CVE-2025-10184

HIGH

OxygenOS 11.*-15.* - Unauthenticated SMS/MMS Data Exposure via Telephony Provider Permission Bypass

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2025-10184. PoCs published by yuuouu, People-11, Webpage-gh.

AI-analyzed exploit summary This repository contains a working PoC for CVE-2025-10184, a SQL injection vulnerability in OPPO's ColorOS and OxygenOS that allows arbitrary apps to read SMS data without permissions. The exploit leverages a '1=1 AND' database injection to bypass telephony provider restrictions.

Description

The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks. The root cause is a combination of missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider), and a blind SQL injection in the update method of those providers.

Exploits (3)

nomisec WORKING POC 396 stars
by yuuouu · poc
https://github.com/yuuouu/ColorOS-CVE-2025-10184

This repository contains a working PoC for CVE-2025-10184, a SQL injection vulnerability in OPPO's ColorOS and OxygenOS that allows arbitrary apps to read SMS data without permissions. The exploit leverages a '1=1 AND' database injection to bypass telephony provider restrictions.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: OPPO ColorOS 6.0.1 to 15.0.2, OxygenOS (OnePlus, Realme)
No auth needed
Prerequisites: Device running vulnerable ColorOS/OxygenOS version · No special permissions required
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 53 stars
by People-11 · poc
https://github.com/People-11/CVE-2025-10184_PoC

This repository contains a proof-of-concept exploit for CVE-2025-10184, a permission bypass vulnerability in OPPO/OnePlus devices running ColorOS/OxygenOS. The exploit demonstrates unauthorized SMS data access via SQL injection in the telephony provider.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: OPPO/OnePlus devices with ColorOS 7.1+ or OxygenOS 12/14/15
No auth needed
Prerequisites: Android device with vulnerable OPPO/OnePlus firmware
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github WORKING POC 1 stars
by Webpage-gh · javapoc
https://github.com/Webpage-gh/CVE-2025-10184-PoC

This repository contains a functional Android application that exploits a SQL injection vulnerability in OnePlus's implementation of com.android.providers.telephony. The PoC demonstrates blind SQL injection via content providers, specifically targeting 'content://service-number/service_number'.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: OnePlus OxygenOS 12/14/15 (com.android.providers.telephony)
No auth needed
Prerequisites: Android device with vulnerable OnePlus OxygenOS version · Access to the target content provider
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v4 8.2
EPSS 0.0367
EPSS Percentile 88.2%
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-862 CWE-89
Status published
Products (5)
OnePlus/OxygenOS 11.*
OnePlus/OxygenOS 12.*
OnePlus/OxygenOS 13.*
OnePlus/OxygenOS 14.*
OnePlus/OxygenOS 15.*
Published Sep 23, 2025
Tracked Since Feb 18, 2026