CVE-2025-10184

Unknown Unknown - Not Provided

BaseFortify

Publication date: 2025-09-23

Last updated on: 2025-09-24

Assigner: Rapid7, Inc.

Description

The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks. The root cause is a combination of missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider), and a blind SQL injection in the update method of those providers.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2025-09-23

Last Modified

2025-09-24

Generated

2026-06-16

AI Q&A

2025-09-23

EPSS Evaluated

2026-06-15

NVD

CVE-2025-10184

EUVD

EUVD-2025-30892

Affected Vendors & Products

Vendor	Product	Version / Range
oneplus	oxygenos	15
oneplus	oxygenos	12
oneplus	oxygenos	14

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-862	The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-862

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2025-10184 is a critical vulnerability in OnePlus OxygenOS's Telephony provider that allows any installed application to read SMS/MMS data and metadata without requiring permission, user interaction, or notification. This happens because certain content providers lack proper write permissions and have a blind SQL injection vulnerability in their update method. Attackers can exploit this to silently access and manipulate SMS data, bypassing Android's READ_SMS permission enforcement and compromising SMS-based Multi-Factor Authentication (MFA). [1]

Impact Analysis

This vulnerability can lead to unauthorized and silent access to your SMS and MMS messages and metadata by any installed app, without your consent or knowledge. It can also allow modification of SMS data. This compromises your privacy and security, especially by breaking SMS-based Multi-Factor Authentication, increasing the risk of account takeovers. Additionally, it poses a high risk of exploitation by malicious actors, including state-sponsored attackers, for surveillance or political oppression. [1]

Detection Guidance

Detection of this vulnerability involves checking for unauthorized access or modification attempts to the Telephony provider's content providers, especially com.android.providers.telephony.PushMessageProvider, PushShopProvider, and ServiceNumberProvider. Since the vulnerability allows blind SQL injection via the update() method, monitoring for unusual update or insert operations on these providers could indicate exploitation attempts. Specific commands are not provided in the resources, but monitoring Android logs (logcat) for suspicious content provider access or using Android debugging tools to inspect which apps are accessing SMS/MMS data without READ_SMS permission could help detect exploitation. [1]

Mitigation Strategies

Immediate mitigation steps include restricting installation of untrusted applications on affected OnePlus devices running OxygenOS 12 and later, as the vulnerability allows any installed app to access SMS/MMS data without permission. Users should avoid installing apps from unknown sources and consider disabling or limiting permissions for apps that do not require SMS access. Since the vulnerability is unpatched, applying official updates when available is critical. Additionally, users relying on SMS-based MFA should consider alternative MFA methods until a patch is released. [1]

Hi! I’m here to help you understand CVE-2025-10184. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2025-10184

BaseFortify

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart