CVE-2025-10184

HIGH

Device - Info Disclosure

Title source: llm

Description

The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without holding any permission, without user interaction or consent, and without the user being notified that SMS data is being accessed. This could lead to sensitive information disclosure and effectively defeats the protection offered by SMS-based multi-factor authentication (MFA). The root cause is a combination of two weaknesses: write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider) are exposed without a permission check, and the update method of those providers is vulnerable to blind SQL injection, so a caller can infer stored data from the results of crafted update calls instead of needing a readable query path.
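The two weaknesses the advisory names (CWE-862, a write path with no permission check, and CWE-89, a caller-supplied selection spliced into SQL) combine into a read primitive because `ContentProvider.update()` returns the number of affected rows, so any predicate the caller can put in the WHERE clause becomes a yes/no oracle. The following is an added illustration of that pattern beside a hardened version; it is not the code of the affected OxygenOS providers, and the authority, table, column and permission names are hypothetical.

```java
import android.content.ContentProvider;
import android.content.ContentUris;
import android.content.ContentValues;
import android.content.Context;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.net.Uri;

/**
 * Added example (not the affected providers' code): a content provider whose
 * update() first shows the vulnerable shape and then the hardened shape.
 * AUTHORITY, TABLE, the column names and WRITE_PERMISSION are hypothetical.
 */
public class PushMessageProviderExample extends ContentProvider {
    static final String AUTHORITY = "com.example.pushmessage";              // hypothetical
    static final String TABLE = "push_message";                             // hypothetical
    static final String WRITE_PERMISSION = "android.permission.WRITE_SMS";  // assumed guard
    private SQLiteDatabase db;

    @Override
    public boolean onCreate() {
        SQLiteOpenHelper helper = new SQLiteOpenHelper(getContext(), "push.db", null, 1) {
            @Override
            public void onCreate(SQLiteDatabase d) {
                d.execSQL("CREATE TABLE " + TABLE + " (_id INTEGER PRIMARY KEY, body TEXT, seen INTEGER)");
            }
            @Override
            public void onUpgrade(SQLiteDatabase d, int oldV, int newV) { }
        };
        db = helper.getWritableDatabase();
        return true;
    }

    // VULNERABLE shape (what CWE-862 + CWE-89 look like in a provider):
    // no permission check, and the caller's `selection` is pasted verbatim into the
    // WHERE clause by db.update(). The returned row count tells the caller whether
    // its predicate was true, so a selection such as
    //   "seen=0 AND (SELECT substr(body,1,1) FROM other_table LIMIT 1)='1'"
    // lets an unprivileged app read other tables reachable on the same connection,
    // one boolean at a time. This is the blind SQL injection the advisory describes.
    public int updateVulnerable(Uri uri, ContentValues values, String selection, String[] args) {
        return db.update(TABLE, values, selection, args);
    }

    // HARDENED shape.
    @Override
    public int update(Uri uri, ContentValues values, String selection, String[] args) {
        Context ctx = getContext();
        // 1. Authorization on every write path (fixes CWE-862). The same guard can be
        //    declared on the <provider> element via android:writePermission.
        ctx.enforceCallingOrSelfPermission(WRITE_PERMISSION, "write to " + AUTHORITY);

        // 2. No caller-controlled SQL fragments (fixes CWE-89): rows are addressed only
        //    by id taken from the URI, and the WHERE clause is built here with a bound
        //    parameter. A non-empty free-form selection is rejected outright.
        if (selection != null && !selection.isEmpty()) {
            throw new IllegalArgumentException("free-form selection not supported; address rows by id");
        }
        long id = ContentUris.parseId(uri);  // throws if the URI carries no row id

        // 3. Column allow-list, so the caller cannot write fields it should not touch.
        ContentValues safe = new ContentValues();
        if (values != null && values.containsKey("seen")) {
            safe.put("seen", values.getAsInteger("seen"));
        }
        if (safe.size() == 0) return 0;
        return db.update(TABLE, safe, "_id = ?", new String[] { String.valueOf(id) });
    }

    // Remaining ContentProvider methods are stubbed only to keep the class compilable;
    // a real provider would apply the same permission and selection discipline to them.
    @Override public Cursor query(Uri u, String[] p, String s, String[] a, String o) { return null; }
    @Override public String getType(Uri u) { return null; }
    @Override public Uri insert(Uri u, ContentValues v) { return null; }
    @Override public int delete(Uri u, String s, String[] a) { return 0; }
}
```

Note that `SQLiteDatabase.update()` itself is not the bug: it is the standard API, and it places whatever `whereClause` it is given into the statement. The defect is a provider that forwards an untrusted caller's selection into it with no permission gate in front, which is exactly the combination CWE-862 and CWE-89 describe above. When auditing a device, the practical check is whether each exported telephony provider declares a write permission (or enforces one in code) and whether its update path accepts arbitrary selections.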

Exploits (3)

nomisec · WORKING POC · 396 stars · by yuuouu · poc
https://github.com/yuuouu/ColorOS-CVE-2025-10184
nomisec · WORKING POC · 53 stars · by People-11 · poc
https://github.com/People-11/CVE-2025-10184_PoC
github · WORKING POC · 1 star · by Webpage-gh · javapoc
https://github.com/Webpage-gh/CVE-2025-10184-PoC

Scores

CVSS v4 8.2
EPSS 0.0016
EPSS Percentile 36.9%
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Details

CWE
CWE-862 CWE-89
Status published
Products (5)
OnePlus/OxygenOS 11.*
OnePlus/OxygenOS 12.*
OnePlus/OxygenOS 13.*
OnePlus/OxygenOS 14.*
OnePlus/OxygenOS 15.*
Published Sep 23, 2025
Tracked Since Feb 18, 2026