CVE-2025-12080
Description
On Wear OS devices, when Google Messages is configured as the default SMS/MMS/RCS application, the handling of ACTION_SENDTO intents utilizing the sms:, smsto:, mms:, and mmsto: Uniform Resource Identifier (URI) schemes is incorrectly implemented. Due to this misconfiguration, an attacker capable of invoking an Android intent can exploit this vulnerability to send messages on the user’s behalf to arbitrary receivers without requiring any further user interaction or specific permissions. This allows for the silent and unauthorized transmission of messages from a compromised Wear OS device.
Weakness Type (CWE)
References
Other References
Frequently Asked Questions
What is CVE-2025-12080? +
How do I check if I'm vulnerable to CVE-2025-12080? +
Related Vulnerabilities
Roadiz is a polymorphic content management system based on a node system. Prior to versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18, …
stats is a macOS system monitor in for the menu bar. The Stats application is vulnerable to a local privilege …
Hickory DNS is a Rust based DNS client, server, and resolver. A vulnerability present starting in version 0.8.0 and prior …
RISC Zero is a general computing platform based on zk-STARKs and the RISC-V microarchitecture. Due to a missing constraint in …
Matrix JavaScript SDK is a Matrix Client-Server SDK for JavaScript and TypeScript. matrix-js-sdk before 38.2.0 has insufficient validation of room …
eGovFramework/egovframe-common-components versions up to and including 4.3.1 includes Web Editor image upload and related file delivery functionality that uses symmetric …