If you are using a OnePlus smartphone running oxygenos 12, 14 or 15, we have news that should be relevant to you. Earlier this week, Cyber Security Pay FIRM Rapid 7 announced that the OnePlus smartphone running these oxygenos versions has a major security defect that could allow SMS and MMS data on your smartphone without permission, user interaction or consent.
Pay FirM also said that “the user has also notified that SMS data being is being cured, which can lead to” sensitive information “and effectively break the security provided by the SMS-based multi-factor authentication (MFA) check.”
Rapid 7 tested and confirmed vulnerability on various OnePlus smartphones and oxygen builds listed in the table below.
| Device / Model | Coalition | Oxygen version | Build number |
|---|---|---|---|
| OnePlus 8 T / KB 2003 | 3.4.135 | 12 | Kb2003_11_c.33 |
| OnePlus 10 Pro 5G / 2213 | 14.10.30 | 14 | NE2213_14.0.0.700 (EX01) |
| OnePlus 10 Pro 5G / 2213 | 15.30.5 | 15 | NE2213_15.0.0.502 (EX01) |
| OnePlus 10 Pro 5G / 2213 | 15.30.10 | 15 | NE2213_15.0.0.700 (EX01) |
| OnePlus 10 Pro 5G / 2213 | 15.40.0 | 15 | NE2213_15.0.0.901 (EX01) |
Cyber Security Pay FirM said that the weakness, which was tracked as CVE -20125-10184, was presented as part of oxygen 12, as versions of those tested oxygen 11 were not sensitive to the issue.
Moreover, when Rapid 7 said that this security defect “does not seem to” a hardware-specific problem, “its potential effect is considered high because it affects the main component of Android, and can be sensitive to oxygenos 12, 14, or 15 other than 8T or 10 Pro 5G.
OnePlus 10 Pro 5g
Rapid 7 contacted the OnePlus on May 1, 2025 to discuss the issue, and since then, on September 23, 2025, it reached the OnePlus and Oppo before announcing its findings in public. One day later, the OnePlus Rapid 7 reacted to the Pay FirM notification and investigating the Chinese brand.
OnePlus 8 t
OnePlus 10 Pro
OnePlus Rapid 7 didn’t tell what steps he would take; However, in a shared statement 9to5Google Later, a spokesman for a OnePlus said, “We accept the recent notification of CVE -20125-10184 and applied fix. Beginning from mid -October, the Software will be rolled globally through the Ftware Update. OnePlus is committed to protecting customer’s data and will continue to prefer security reforms.“
So, what can users on the affected OnePlus devices do until the middle of the October Chatber?
Rapid 7 people have advised users of the affected OnePlus device to take the following steps:
- Install applications only from trusted sources and remove all non-essential applications. This will limit the contact of the incredible applications that can bypass this permit to read SMS/MMS data.
- Review what the third-party services use SMS-based multi-factor authentication (MFA) and change those services instead use an authenticer application. This will limit the sensitive information sent to SMS on your device.
- For the extra privacy of text messages, users can use end-to-end encrypted messenger applications instead of SMS-based communication. This will limit the sensitive information sent to SMS on your device.
- Third-party services that send SMS based notifications are possible to change the pressure in the application. This will limit the sensitive information sent to SMS on your device.
You can click here to read the full ad via Rapid 7 for more details.
