CVE-2025-10184 (GCVE-0-2025-10184)
Vulnerability from cvelistv5
Published
2025-09-23 13:02
Modified
2025-09-23 13:26
Severity ?
8.2 (High) - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
CWE
  • CWE-862 - Missing Authorization
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks. The root cause is a combination of missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider), and a blind SQL injection in the update method of those providers.
References
cve@rapid7.comhttps://assets.contentstack.io/v3/assets/blte4f029e766e6b253/bltd4b7439a28b6c866/68d168a6930d015d43a6b588/CVE-2025-10184_PoC.zip
cve@rapid7.comhttps://www.rapid7.com/blog/post/cve-2025-10184-oneplus-oxygenos-telephony-provider-permission-bypass-not-fixed/
134c704f-9b21-4f2e-91b3-4a467353bcc0https://assets.contentstack.io/v3/assets/blte4f029e766e6b253/bltd4b7439a28b6c866/68d168a6930d015d43a6b588/CVE-2025-10184_PoC.zip
134c704f-9b21-4f2e-91b3-4a467353bcc0https://www.rapid7.com/blog/post/cve-2025-10184-oneplus-oxygenos-telephony-provider-permission-bypass-not-fixed/
Impacted products
Vendor Product Version
OnePlus OxygenOS Version: 12.*   
Version: 13.*   
Version: 14.*   
Version: 15.*
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-10184",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-23T13:26:53.144445Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-23T13:26:55.804Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://www.rapid7.com/blog/post/cve-2025-10184-oneplus-oxygenos-telephony-provider-permission-bypass-not-fixed/"
          },
          {
            "tags": [
              "exploit"
            ],
            "url": "https://assets.contentstack.io/v3/assets/blte4f029e766e6b253/bltd4b7439a28b6c866/68d168a6930d015d43a6b588/CVE-2025-10184_PoC.zip"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "OxygenOS",
          "vendor": "OnePlus",
          "versions": [
            {
              "status": "unaffected",
              "version": "11.*",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "12.*",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "13.*",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "14.*",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "15.*"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Calum Hutton"
        }
      ],
      "datePublic": "2025-09-23T13:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks. \u003cbr\u003e\u003cbr\u003eThe root cause is a combination of missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider), and a blind SQL injection in the\u0026nbsp;update method of those providers."
            }
          ],
          "value": "The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks. \n\nThe root cause is a combination of missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider), and a blind SQL injection in the\u00a0update method of those providers."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-23T13:02:47.366Z",
        "orgId": "9974b330-7714-4307-a722-5648477acda7",
        "shortName": "rapid7"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory",
            "technical-description"
          ],
          "url": "https://www.rapid7.com/blog/post/cve-2025-10184-oneplus-oxygenos-telephony-provider-permission-bypass-not-fixed/"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://assets.contentstack.io/v3/assets/blte4f029e766e6b253/bltd4b7439a28b6c866/68d168a6930d015d43a6b588/CVE-2025-10184_PoC.zip"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "OnePlus OxygenOS Telephony provider permission bypass",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
    "assignerShortName": "rapid7",
    "cveId": "CVE-2025-10184",
    "datePublished": "2025-09-23T13:02:47.366Z",
    "dateReserved": "2025-09-09T14:58:29.247Z",
    "dateUpdated": "2025-09-23T13:26:55.804Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-10184\",\"sourceIdentifier\":\"cve@rapid7.com\",\"published\":\"2025-09-23T13:15:27.770\",\"lastModified\":\"2025-09-24T18:11:24.520\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks. \\n\\nThe root cause is a combination of missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider), and a blind SQL injection in the\u00a0update method of those providers.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cve@rapid7.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"cve@rapid7.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"},{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"references\":[{\"url\":\"https://assets.contentstack.io/v3/assets/blte4f029e766e6b253/bltd4b7439a28b6c866/68d168a6930d015d43a6b588/CVE-2025-10184_PoC.zip\",\"source\":\"cve@rapid7.com\"},{\"url\":\"https://www.rapid7.com/blog/post/cve-2025-10184-oneplus-oxygenos-telephony-provider-permission-bypass-not-fixed/\",\"source\":\"cve@rapid7.com\"},{\"url\":\"https://assets.contentstack.io/v3/assets/blte4f029e766e6b253/bltd4b7439a28b6c866/68d168a6930d015d43a6b588/CVE-2025-10184_PoC.zip\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"},{\"url\":\"https://www.rapid7.com/blog/post/cve-2025-10184-oneplus-oxygenos-telephony-provider-permission-bypass-not-fixed/\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-10184\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-09-23T13:26:53.144445Z\"}}}], \"references\": [{\"url\": \"https://www.rapid7.com/blog/post/cve-2025-10184-oneplus-oxygenos-telephony-provider-permission-bypass-not-fixed/\", \"tags\": [\"exploit\"]}, {\"url\": \"https://assets.contentstack.io/v3/assets/blte4f029e766e6b253/bltd4b7439a28b6c866/68d168a6930d015d43a6b588/CVE-2025-10184_PoC.zip\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-09-23T13:26:42.610Z\"}}], \"cna\": {\"title\": \"OnePlus OxygenOS Telephony provider permission bypass\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Calum Hutton\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 8.2, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"OnePlus\", \"product\": \"OxygenOS\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"11.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"12.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"13.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"14.*\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"15.*\"}], \"defaultStatus\": \"unknown\"}], \"datePublic\": \"2025-09-23T13:00:00.000Z\", \"references\": [{\"url\": \"https://www.rapid7.com/blog/post/cve-2025-10184-oneplus-oxygenos-telephony-provider-permission-bypass-not-fixed/\", \"tags\": [\"third-party-advisory\", \"technical-description\"]}, {\"url\": \"https://assets.contentstack.io/v3/assets/blte4f029e766e6b253/bltd4b7439a28b6c866/68d168a6930d015d43a6b588/CVE-2025-10184_PoC.zip\", \"tags\": [\"exploit\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks. \\n\\nThe root cause is a combination of missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider), and a blind SQL injection in the\\u00a0update method of those providers.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks. \u003cbr\u003e\u003cbr\u003eThe root cause is a combination of missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider), and a blind SQL injection in the\u0026nbsp;update method of those providers.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862 Missing Authorization\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"9974b330-7714-4307-a722-5648477acda7\", \"shortName\": \"rapid7\", \"dateUpdated\": \"2025-09-23T13:02:47.366Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-10184\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-09-23T13:26:55.804Z\", \"dateReserved\": \"2025-09-09T14:58:29.247Z\", \"assignerOrgId\": \"9974b330-7714-4307-a722-5648477acda7\", \"datePublished\": \"2025-09-23T13:02:47.366Z\", \"assignerShortName\": \"rapid7\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.