
The bulk of OnePlus phones in use today may be vulnerable to a security flaw that leaves SMS and MMS data exposed, and it won't be patched until mid-October. Only OnePlus phones still running 2020's OxygenOS 11 or earlier are believed to be safe from the flaw.
Security firm Rapid7 was first to spot the vulnerability, which relates to changes OnePlus made to the Telephony service within Android. The long and short of it is that it would allow installed apps to access SMS data "without permission, user interaction, or consent." The firm found the flaw on devices running OxygenOS 12, 14, and 15, though reported that the older OxygenOS 11, based on Android 11, is not vulnerable. While Rapid7 only tested two types of hardware, the OnePlus 8T and 10 Pro 5G, it says the flaw "affects a core component of Android," and so is unlikely to be hardware-specific.
OnePlus has admitted to the issue, but in a statement given to 9to5Google by an unnamed spokesperson it says a fix won't arrive until mid-October at the earliest.
We acknowledge the recent disclosure of CVE-2025-10184 and have implemented a fix. This will be rolled out globally via software update starting from mid-October. OnePlus remains committed to protecting customer data and will continue to prioritize security improvements.
Rapid7 announced the discovery on its blog on Monday this week, but OnePlus didn't respond until Wednesday. Rapid7 says it tried and failed to contact OnePlus privately to discuss the problem, and only turned to a public disclosure after also ruling out the company's bug bounty program because of its "restrictive Non Disclosure Agreement."
Until the flaw is patched, Rapid7 recommends that OnePlus device owners should only install apps from trusted sources, uninstall any unnecessary ones, switch to encrypted messaging apps, and use authenticator apps rather than SMS-based two-factor authentication.