Critical Analysis: OnePlus OxygenOS SMS Vulnerability (CVE-2025-10184) and Implications for Mobile Security

The recent disclosure of CVE-2025-10184 highlights a significant vulnerability in OnePlus OxygenOS 12+ that allows unprivileged applications to access SMS and MMS messages via SQL injection through custom ContentProviders. This issue was brought to light by Rapid7 after nine unsuccessful attempts to notify OnePlus, raising concerns about the vendor's responsiveness to security issues. Technically, the vulnerability stems from the public exportation of ContentProviders and the absence of permission checks. ContentProviders in Android are designed to manage access to structured data, and when exported, they become accessible to other applications on the device. The lack of proper permission checks exacerbates the issue, allowing any application to potentially read sensitive SMS/MMS data. The implications of this vulnerability are far-reaching. Privacy is a major concern, as SMS/MMS messages often contain sensitive information such as two-factor authentication codes and personal communications. For enterprises, this vulnerability poses a supply chain risk, as compromised devices could lead to unauthorized access to corporate data. The broader impact on the cybersecurity landscape includes eroded trust in mobile device manufacturers and their commitment to security. From an expert perspective, this situation underscores the importance of responsible disclosure and vendor responsiveness. Rapid7's actions in this case align with best practices in vulnerability disclosure. The design choices in OnePlus OxygenOS, particularly the public exportation of ContentProviders and lack of permission checks, suggest either negligence or intentional design flaws. Without further context, it is challenging to determine the intent behind these choices, but the outcome is clear: a significant security risk for users. For cybersecurity professionals, the actionable intelligence from this disclosure includes recommending caution in app installation for users, advocating for secure coding practices among developers, and considering additional security measures for enterprises using OnePlus devices. Developers should ensure that ContentProviders are not exported unless absolutely necessary and that proper permission checks are in place to prevent unauthorized access. In conclusion, CVE-2025-10184 represents a critical vulnerability in OnePlus OxygenOS that demands immediate attention. The lack of response from OnePlus highlights the need for improved vendor accountability and responsiveness in addressing security issues. Cybersecurity professionals must remain vigilant and proactive in mitigating such risks to protect user privacy and enterprise security.