CVE-2025-10184

UNKNOWN
Published Unknown

No CVSS data available

Description

The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks.

The root cause is a combination of missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider), and a blind SQL injection in the update method of those providers.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

EU Vulnerability Database

Monitored by ENISA for EU cybersecurity

EU Coordination

EU Coordinated

Exploitation Status

No Known Exploitation

ENISA Analysis

Malicious code in bioql (PyPI)

Affected Products (ENISA)

oneplus
oxygenos

ENISA Scoring

CVSS Score (4.0)

8.2/10
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

EPSS Score

0.070
probability

Data provided by ENISA EU Vulnerability Database. Last updated: October 3, 2025

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

⚠ Unreviewed HIGH

GHSA-q9jj-p5hc-gfmj

Advisory Details

The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks. The root cause is a combination of missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider), and a blind SQL injection in the update method of those providers.

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Advisory provided by GitHub Security Advisory Database. Published: September 23, 2025, Modified: September 23, 2025

Social Media Intelligence

Real-time discussions and threat intelligence from social platforms

9 posts
Reddit 3 days, 2 hours ago
GaseousBeaver
Exploit PoC

CVE-2025-10184 Analysis: OnePlus OxygenOS SMS vulnerability - Negligence or intentional design? **TL;DR:** OnePlus implemented three custom ContentProviders in OxygenOS 12+ that expose SMS/MMS data without proper permission enforcement. After technical analysis of the implementation, the design choices raise questions about intent vs. negligence. **Background:** Rapid7 disclosed CVE-2025-10184 last week - …

9
6
21.0
View Original High Risk
Reddit 3 days, 6 hours ago
GaseousBeaver
Exploit PoC

Is the OnePlus 12 (CPH2581_15.0.0.860/EX01V80P01) affected by the CVE-2025-10184 SMS vulnerability? Hey everyone, I just read about the major SMS vulnerability (CVE-2025-10184) that was recently disclosed affecting OxygenOS 12+ devices. According to the security research from Rapid7, this vulnerability allows malicious apps to access SMS/MMS messages without user permission, which …

4
3
10.0
View Original High Risk
Reddit 4 days ago
Mobile-Progress2433

ColorOS(6.0.1-current)/OxygenOS (12-15)/RealmeUI vulnerability Any app can read SMS data without user permission in this vulnerability. Read this: https://github.com/yuuouu/ColorOS-CVE-2025-10184

Reddit 4 days ago
Mobile-Progress2433

ColorOS(6.0.1-current)/OxygenOS(12-15)/RealmeUI vulnerability Any app can read SMS data without user permission in this vulnerability. Read this: https://github.com/yuuouu/ColorOS-CVE-2025-10184

Reddit 4 days ago
Mobile-Progress2433

ColorOS(6.0-current)/OxygenOS(12-15)/RealmeUI SMS vulnerability Any app can read SMS data without user permission in this vulnerability. Read this: https://github.com/yuuouu/ColorOS-CVE-2025-10184

16
8
32.0
Reddit 1 week, 2 days ago
crstux
Exploit PoC

🔥 Top 10 Trending CVEs (29/09/2025) Here’s a quick breakdown of the 10 most interesting vulnerabilities trending today: **1. [CVE-2025-24085](https://nvd.nist.gov/vuln/detail/CVE-2025-24085)** - 📝 A use after free issue was addressed with improved memory management. This issue is fixed in visionOS 2.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, …

1
1.0
View Original High Risk
Reddit 1 week, 3 days ago
Suspicious_Bug4112

OnePlus smartphones vulnerable to SMS hacking risks **Date:** 27-Sep-25 A critical security vulnerability affecting OnePlus smartphones running OxygenOS versions 12 to 15 has been identified, allowing malicious apps to read and send SMS messages without user permission. Tracked as CVE-2025-10184, this flaw risks exposing sensitive information, including two-factor authentication codes, …

Reddit 1 week, 5 days ago
crstux
Exploit

🔥 Top 10 Trending CVEs (26/09/2025) Here’s a quick breakdown of the 10 most interesting vulnerabilities trending today: **1. [CVE-2025-20333](https://nvd.nist.gov/vuln/detail/CVE-2025-20333)** - 📝 A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, …

2
2.0
View Original High Risk
Reddit 1 week, 5 days ago
Planhub-ca
Exploit

A major security flaw in OnePlus phones could let rogue apps read and send SMS messages, potentially exposing your 2FA codes Researchers from Rapid7 uncovered a permission bypass bug (CVE-2025-10184) in multiple OxygenOS versions that allows any installed app to read SMS/MMS data and metadata without needing permission. It also …

1
1
3.0
View Original High Risk