CVE-2025-10184: CWE-862 Missing Authorization in OnePlus OxygenOS

Severity: High
Tags: vulnerability, cve-2025-10184, cwe-862, cwe-89
Published: Tue Sep 23 2025 (09/23/2025, 13:02:47 UTC)
Source: CVE Database V5
Vendor/Project: OnePlus
Product: OxygenOS

Description

The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks. The root cause is a combination of missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider), and a blind SQL injection in the update method of those providers.
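The first half of the root cause above is a manifest problem: content providers reachable by other packages with no read or write permission declared. The script below is an added example for auditing that pattern; it is not OnePlus code and does not come from the CVE record. It assumes the APK's AndroidManifest.xml has already been decoded to plain XML (for instance with apktool), and the sample manifest, its package name, provider names, authorities and permission strings are all constructed for illustration rather than taken from OxygenOS.

```python
"""Flag content providers that other apps can reach without any permission
(the CWE-862 pattern this advisory describes).

Added example, not code from OnePlus or from the CVE record. Assumes the
manifest was decoded to plain XML beforehand (e.g. apktool). The sample
manifest below is constructed; it does not reproduce OxygenOS's manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _is_true(value):
    return value is not None and value.strip().lower() == "true"


def audit_providers(manifest_xml: str):
    """Return one finding dict per <provider> whose read and/or write path is
    reachable by third-party apps without a permission check."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for prov in root.iter("provider"):
        name = _attr(prov, "name") or "<unnamed>"
        exported = _attr(prov, "exported")
        # exported="false" providers are private to the package: skip them.
        if exported is not None and not _is_true(exported):
            continue
        # A blanket android:permission covers both reads and writes;
        # readPermission/writePermission gate each side separately.
        blanket = _attr(prov, "permission")
        read_perm = _attr(prov, "readPermission") or blanket
        write_perm = _attr(prov, "writePermission") or blanket
        # <path-permission> children can gate individual URI paths; report
        # their presence so a reviewer knows to check per-path coverage.
        has_path_perms = any(True for _ in prov.iter("path-permission"))
        gaps = [side for side, perm in (("read", read_perm), ("write", write_perm))
                if perm is None]
        if gaps:
            findings.append({
                "provider": name,
                "authorities": _attr(prov, "authorities"),
                # An absent android:exported is reported rather than guessed,
                # because its default depends on the app's targetSdkVersion.
                "exported": "true" if exported else "unspecified",
                "unprotected": gaps,
                "has_path_permissions": has_path_perms,
            })
    return findings


# Constructed sample manifest: four providers covering the cases that matter.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sampleapp">
  <application>
    <provider android:name=".OpenProvider"
        android:authorities="com.example.open"
        android:exported="true" />
    <provider android:name=".HalfGatedProvider"
        android:authorities="com.example.half"
        android:exported="true"
        android:readPermission="com.example.permission.READ_HALF" />
    <provider android:name=".GatedProvider"
        android:authorities="com.example.gated"
        android:exported="true"
        android:permission="com.example.permission.ACCESS_GATED" />
    <provider android:name=".InternalProvider"
        android:authorities="com.example.internal"
        android:exported="false" />
  </application>
</manifest>
"""

if __name__ == "__main__":
    for f in audit_providers(SAMPLE_MANIFEST):
        print(f"{f['provider']} ({f['authorities']}): "
              f"unprotected {', '.join(f['unprotected'])} "
              f"[exported={f['exported']}, path-permissions={f['has_path_permissions']}]")
```

Against the constructed sample, `.OpenProvider` is reported with both sides open and `.HalfGatedProvider` with only its write side open, which is the shape of gap the description attributes to the telephony providers; the two remaining providers produce no finding. Run it over a real decoded manifest to get the same triage list for any app under review.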

AI-Powered Analysis

Last updated: 09/23/2025, 13:07:22 UTC

Technical Analysis

CVE-2025-10184 is a high-severity vulnerability affecting OnePlus OxygenOS versions 12 through 15. The core issue is a missing authorization control (CWE-862) in several system content providers related to telephony services, specifically com.android.providers.telephony.PushMessageProvider, PushShopProvider, and ServiceNumberProvider. This flaw allows any application installed on the device to read SMS and MMS data and metadata without requiring any permissions, user interaction, or consent. Additionally, the user is not notified when SMS data is accessed, which significantly undermines user privacy and security. The vulnerability also involves a blind SQL injection (CWE-89) in the update methods of these providers, potentially allowing unauthorized modification of telephony data. The combination of these weaknesses means that malicious apps can silently exfiltrate sensitive SMS/MMS content, including one-time passwords or MFA codes sent via SMS, effectively bypassing SMS-based multi-factor authentication protections. The CVSS 4.0 score of 8.2 reflects the high impact on confidentiality and the relatively low complexity of exploitation, as no privileges or user interaction are required. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk due to the sensitive nature of SMS data and the widespread use of SMS for authentication and communication on affected devices.
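The second weakness, the blind SQL injection in the providers' update method, comes from splicing a caller-controlled selection string into SQL. The block below is an added example, not OnePlus code and not the Android framework: it models a ContentProvider-style update(values, selection, selectionArgs) with Python's sqlite3 so the hardening can be run off-device. The selection is accepted only if it matches a small allowlisted grammar (comparison clauses on known columns, joined by AND, with every value supplied through selectionArgs), which is the same idea as SQLiteQueryBuilder's strict mode on Android. The table name, column names and sample rows are constructed for illustration.

```python
"""Provider-style update() that never splices caller text into SQL.

Added example; not OnePlus code and not the Android framework. Models
ContentProvider.update(values, selection, selectionArgs) with sqlite3.
Schema and rows are constructed, not OxygenOS's telephony database.
"""
import re
import sqlite3

TABLE = "push_messages"                     # constructed table name
ALLOWED_COLUMNS = {"_id", "address", "read"}  # columns a caller may filter on
WRITABLE_COLUMNS = {"address", "read", "body"}  # columns a caller may change

# One clause is exactly: <identifier> <comparison> ?   (value bound separately)
_CLAUSE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(<=|>=|<>|=|<|>)\s*\?\s*$")


class SelectionRejected(ValueError):
    """Raised for any selection outside the allowlisted grammar."""


def validate_selection(selection, selection_args):
    """Return `selection` unchanged if every clause is `<allowed column> <op> ?`
    joined only by AND and the placeholder count matches `selection_args`;
    raise SelectionRejected otherwise (subqueries, OR, comments, literals...)."""
    if selection is None or not selection.strip():
        # Unlike a raw SQLiteDatabase.update(), refuse to touch every row.
        raise SelectionRejected("refusing an unbounded update")
    clauses = re.split(r"\s+AND\s+", selection.strip(), flags=re.IGNORECASE)
    for clause in clauses:
        m = _CLAUSE.match(clause)
        if m is None:
            raise SelectionRejected(f"unsupported clause: {clause!r}")
        if m.group(1) not in ALLOWED_COLUMNS:
            raise SelectionRejected(f"column not allowed: {m.group(1)}")
    if len(clauses) != len(selection_args or ()):
        raise SelectionRejected("placeholder/argument count mismatch")
    return selection


def hardened_update(conn, values, selection, selection_args):
    """Apply `values` to rows matching the validated selection.
    Returns the number of matched rows."""
    if not values:
        return 0
    bad = set(values) - WRITABLE_COLUMNS
    if bad:
        raise SelectionRejected(f"column not writable: {sorted(bad)}")
    where = validate_selection(selection, selection_args)
    # Column names come only from the allowlist; all values are bound.
    set_sql = ", ".join(f"{col} = ?" for col in values)
    sql = f"UPDATE {TABLE} SET {set_sql} WHERE {where}"
    cur = conn.execute(sql, [*values.values(), *selection_args])
    return cur.rowcount


def make_db():
    """In-memory table with constructed sample rows (_id 1..3)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} "
                 "(_id INTEGER PRIMARY KEY, address TEXT, body TEXT, read INTEGER)")
    conn.executemany(
        f"INSERT INTO {TABLE} (address, body, read) VALUES (?, ?, ?)",
        [("+15550100", "constructed message one", 0),
         ("+15550100", "constructed message two", 0),
         ("+15550199", "constructed message three", 1)],
    )
    return conn


if __name__ == "__main__":
    db = make_db()
    print("marked read:", hardened_update(db, {"read": 1},
                                          "address = ? AND read = ?",
                                          ["+15550100", 0]))
    for bad_sel in ("_id = ? OR address = ?", "_id = (SELECT 1)", None):
        try:
            hardened_update(db, {"read": 1}, bad_sel, ["1", "x"])
        except SelectionRejected as exc:
            print("rejected:", exc)
```

The point of the grammar check is that the caller can choose which rows to touch but can never change the shape of the statement, so there is no error- or timing-based side channel to probe; the same property is what a permission-gated provider on Android should enforce inside update() even after the manifest is fixed, since a permitted caller is still untrusted input.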

Potential Impact

For European organizations, this vulnerability presents a substantial risk to both individual users and enterprise security. Many employees use OnePlus devices running OxygenOS, and the ability for any installed app to access SMS/MMS data without authorization could lead to leakage of sensitive corporate information, including MFA tokens, confidential communications, and personal data. This could facilitate account takeovers, unauthorized access to corporate networks, and data breaches. The silent nature of the data access means users and IT security teams may not detect the compromise promptly. Furthermore, organizations relying on SMS-based MFA for securing access to critical systems may find this second factor effectively nullified, increasing the likelihood of successful phishing or credential stuffing attacks. The blind SQL injection component could also be exploited to alter telephony data, potentially disrupting communication services or enabling further privilege escalation. Given the GDPR regulations in Europe, such data breaches could lead to significant legal and financial penalties if personal data is exposed.

Mitigation Recommendations

Specific mitigation steps include:
1) Immediate update of all OnePlus OxygenOS devices to patched versions once available from the vendor, as no patches are currently linked.
2) Until patches are released, organizations should restrict installation of untrusted or third-party applications on corporate OnePlus devices through Mobile Device Management (MDM) solutions to reduce exposure.
3) Disable or limit SMS-based MFA where possible, replacing it with more secure authentication methods such as hardware tokens or authenticator apps.
4) Monitor telephony-related logs and network traffic for unusual access patterns or data exfiltration attempts.
5) Implement application whitelisting and runtime application self-protection (RASP) to detect and prevent unauthorized access to sensitive content providers.
6) Educate users about the risks of installing unknown apps and encourage prompt reporting of suspicious device behavior.
7) For organizations managing their own device fleets, consider temporarily restricting the use of vulnerable OxygenOS versions until patches are deployed.

Technical Details

Data Version
5.1
Assigner Short Name
rapid7
Date Reserved
2025-09-09T14:58:29.247Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68d29b75ad0b11e5ad17acba

Added to database: 9/23/2025, 1:07:01 PM

Last enriched: 9/23/2025, 1:07:22 PM

Last updated: 9/25/2025, 7:44:01 PM
