If you are using a OnePlus smartphone, there is important news for you. A serious security flaw has been discovered in OxygenOS 12, 14, and 15, and it affects many OnePlus phones. The flaw was revealed by cybersecurity firm Rapid7 earlier this week.

According to the report, the issue allows malicious apps to access your SMS and MMS data. This happens without asking for your permission. Even worse, you are not notified when your SMS data is being read.

Many OnePlus Phones Running OxygenOS Have a Major SMS Security Flaw, Fix Arriving in Mid-October

This could be a big problem. SMS often contains sensitive information like banking alerts or private conversations. More importantly, it can break SMS-based Multi-Factor Authentication (MFA). Many services use SMS codes for security, but with this flaw, attackers could bypass that protection.

Affected Devices and Builds

Rapid7 confirmed the vulnerability on several OnePlus devices. These include the OnePlus 8T and the OnePlus 10 Pro 5G. The problem is not limited to one build. Multiple OxygenOS versions were tested, and the flaw was present in all of them.

For example:

OnePlus 8T (OxygenOS 12, build KB2003_11_C.33)

OnePlus 10 Pro 5G (OxygenOS 14 and 15, multiple builds)

The issue has been tracked under CVE-2025-10184. Rapid7 noted that OxygenOS 11 did not have this problem. This means the bug was introduced starting with OxygenOS 12.

Not a Hardware Problem

The firm also said that the flaw does not seem to be linked to hardware. Instead, it affects a core part of Android used by OnePlus. That means more devices running OxygenOS 12, 14, or 15 could also be vulnerable, even if they were not tested.

How OnePlus Responded

Rapid7 first reported the issue to OnePlus on May 1, 2025. They followed up several times but did not get a clear answer. The firm finally went public on September 23, 2025.

One day later, OnePlus responded. The company confirmed it is investigating the matter. Later, in a statement to 9to5Google, OnePlus said it has developed a fix. The update will start rolling out globally in mid-October. The company also promised to continue improving customer security.

What Users Should Do Until the Fix Arrives

Security experts at Rapid7 have given some advice for users.

Install apps only from trusted sources. Avoid unknown apps and remove non-essential ones. This reduces the risk of apps misusing the flaw.

Switch away from SMS-based MFA. Use authenticator apps instead. They are more secure and do not depend on SMS.

Use encrypted messaging apps. Services like WhatsApp or Signal provide end-to-end encryption, which is safer than SMS.

Enable push notifications where possible. This prevents sensitive details from being sent via SMS.

Our Thoughts

This is a serious reminder that even big brands can face major security issues. If you own a OnePlus device with OxygenOS 12, 14, or 15, stay cautious until the patch is released. Follow the steps above to keep your personal data safe.
