CVE-2025-10184

Device - Info Disclosure

Description

The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks. The root cause is a combination of missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider), and a blind SQL injection in the update method of those providers.
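The missing-write-permission half of this root cause can be checked for in a decoded AndroidManifest.xml. The following is an added example, not code from the advisory or the affected vendor: it flags exported providers whose insert/update/delete path has no permission. The sample manifest, its package and its provider names are constructed, and only an explicit android:exported="true" is treated as exported (path-permission entries are ignored).

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not taken from any real package).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.telephony">
  <application>
    <provider android:name=".ReadOnlyGuardedProvider"
              android:authorities="example.readonly"
              android:exported="true"
              android:readPermission="android.permission.READ_SMS"/>
    <provider android:name=".FullyGuardedProvider"
              android:authorities="example.guarded"
              android:exported="true"
              android:permission="android.permission.READ_SMS"/>
    <provider android:name=".InternalProvider"
              android:authorities="example.internal"
              android:exported="false"/>
  </application>
</manifest>"""


def audit_providers(manifest_xml):
    """Return findings for exported providers whose insert/update/delete
    path is not covered by any permission."""
    root = ET.fromstring(manifest_xml.strip())
    findings = []
    for app in root.iter("application"):
        app_perm = app.get(ANDROID + "permission")
        for prov in app.iter("provider"):
            if prov.get(ANDROID + "exported") != "true":
                continue
            # writePermission overrides the component-wide permission,
            # which in turn overrides the application-wide one.
            write = (prov.get(ANDROID + "writePermission")
                     or prov.get(ANDROID + "permission") or app_perm)
            if not write:
                findings.append({
                    "provider": prov.get(ANDROID + "name"),
                    "authorities": prov.get(ANDROID + "authorities"),
                    "read_guarded": bool(prov.get(ANDROID + "readPermission")),
                })
    return findings

if __name__ == "__main__":
    for finding in audit_providers(SAMPLE_MANIFEST):
        print("unguarded write path:", finding)
```

A finding with read_guarded set to True is the case worth the closest review: reads look protected, but any caller can still reach update(), so an injection flaw there exposes the same data.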

Exploits (3)

nomisec WORKING POC 396 stars
by yuuouu · poc
https://github.com/yuuouu/ColorOS-CVE-2025-10184
nomisec WORKING POC 53 stars
by People-11 · poc
https://github.com/People-11/CVE-2025-10184_PoC
github WORKING POC 1 stars
by Webpage-gh · javapoc
https://github.com/Webpage-gh/CVE-2025-10184-PoC

Scores

EPSS 0.0015
EPSS Percentile 35.4%

Classification

CWE
CWE-862 CWE-89
Status draft

Timeline

Published Sep 23, 2025
Tracked Since Feb 18, 2026