All news with #oxygenos tag
Wed, September 24, 2025
Unpatched OnePlus flaw exposes SMS data to rogue apps
Rapid7 disclosed an unpatched vulnerability in OnePlus's OxygenOS (CVE-2025-10184) that allows any installed app to access SMS content and metadata without SMS permissions. The fault arises from modified Telephony content providers whose manifests omit a required write permission and accept unsanitized input. By abusing a blind SQL-injection vector, an attacker can infer SMS text one character at a time. OnePlus has acknowledged the report and is investigating; users should minimize installed apps and avoid SMS-based 2FA.