CVE-2025-12080
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-27

Last updated on: 2025-10-27

Assigner: Google Inc.

Description
On Wear OS devices, when Google Messages is configured as the default SMS/MMS/RCS application, the handling of ACTION_SENDTO intents utilizing the sms:, smsto:, mms:, and mmsto: Uniform Resource Identifier (URI) schemes is incorrectly implemented. Due to this misconfiguration, an attacker capable of invoking an Android intent can exploit this vulnerability to send messages on the user’s behalf to arbitrary receivers without requiring any further user interaction or specific permissions. This allows for the silent and unauthorized transmission of messages from a compromised Wear OS device.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-27
Last Modified
2025-10-27
Generated
2026-05-06
AI Q&A
2025-10-27
EPSS Evaluated
2026-05-05
NVD
CVE-2025-12080
EUVD
EUVD-2025-36129
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
google messages *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-12080 is a vulnerability in Google Messages on Wear OS devices where the app incorrectly handles ACTION_SENDTO intents with sms:, smsto:, mms:, and mmsto: URI schemes. This misconfiguration allows any installed app to silently send SMS/MMS/RCS messages on behalf of the user without requiring permissions or user interaction. Essentially, an attacker can exploit this by triggering these intents, causing Google Messages to send messages automatically, violating the expected permission and confirmation model. [1]


How can this vulnerability impact me? :

This vulnerability can lead to unauthorized and silent sending of messages from your Wear OS device without your consent. Attackers can exploit it to send messages to arbitrary recipients, potentially causing financial loss, privacy breaches, or spreading malicious content. Because no special permissions or user interaction are needed, the exploit is stealthy and difficult to detect, increasing the risk of unnoticed abuse. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability is challenging due to its stealthy nature and lack of required permissions. However, monitoring for unexpected outgoing SMS/MMS messages sent silently from Wear OS devices with Google Messages as the default app could indicate exploitation. On the device, one could check for apps issuing ACTION_SENDTO intents with sms:, smsto:, mms:, or mmsto: URI schemes. There are no specific commands provided for detection, but reviewing app behavior or logs for such intents or unusual message sending activity may help identify exploitation attempts. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include updating Google Messages on Wear OS devices to the fixed version released by May 2025. Until the update is applied, avoid installing untrusted apps that could exploit the intent handling flaw. Additionally, monitoring and restricting apps that can launch intents or send messages silently may reduce risk. If possible, temporarily changing the default SMS/MMS/RCS app from Google Messages to another app not affected by this vulnerability could also mitigate the issue. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart