Attention all OnePlus smartphone users running OxygenOS 12, 14, or 15: a critical security vulnerability has been identified by cybersecurity firm Rapid7. This flaw could potentially grant unauthorized access to SMS and MMS data on your device without your knowledge or consent. The impact of this issue is significant, as it could compromise sensitive information and jeopardize SMS-based Multi-Factor Authentication (MFA) checks.
Rapid7 conducted tests on various OnePlus devices and OxygenOS builds, pinpointing the vulnerability within OxygenOS 12. Other models beyond those tested may also be at risk. OnePlus has been alerted about this concern since May 1, 2025, and a fix is expected to be released globally through a software update starting from mid-October.
In the meantime, users are advised to take precautionary measures such as only installing trusted apps, reviewing third-party services using SMS-based MFA, opting for end-to-end encrypted messenger apps, and considering in-app push notifications. For more information, refer to the full disclosure by Rapid7.
