OnePlus Phones At Risk: Security Flaw Exposes Text Messages Without Permission

The company says they will roll out a patch to fix it starting in mid-October.

If you’re rocking a OnePlus phone, you might want to pay attention to this. Some rather worrying news surfaced last week from the cybersecurity experts at Rapid7. They’ve uncovered a significant security flaw that could let a dodgy app get its hands on your SMS and MMS messages, all without asking for permission or even letting you know it’s happening.

The real kicker is that this happens completely in the background. You won’t get a prompt or any sort of alert that your messages are being read. As you can imagine, that’s a major problem for privacy. It could lead to your sensitive information being exposed and, perhaps more alarmingly, it completely undermines the security of any two-factor login that uses text messages for codes.

Rapid7 confirmed the vulnerability, which they’ve tracked as CVE-2025-10184, across a range of OnePlus models. It seems the issue first crept in with OxygenOS 12, as their tests on version 11 came up clean. They don’t believe it’s a hardware-specific problem, which means the potential impact is quite high, likely affecting any OnePlus device running the affected OS versions, not just the ones they tested.

Rapid7 first got in touch with OnePlus about this back in May and followed up several times before going public with their findings in late September. OnePlus responded a day later, acknowledging the report and confirming an investigation was underway.

The good news is that a fix is supposedly on the way. A OnePlus spokesperson has stated they have implemented a patch and will be rolling it out globally via a software update starting in mid-October.

In the meantime, it’s worth being extra cautious. Rapid7 recommends you only install apps from sources you trust and consider ditching any non-essential ones. If you use text messages for two-factor authentication, now would be an excellent time to switch to a proper authenticator app. Using a third-party chat app for your messaging could also help sidestep the issue.