Security Researchers Identify Critical Vulnerability in OnePlus OxygenOS
Overview of the Issue
Security researchers at Rapid7 have disclosed a significant vulnerability affecting a number of OnePlus smartphones running the OxygenOS operating system. The flaw is a permission bypass: it exposes sensitive data, specifically SMS messages, to access that Android's permission model is supposed to block.
Details of the Vulnerability
The flaw, tracked as CVE-2025-10184, was reproduced on several OxygenOS versions running on devices such as the OnePlus 8T and OnePlus 10 Pro 5G (Rapid7 does not present this device list as exhaustive). The issue was traced to OxygenOS versions 12 through 15; earlier releases such as OxygenOS 11 do not exhibit it. Rapid7 indicated that the weakness is not a hardware problem but a software oversight introduced in those later OxygenOS releases.
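The version range above is the only triage criterion the advisory gives, so a fleet or incident-response team will want a quick way to sort attached handsets into "in the stated range" and "not". The script below is an added example and is not Rapid7's or OnePlus's code. It assumes that the OxygenOS major version matches the Android release reported by the standard `ro.build.version.release` property (OxygenOS 12 ships on Android 12, and so on); that mapping is an assumption, not something the advisory states. A device classified as in scope is a candidate for patching or further checking, not a confirmed vulnerable build.

```shell
#!/bin/sh
# Added triage helper (not from the advisory). Assumption: the OxygenOS major
# version equals the Android release string's major number, and the affected
# range is OxygenOS 12-15 as described by Rapid7. "in-scope" means the device
# falls inside that range, not that a specific build is confirmed vulnerable.

# classify_device BRAND ANDROID_RELEASE
# Prints one of: in-scope | out-of-scope | unknown
classify_device() {
    brand=$1
    release=$2
    major=${release%%.*}          # "15.0" -> "15"

    # Only OnePlus devices are relevant; anything else is out of scope here.
    case "$brand" in
        [Oo]ne[Pp]lus) ;;
        *) echo out-of-scope; return 0 ;;
    esac

    # A non-numeric release string (e.g. a beta label) cannot be classified.
    case "$major" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac

    if [ "$major" -ge 12 ] && [ "$major" -le 15 ]; then
        echo in-scope
    else
        echo out-of-scope
    fi
}

# check_connected_device: read brand, model and Android release from the
# handset attached over adb and classify it. adb output ends in CRLF, hence tr.
check_connected_device() {
    brand=$(adb shell getprop ro.product.brand | tr -d '\r\n')
    model=$(adb shell getprop ro.product.model | tr -d '\r\n')
    release=$(adb shell getprop ro.build.version.release | tr -d '\r\n')
    printf '%s %s (Android %s): %s\n' "$brand" "$model" "$release" \
        "$(classify_device "$brand" "$release")"
}

# Run the live adb check only when invoked as: sh triage.sh live
if [ "${1:-}" = "live" ]; then
    check_connected_device
fi
```

`classify_device` is kept separate from the adb call so it can be run over an inventory export (brand and release columns) without a device attached; the `unknown` result is deliberate, since a beta or custom build label should be looked at by hand rather than silently treated as safe.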
Difficulty in Coordination for Disclosure
Despite the seriousness of the issue, Rapid7 struggled to get the vulnerability in front of OnePlus. Rapid7 said the terms of OnePlus's bug bounty program prevented it from reporting through that channel. In a blog post dated September 23, Rapid7 stated, “While OnePlus does advertise a public bug bounty program for reporting vulnerabilities, we cannot engage with their program due to its restrictive non-disclosure agreement (NDA) terms and conditions." With its direct outreach to the vendor also going unanswered, Rapid7 concluded it had no option but to disclose the vulnerability publicly.
Potential Risks and Implications
The vulnerability allows a malicious actor to bypass Android permissions that are meant to gate access to messaging data, which could enable extraction of SMS content without the user's knowledge or consent. Rapid7 emphasized that this class of flaw is of particular interest to governments and other organizations engaged in surveillance, since it could let state-sponsored actors monitor individuals or suppress dissent.
Attempts to Contact OnePlus
Rapid7 first contacted OnePlus's Security Response Center in May, but its follow-up attempts received no reply. Further communications in July and August, sent to both OnePlus and its parent company OPPO, were also met with silence. Rapid7 ultimately classified OnePlus as a “non-responsive vendor” and proceeded with public disclosure of CVE-2025-10184.
Conclusion: Industry Impact
Vulnerabilities in widely used smartphone operating systems such as OxygenOS have far-reaching consequences, particularly for users who rely on the protections those devices promise. A permission bypass that exposes SMS data undermines more than privacy: SMS is still used for one-time codes and account recovery, so the exposure matters for account security as well. This case also illustrates a persistent weakness in the disclosure ecosystem: a bug bounty program whose terms a researcher cannot accept, combined with no response through other channels, leaves public disclosure as the only remaining path. Vendors need responsive security contacts and disclosure terms that researchers can actually work under, and prompt fixes that put user safety first.