CVE-2025-12080 is a vulnerability in Google Wear OS devices that arises when Google Messages is configured as the default SMS/MMS/RCS application. The issue stems from improper implementation of the handling of ACTION_SENDTO intents that use sms:, smsto:, mms:, and mmsto: URI schemes. Specifically, the system fails to sufficiently verify the authenticity of data within these intents, classified under CWE-345 (Insufficient Verification of Data Authenticity). An attacker capable of invoking Android intents on the device can exploit this flaw to send SMS, MMS, or RCS messages on behalf of the user to arbitrary recipients without requiring any additional permissions or user interaction. This means that a malicious app or process with the ability to trigger intents can silently transmit messages, potentially leading to unauthorized communication, privacy violations, or abuse of messaging services. The vulnerability does not require privileges (PR:N) or authentication, but user interaction is required (UI:P) to initiate the intent, which somewhat limits exploitation vectors. The CVSS 4.0 score is 6.9 (medium), reflecting moderate impact primarily on integrity and confidentiality due to unauthorized message sending. No patches or known exploits are currently reported. The scope is limited to Wear OS devices with Google Messages as default, and the attack surface involves apps or processes capable of invoking intents. This vulnerability highlights a design weakness in intent handling and data authenticity verification on Wear OS platforms.

For European organizations, this vulnerability poses risks primarily related to unauthorized message transmission from Wear OS devices. Potential impacts include leakage of sensitive information via SMS/MMS/RCS, unauthorized communication that could be used for social engineering or phishing campaigns, and reputational damage if devices are used to send spam or malicious messages. Enterprises relying on Wear OS devices for communication may face operational disruptions or compliance issues if unauthorized messages are sent. The silent nature of the exploit increases the risk of unnoticed abuse. Although the vulnerability requires the attacker to invoke intents, which may limit remote exploitation, insider threats or malicious apps could leverage this flaw. The impact on confidentiality and integrity is significant, while availability is less affected. Organizations with Bring Your Own Device (BYOD) policies involving Wear OS devices are particularly at risk. Given the medium severity, the threat should be addressed promptly to prevent escalation or chaining with other vulnerabilities.

To mitigate this vulnerability, organizations should: 1) Restrict installation of untrusted or unnecessary apps on Wear OS devices to reduce the risk of malicious intent invocation. 2) Implement strict app vetting and permissions management, ensuring only trusted apps can invoke sensitive intents. 3) Monitor messaging activity on Wear OS devices for unusual patterns or spikes in outbound messages that could indicate exploitation. 4) Educate users about the risks of installing unknown apps or granting excessive permissions. 5) Deploy Mobile Device Management (MDM) solutions that can enforce security policies and restrict intent invocation where possible. 6) Stay alert for official patches or updates from Google and apply them promptly once available. 7) Consider disabling Google Messages as the default messaging app on Wear OS devices if feasible, or use alternative messaging apps with better intent handling security. 8) Conduct regular security audits of Wear OS devices within the organization to detect potential misuse. These measures go beyond generic advice by focusing on controlling intent invocation and monitoring messaging behavior specific to this vulnerability.