CVE-2025-12080 is a vulnerability identified in Google Wear OS devices when Google Messages is configured as the default SMS/MMS/RCS application. The issue stems from incorrect implementation in handling ACTION_SENDTO intents that use sms:, smsto:, mms:, and mmsto: URI schemes. Specifically, the system fails to properly verify the authenticity of data within these intents, classified under CWE-345 (Insufficient Verification of Data Authenticity). An attacker capable of invoking Android intents on the device can exploit this flaw to send SMS or MMS messages silently and without requiring any user interaction or special permissions. This means that if an attacker gains the ability to trigger intents—potentially through a compromised app or other means—they can cause the device to send messages to arbitrary recipients without the user's knowledge. The vulnerability does not require prior authentication or elevated privileges, and no user interface prompts are necessary, which increases the stealthiness of the attack. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the attack vector as adjacent network (AV:A), low attack complexity, no privileges required, but user interaction is required to initiate the intent invocation. The impact primarily affects message integrity and confidentiality, as unauthorized messages can be sent, potentially leading to information leakage, fraud, or social engineering attacks. Currently, there are no known exploits in the wild, and no official patches have been released. The vulnerability was published on October 27, 2025, and remains unpatched, requiring vigilance from users and administrators. This vulnerability highlights the risks associated with intent handling in Android-based wearable devices and the importance of strict verification of data authenticity in inter-process communication.

For European organizations, this vulnerability poses risks primarily to the confidentiality and integrity of communications on Wear OS devices. Unauthorized message sending can lead to data leakage, phishing, or social engineering attacks targeting employees or customers. Organizations relying on Wear OS devices for critical communications or two-factor authentication via SMS may face increased risk of account compromise or fraud. The silent nature of the exploit means users may remain unaware of the compromise, complicating incident detection and response. Additionally, misuse of messaging services could result in reputational damage or financial losses if attackers send fraudulent messages impersonating the organization. The impact is heightened in sectors with stringent data protection requirements, such as finance, healthcare, and government, where unauthorized message transmission could violate regulatory compliance. However, the requirement for the attacker to invoke intents on the device limits remote exploitation, suggesting that initial device compromise or physical access is likely needed. This reduces the broad impact but still represents a significant threat to endpoint security within organizations using Wear OS devices.

1. Restrict which applications can invoke intents on Wear OS devices by enforcing strict app permissions and intent filters, minimizing exposure to malicious apps capable of triggering ACTION_SENDTO intents. 2. Monitor device logs and messaging activity for unusual or unauthorized message sending patterns, enabling early detection of exploitation attempts. 3. Educate users about the risks of installing untrusted applications or granting excessive permissions that could facilitate intent invocation by attackers. 4. Implement endpoint protection solutions that can detect anomalous intent invocations or suspicious inter-process communications on Wear OS devices. 5. Apply security updates and patches promptly once Google releases a fix for this vulnerability. 6. Consider disabling or limiting the use of Google Messages as the default SMS/MMS/RCS app on Wear OS devices in high-risk environments until the vulnerability is addressed. 7. Use mobile device management (MDM) solutions to enforce security policies and restrict app installations and configurations on Wear OS devices within the organization. 8. For critical communications, use alternative secure messaging platforms that do not rely on vulnerable intent handling mechanisms.