
OnePlus SMS Security Flaw Leaves Users Exposed Until October Update

by ytools

OnePlus has long marketed itself with the bold slogan “Never Settle,” but for many of its users, recent news about a serious SMS vulnerability has left them feeling anything but secure. Cybersecurity firm Rapid7 disclosed a critical flaw affecting OnePlus smartphones running OxygenOS 12, 14, and 15 – including popular models like the OnePlus 8T and the OnePlus 10 Pro 5G. The problem? Malicious apps could potentially access SMS and MMS data on your device without permission, interaction, or even a notification.
In an era when text messages still serve as the backbone of multi-factor authentication (MFA), that’s not just a bug – it’s a serious threat to user security.

The issue, tracked under CVE-2025-10184, was first detected in May 2025. Rapid7 reached out to OnePlus immediately, but after months of back-and-forth, the firm went public with its findings in late September. Testing confirmed that several builds of OxygenOS had the flaw, while earlier OxygenOS 11 versions were not affected. That detail suggests the vulnerability was introduced with the rollout of OxygenOS 12 and has since persisted across newer versions. The flaw isn’t limited to a single model either – any OnePlus phone running those builds could be at risk.

Why is this so dangerous? SMS messages often contain sensitive data: banking codes, verification links, password resets, and private conversations. Since affected devices don’t alert the user when SMS data is accessed, the exploit effectively removes the last barrier that SMS-based MFA still offers: the assumption that only the phone’s owner can read the one-time code. A hacker who manages to install a malicious app could silently bypass two-factor authentication protections and compromise accounts ranging from social media to online banking.

For many users, this revelation has reopened old wounds. OnePlus devices have previously faced criticism for reliability issues, such as the infamous green line display problem that haunted several models. Now, with security vulnerabilities piling on top of hardware complaints, some long-time fans feel the company is losing its way. As one frustrated user quipped online, “Never settle? More like never secure.” Others noted with sarcasm that the delay in patching the bug might be because the company “didn’t believe anyone was still using those phones.”

Rapid7 emphasized that this isn’t a hardware-specific issue but rather one buried deep within the Android-based OxygenOS. That means Oppo, OnePlus’s parent company, may also need to examine its ColorOS software, as some users wondered aloud if the same flaw could extend to other devices in the BBK ecosystem. The implications could ripple far beyond OnePlus if the vulnerability is indeed more widespread.

So, what is OnePlus doing about it? After staying silent through most of Rapid7’s outreach attempts, the company finally acknowledged the disclosure on September 24, one day after Rapid7 went public. In a statement to 9to5Google, a spokesperson confirmed that OnePlus had developed a fix and would begin rolling it out globally starting mid-October. That leaves several weeks where users of affected devices remain vulnerable. OnePlus insists it remains committed to user security, but the sluggish response has already frustrated many loyal customers who expect faster action when sensitive data is at stake.

Until the fix arrives, Rapid7 recommends several stopgap measures to minimize risk. First, users should only install apps from trusted sources such as the Google Play Store, removing any non-essential apps that could pose threats. Second, services relying on SMS-based MFA should be switched to authenticator apps wherever possible, reducing exposure to compromised text messages. Third, end-to-end encrypted messengers like Signal or WhatsApp should be favored over SMS for sensitive communication. Finally, where possible, notifications that usually come via SMS can often be switched to push notifications, further reducing the reliance on vulnerable text channels.

At the consumer level, this situation raises larger questions about smartphone security and brand responsibility. While it’s unrealistic to expect zero flaws in complex software, the timeline of this disclosure highlights a troubling disconnect between security researchers and manufacturers. Rapid7 contacted OnePlus on May 1, followed up multiple times, and waited nearly five months before resorting to public disclosure. In that time, countless users remained unknowingly exposed. A more proactive approach from manufacturers could prevent such scenarios, especially when dealing with vulnerabilities that compromise the very mechanisms designed to keep users safe.

Ultimately, the OxygenOS SMS flaw underscores a broader reality: SMS-based authentication is increasingly outdated and insecure. The industry has been slowly pivoting toward more secure methods like app-based authenticators and hardware tokens, but millions of people still depend on text messages for critical security functions. Until that shift is complete, flaws like CVE-2025-10184 will continue to expose users to unnecessary risks. For now, OnePlus owners will need to balance patience with vigilance – and maybe, for some, rethink whether “Never Settle” is still a motto worth trusting.


2 comments

XiaoMao December 7, 2025 - 5:35 pm

Bruh fix is coming in mid-Oct? that’s like an eternity in hacker time

SnapSavvy January 18, 2026 - 3:20 am

smh same company that had green line screen issues, now this
