 |
| oneplus | oxygenos | 14 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-10184 is a critical vulnerability in OnePlus OxygenOS's Telephony provider that allows any installed application to read SMS/MMS data and metadata without requiring permission, user interaction, or notification. This happens because certain content providers lack proper write permissions and have a blind SQL injection vulnerability in their update method. Attackers can exploit this to silently access and manipulate SMS data, bypassing Android's READ_SMS permission enforcement and compromising SMS-based Multi-Factor Authentication (MFA). [1]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized and silent access to your SMS and MMS messages and metadata by any installed app, without your consent or knowledge. It can also allow modification of SMS data. This compromises your privacy and security, especially by breaking SMS-based Multi-Factor Authentication, increasing the risk of account takeovers. Additionally, it poses a high risk of exploitation by malicious actors, including state-sponsored attackers, for surveillance or political oppression. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking for unauthorized access or modification attempts to the Telephony provider's content providers, especially com.android.providers.telephony.PushMessageProvider, PushShopProvider, and ServiceNumberProvider. Since the vulnerability allows blind SQL injection via the update() method, monitoring for unusual update or insert operations on these providers could indicate exploitation attempts. Specific commands are not provided in the resources, but monitoring Android logs (logcat) for suspicious content provider access or using Android debugging tools to inspect which apps are accessing SMS/MMS data without READ_SMS permission could help detect exploitation. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting installation of untrusted applications on affected OnePlus devices running OxygenOS 12 and later, as the vulnerability allows any installed app to access SMS/MMS data without permission. Users should avoid installing apps from unknown sources and consider disabling or limiting permissions for apps that do not require SMS access. Since the vulnerability is unpatched, applying official updates when available is critical. Additionally, users relying on SMS-based MFA should consider alternative MFA methods until a patch is released. [1]